A BAD DN result is pretty much the same as an empty result
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Wed, 28 Aug 2024 22:28:13 +0000 (17:28 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Wed, 28 Aug 2024 22:28:50 +0000 (17:28 -0500)
Especially now we can dynamically configure DNs...

src/modules/rlm_ldap/user.c
src/tests/modules/ldap/dynamic_dn.unlang [new file with mode: 0644]
src/tests/modules/ldap/module.conf

index fa3f29e85f985b1c02e5141d4d0675c3f4bc7c14..dfbcc06a73697e8db249b2c668185994f9f30f15 100644 (file)
@@ -64,6 +64,10 @@ static unlang_action_t ldap_find_user_async_result(rlm_rcode_t *p_result, UNUSED
                break;
 
        case LDAP_RESULT_NO_RESULT:
+       /*
+        *      DNs can now be dynamic, so a BAD DN often means the same thing as an empty result
+        */
+       case LDAP_RESULT_BAD_DN:
                RETURN_MODULE_NOTFOUND;
 
        default:
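Review bot: Folding `LDAP_RESULT_BAD_DN` into the `LDAP_RESULT_NO_RESULT` case makes a base DN that is wrong or missing indistinguishable from a user who is simply not in the directory, and the visible lines log nothing on this path. For a statically configured `base_dn` that is an operator error, and a policy that moves on to another source on `notfound` but stops on `fail` will now behave differently without leaving a trace. I would keep the rcode but give the new label its own arm that records the cause, e.g. `case LDAP_RESULT_BAD_DN:` followed by `RWDEBUG("Base DN not found, treating as empty result");` and `RETURN_MODULE_NOTFOUND;`, assuming `request` is in scope at this point. The body of `ldap_find_user_async_result` starts and ends outside this hunk, so any logging done by the lower layer or by the other cases is not visible here.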
diff --git a/src/tests/modules/ldap/dynamic_dn.unlang b/src/tests/modules/ldap/dynamic_dn.unlang
new file mode 100644 (file)
index 0000000..de8cc65
--- /dev/null
@@ -0,0 +1,17 @@
+
+string base_dn
+
+&base_dn=%ldap.uri.safe('dc=example,dc=com')
+ldap_dynamic_dn
+if (!ok) {
+       test_fail
+}
+
+# Bad DN
+&base_dn := %ldap.uri.safe('dc=example,dc=foo,dc=com')
+ldap_dynamic_dn
+if (!notfound) {
+       test_fail
+}
+
+test_pass
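Review bot: The `# Bad DN` case only exercises a well-formed base that does not exist in the test directory, and the comment does not say so. Because the change is motivated by `base_dn` being set at request time, a reader cannot tell from this file whether a syntactically invalid value, or one that was not passed through `%ldap.uri.safe()`, is also expected to end in `notfound`. I would expand the comment to `# Well-formed base DN that does not exist in the directory - expect notfound rather than fail`, and add a second case for a malformed value if that outcome is meant to be guaranteed. The first assignment uses `=` and the second `:=`; using one form for both would read more cleanly.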
index 6d6b01dca8581f9c9264a3fae9e873132466024a..bb3633a30500df951cd67d0b1bf92831f67657f0 100644 (file)
@@ -867,3 +867,50 @@ ldap ldapsaslproxy {
                start = 0
        }
 }
+
+#
+#  LDAP module configured with a bad base DN
+#
+ldap ldap_dynamic_dn {
+       server = "ldapi://%2Ftmp%2Fldap%2Fsocket"
+
+       sasl {
+               mech = "EXTERNAL"
+       }
+
+       user {
+               base_dn = "ou=people,%{base_dn}"
+               filter = "(uid=%{%{Stripped-User-Name} || %{User-Name}})"
+               sasl {
+                       mech = 'DIGEST-MD5'
+                       authname = &User-Name
+               }
+       }
+
+       options {
+               chase_referrals = yes
+               rebind = yes
+               referral_depth = 2
+               timeout = 10
+               timelimit = 3
+               idle = 60
+               probes = 3
+               interval = 3
+       }
+
+       pool {
+               start = 0
+               min = 1
+               max = 4
+               spare = 3
+               uses = 0
+               lifetime = 0
+               idle_timeout = 60
+               retry_delay = 1
+       }
+
+       bind_pool {
+               start = 0
+       }
+}
+
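Review bot: The header comment `LDAP module configured with a bad base DN` does not match the instance below it: `base_dn = "ou=people,%{base_dn}"` is a dynamic base DN, and it is only bad when the test assigns a non-existent value. I would reword it to `#  LDAP module whose user base DN is expanded from the base_dn variable at request time`, and add a line saying that dynamic_dn.unlang assigns that variable through `%ldap.uri.safe()`, which presumably controls whether the value is escaped when it is placed in the DN. `mech = 'DIGEST-MD5'` under `user { sasl { ... } }` names a mechanism that RFC 6331 moved to historic status; a short comment marking it as test-fixture only would keep it from being copied into a production configuration.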