[Patch] rlm_ldap: Allow users to match more than one group

Graham Leggett minfrin at sharp.fm
Wed Jan 11 15:41:15 CET 2012


On 11 Jan 2012, at 3:06 PM, Phil Mayers wrote:

> I'm not sure I understand the circumstances in which this occurs. Can you give an example of it failing?
> 
> rlm_ldap takes the "groupmembership_filter" you give it, and then ANDs it with groupname=value, like so:
> 
> final_filter = sprintf("(&(%s=%s)%s)",
>  groupname_attr,
>  groupname,
>  groupmembership_filter
> )
> 
> This query will end up looking something like this:
> 
> (&(cn=TheGroup)(|(member=<LDAP DN>)(uniquemember=<LDAP DN>)))
> 
> ...and should never return >1 hit.

That assumes you're searching using a group name.

In my case, I have an attribute that has a value that means "give this group of people access to radius", and for some people, they will be members of more than one group. In the process, they are denied access because 2 or more values come back. This patch gives the admin the power to support this scenario when it is required.

Regards,
Graham
--
