[v3] LDAP access_attribute
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Nov 27 00:15:23 CET 2013
On 26 Nov 2013, at 18:01, Hachmer, Tobias <Tobias.Hachmer at stadt-frankfurt.de> wrote:
> Hello Arran,
> ________________________________________
> From: freeradius-users-bounces+tobias.hachmer=stadt-frankfurt.de at lists.freeradius.org [freeradius-users-bounces+tobias.hachmer=stadt-frankfurt.de at lists.freeradius.org] on behalf of Arran Cudbard-Bell [a.cudbardb at freeradius.org]
> Sent: Tuesday, 26 November 2013 18:19
> To: FreeRadius users mailing list
> Subject: Re: [v3] LDAP access_attribute
>
> On 26 Nov 2013, at 10:55, Hachmer, Tobias <Tobias.Hachmer at stadt-frankfurt.de> wrote:
>>> What are the considerations behind changing the behaviour of "access_attribute" in ldap compared with "access_attr" in v2?
>>> From an LDAP perspective it is easier to administer user objects in LDAP when you can see directly whether a user has access or not.
>> Hmm the comment in mods-available/ldap is misleading. I'll fix it.
>> If you set access_positive 'yes' and the string value of the attribute is 'false', the user will still be locked out.
>
> Yeah, from mods-available/ldap I understood that (access_positive = yes) only the existence of the attribute controls whether the user is locked out or not irrespective of the attributes value.
>
>> The idea behind the new logic is to support:
>> userAccountEnabled (access_positive = yes)
>> userAccountDisabled (access_positive = no)
>
> Please don't misunderstand me. The new logic "access_positive" is quite good. This is not my point I am talking about.
I know.
> Yeah, my point is that the attribute's (e.g. userAccountDisabled) value (e.g. a simple boolean TRUE/FALSE) should control whether the user is locked out or not, not its existence on its own.
> Do the code changes you have made respect this?
Have a truth table...
present  access_positive  'false'  locked?
   T           F             T        F
   T           F             F        T
   T           T             T        T
   T           T             F        F
   F           F             -        T
   F           T             -        F
Where 'false' is a strcmp between the value and the word false.
> Here the words "existing" and "present" are a bit confusing. From my point of view the explanation would be much clearer and better to understand if you give examples with contents,
I agree. I'll do some further tweaks tomorrow.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
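The decision described by the truth table in the message above, written out as an added Python example. This is illustrative code and not FreeRADIUS's own rlm_ldap implementation; the function names, the sample user objects and the case-insensitive compare (the message says strcmp against the word false; the relaxation is an assumption so that the RFC 4517 Boolean form FALSE also matches) are all mine. The two absent-attribute rows follow the table exactly as posted, so check them against the rlm_ldap build you actually run before relying on them.

```python
"""Added example: rlm_ldap access_attribute / access_positive decision,
following the truth table posted above. Not FreeRADIUS code."""

from typing import Dict, List, Optional, Tuple


def attribute_is_false(value: str) -> bool:
    """The 'false' column of the table: compare the attribute value
    against the word false.  The message describes a strcmp; matching
    case-insensitively is an assumption made here so that a directory
    storing the RFC 4517 Boolean form FALSE is treated the same way."""
    return value.strip().lower() == "false"


def user_locked(values: Optional[List[str]], access_positive: bool) -> bool:
    """Return True when the user is to be locked out.

    values          -- values of the access attribute on the user object,
                       or None when the attribute is absent
    access_positive -- True for an attribute like userAccountEnabled,
                       False for one like userAccountDisabled
    """
    if not values:
        # Attribute absent.  These two rows are taken from the table
        # as posted:  (absent, access_positive=no)  -> locked
        #             (absent, access_positive=yes) -> not locked
        return not access_positive

    is_false = attribute_is_false(values[0])
    if access_positive:
        # userAccountEnabled style: present and not 'false' => allowed,
        # present and 'false' => locked.
        return is_false
    # userAccountDisabled style: present and not 'false' => locked,
    # present and 'false' => allowed.
    return not is_false


def check_user(entry: Dict[str, List[str]], access_attribute: str,
               access_positive: bool) -> bool:
    """Apply user_locked() to one LDAP entry represented as a dict of
    attribute name -> list of string values (the shape python-ldap returns)."""
    return user_locked(entry.get(access_attribute), access_positive)


def truth_table() -> List[Tuple[bool, bool, Optional[bool], bool]]:
    """Enumerate (present, access_positive, is_false, locked) in the same
    row order as the table in the message, so the two can be compared."""
    rows = []
    for present in (True, False):
        for access_positive in (False, True):
            if present:
                for is_false in (True, False):
                    value = ["false"] if is_false else ["true"]
                    rows.append((present, access_positive, is_false,
                                 user_locked(value, access_positive)))
            else:
                rows.append((present, access_positive, None,
                             user_locked(None, access_positive)))
    return rows


# Constructed sample user objects for a userAccountDisabled-style attribute
# (access_positive = no); these are not real directory data.
SAMPLE_USERS: Dict[str, Dict[str, List[str]]] = {
    "alice": {"uid": ["alice"], "userAccountDisabled": ["FALSE"]},
    "bob":   {"uid": ["bob"],   "userAccountDisabled": ["TRUE"]},
    "carol": {"uid": ["carol"]},  # attribute absent
}

if __name__ == "__main__":
    for name, entry in SAMPLE_USERS.items():
        locked = check_user(entry, "userAccountDisabled", access_positive=False)
        print(f"{name}: {'locked' if locked else 'allowed'}")
    for row in truth_table():
        print(row)
```

Running the block prints the outcome for each constructed user and then the six rows, which can be read side by side with the table in the message; the only behavioural knob a deployment has to get right is whether the chosen attribute is "enabled"-shaped or "disabled"-shaped, which is what access_positive encodes.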