Custom module to handle LDAP query returning multiple results?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sat Jan 20 17:33:32 CET 2018



> On Jan 19, 2018, at 6:32 AM, Nicolas Reich <nicolas.reich at switch.ch> wrote:
> 
> Hello,
> 
> The system looks like this: the users are each affiliated to one or more organisations. For each affiliation to an organisation, there's an entry in LDAP. So there can be several entries for the same user, each one with a different organisation. Now, granted the rest of the authentication process goes well, the user is accepted if he or she is affiliated to one of the whitelisted organisations, i.e. there is at least one entry with their name and a whitelisted organisation.
> 
> This should be pretty straightforward to check: get all entries for the user, and check if at least one is for a whitelisted organisation. Except the ldap module throws an error if the search returns more than one result, and I can't use server-side sorting because it is an OpenLDAP server, which doesn't implement the ldap_create_sort_control function. (I think, I might have gotten that wrong though.)

OpenLDAP does support server-side sorting; you need to load/configure the slapo-sssvlv overlay. You can then sort the results server-side by one or more attributes.

If you're really intent on writing code, it would likely be easier to write something to do client-side sorting.

The point here is to make sure the same result is used consistently, as there's no guarantee results from the server will be returned in the same order.

-Arran
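The client-side approach discussed in this thread, as an added example that is not code from the thread or from FreeRADIUS: the entries are constructed in place of a real LDAP search result, and the attribute names (uid, o), DNs and whitelist are assumptions. It sorts the entries deterministically before picking one, so the same affiliation is used on every request regardless of the order the server returned them in.

```python
# Added example (not from the mailing-list thread): client-side handling of an
# LDAP search that returns several entries for one user, one per affiliation.
# Entries are constructed dicts here; a real module would get them from an LDAP
# client. Attribute names (uid, o), the DNs and the whitelist are assumptions.
from typing import Iterable, Mapping, Optional

# Constructed sample search result: three affiliations for the same uid,
# deliberately not in any sorted order.
SAMPLE_ENTRIES = [
    {"dn": "uid=jdoe,o=example-c,dc=example,dc=org", "uid": "jdoe", "o": "example-c"},
    {"dn": "uid=jdoe,o=example-a,dc=example,dc=org", "uid": "jdoe", "o": "example-a"},
    {"dn": "uid=jdoe,o=example-b,dc=example,dc=org", "uid": "jdoe", "o": "example-b"},
]

WHITELIST = frozenset({"example-b", "example-a"})  # constructed whitelist


def sort_entries(entries: Iterable[Mapping[str, str]]) -> list:
    """Client-side sort. The server gives no ordering guarantee, so sort by a
    stable key (organisation, then DN) so every request sees the same order."""
    return sorted(entries, key=lambda e: (e.get("o", "").lower(), e["dn"].lower()))


def select_entry(entries: Iterable[Mapping[str, str]],
                 whitelist: Iterable[str]) -> Optional[Mapping[str, str]]:
    """Return the first entry (after deterministic sorting) whose organisation
    is whitelisted, or None if the user has no whitelisted affiliation."""
    allowed = {o.lower() for o in whitelist}
    for entry in sort_entries(entries):
        if entry.get("o", "").lower() in allowed:
            return entry
    return None


def authorize(entries: Iterable[Mapping[str, str]], whitelist: Iterable[str]) -> bool:
    """Authorization decision: accept iff at least one affiliation is whitelisted.
    Multiple results are expected here, not treated as an error."""
    return select_entry(entries, whitelist) is not None


if __name__ == "__main__":
    chosen = select_entry(SAMPLE_ENTRIES, WHITELIST)
    print("accepted:", authorize(SAMPLE_ENTRIES, WHITELIST), "using", chosen["dn"])
```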
