ldap: Make profile search scope configurable
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Mon, 4 Sep 2023 09:00:06 +0000 (03:00 -0600)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Mon, 4 Sep 2023 09:00:06 +0000 (03:00 -0600)
... because reasons.

raddb/mods-available/ldap
src/modules/rlm_ldap/rlm_ldap.c
src/modules/rlm_ldap/rlm_ldap.h

index a0b944344d0f08ef6b3323a6af2abfa179878cbd..c775687bad689e22edb56233705238589b1cbaab 100644 (file)
@@ -488,6 +488,14 @@ ldap {
                #
 #              filter = '(objectclass=radiusprofile)'
 
+               #
+               #  scope:: Search scope, may be `base`, `one`, `sub` or `children`.
+               #
+               #  Should usually be left as "base", to retrieve the specific profile
+               #  specified by 'default' or in the user or group objects.
+               #
+#              scope = 'base'
+
                #
                #  default:: The default profile. This may be a DN or an attribute reference.
                #
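Review bot: The new `scope` comment at lines 19-22 tells the operator to leave it as `base` but not what a wider scope does, which is the part they need before changing it: with `one` or `sub` the DN taken from `default` or from the user/group profile attribute becomes a search base and every entry beneath it matching `filter` (line 16) becomes a candidate profile, so a DN high in the tree can pull in entries that were never meant to be profiles. Suggest adding to the comment: `#  With 'one' or 'sub' every entry beneath the profile DN that matches 'filter' is returned, so keep 'filter' restrictive if you widen the scope.` Whether all returned entries are applied or only the first is decided by the mapping code in rlm_ldap.c, not visible in this file.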
index 202ecd902f12dfc93efa947513e0717071694180..ba63c9cad1f48c1bf29bbc1f54734a6fa2b2a245 100644 (file)
@@ -71,6 +71,8 @@ static const call_env_t sasl_call_env[] = {
 };
 
 static CONF_PARSER profile_config[] = {
+       { FR_CONF_OFFSET("scope", FR_TYPE_INT32, rlm_ldap_t, profile_scope), .dflt = "base",
+         .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },
        { FR_CONF_OFFSET("attribute", FR_TYPE_STRING, rlm_ldap_t, profile_attr) },
        { FR_CONF_OFFSET("attribute_suspend", FR_TYPE_STRING, rlm_ldap_t, profile_attr_suspend) },
        CONF_PARSER_TERMINATOR
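Review bot: The `cf_table_parse_ctx_t` compound literal added at line 35 is repeated verbatim for `user.scope` and `group.scope` later in the same file, so three copies now have to be kept in step if the table or its length symbol ever changes. A single file-scope object would remove the duplication: `static cf_table_parse_ctx_t const ldap_scope_parse_ctx = { .table = fr_ldap_scope, .len = &fr_ldap_scope_len };` and then `.uctx = &ldap_scope_parse_ctx` in all three parsers. This assumes `.uctx` accepts a pointer to const; if it is a plain `void *`, drop the `const` on the object.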
@@ -88,7 +90,8 @@ static const call_env_t autz_profile_call_env[] = {
  *     User configuration
  */
 static CONF_PARSER user_config[] = {
-       { FR_CONF_OFFSET("scope", FR_TYPE_STRING, rlm_ldap_t, userobj_scope_str), .dflt = "sub" },
+       { FR_CONF_OFFSET("scope", FR_TYPE_INT32, rlm_ldap_t, userobj_scope), .dflt = "sub",
+         .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },
        { FR_CONF_OFFSET("sort_by", FR_TYPE_STRING, rlm_ldap_t, userobj_sort_by) },
 
        { FR_CONF_OFFSET("access_attribute", FR_TYPE_STRING, rlm_ldap_t, userobj_access_attr) },
@@ -123,7 +126,8 @@ user_call_env(memberof, ldap_memberof_call_env_t);
  */
 static CONF_PARSER group_config[] = {
        { FR_CONF_OFFSET("filter", FR_TYPE_STRING, rlm_ldap_t, groupobj_filter) },
-       { FR_CONF_OFFSET("scope", FR_TYPE_STRING, rlm_ldap_t, groupobj_scope_str), .dflt = "sub" },
+       { FR_CONF_OFFSET("scope", FR_TYPE_INT32, rlm_ldap_t, groupobj_scope), .dflt = "sub",
+         .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len }  },
 
        { FR_CONF_OFFSET("name_attribute", FR_TYPE_STRING, rlm_ldap_t, groupobj_name_attr), .dflt = "cn" },
        { FR_CONF_OFFSET("membership_attribute", FR_TYPE_STRING, rlm_ldap_t, userobj_membership_attr) },
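Review bot: Line 55 closes the `group.scope` entry with two spaces before the final brace (`&fr_ldap_scope_len }  },`) while the identical entries for `profile.scope` and `user.scope` use one. A one-character fix keeps the three parser lines textually identical and easier to diff against each other: `.func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },`.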
@@ -1329,7 +1333,7 @@ static unlang_action_t rlm_ldap_map_profile(request_t *request, ldap_autz_ctx_t
        }
 
        return fr_ldap_trunk_search(&ret, profile_ctx, &profile_ctx->query, request, ttrunk, dn,
-                                   LDAP_SCOPE_BASE, autz_ctx->call_env->profile_filter.vb_strvalue,
+                                   inst->profile_scope, autz_ctx->call_env->profile_filter.vb_strvalue,
                                    expanded->attrs, NULL, NULL);
 }
 
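Review bot: The profile search at line 62-65 now runs with `inst->profile_scope` instead of the hard-coded `LDAP_SCOPE_BASE`, which means `one` and `sub` can return more than one entry for a single profile DN, and nothing in this hunk shows how the result is consumed; `rlm_ldap_map_profile` starts outside the hunk, so the result handling cannot be checked here. If the mapping code takes only the first entry, which profile wins then depends on the server's return order, and if it applies all of them an over-broad `filter` silently merges attributes from unrelated entries. Worth confirming that path logs or rejects a multi-entry result rather than applying it silently, and a comment at the call site would record the intent: `/* profile_scope defaults to base; with one/sub the profile filter selects among entries below dn */`.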
@@ -2343,23 +2347,6 @@ static int mod_instantiate(module_inst_ctx_t const *mctx)
                }
        }
 
-       /*
-        *      Convert scope strings to enumerated constants
-        */
-       inst->userobj_scope = fr_table_value_by_str(fr_ldap_scope, inst->userobj_scope_str, -1);
-       if (inst->userobj_scope < 0) {
-               cf_log_err(conf, "Invalid 'user.scope' value \"%s\", expected 'sub', 'one', 'base' or 'children'",
-                          inst->userobj_scope_str);
-               goto error;
-       }
-
-       inst->groupobj_scope = fr_table_value_by_str(fr_ldap_scope, inst->groupobj_scope_str, -1);
-       if (inst->groupobj_scope < 0) {
-               cf_log_err(conf, "Invalid 'group.scope' value \"%s\", expected 'sub', 'one', 'base' or 'children'",
-                          inst->groupobj_scope_str);
-               goto error;
-       }
-
        /*
         *      Build the server side sort control for user objects
         */
index b55d634475c0faf16e11fba44230701d6631b88b..360d14208dbf41c210d61fb7c893b7c5344ab8fa 100644 (file)
@@ -44,7 +44,6 @@ typedef struct {
        /*
         *      User object attributes and filters
         */
-       char const      *userobj_scope_str;             //!< Scope (sub, one, base).
        char const      *userobj_sort_by;               //!< List of attributes to sort by.
        LDAPControl     *userobj_sort_ctrl;             //!< Server side sort control.
 
@@ -69,7 +68,6 @@ typedef struct {
         *      Group object attributes and filters
         */
        char const      *groupobj_filter;               //!< Filter to retrieve only group objects.
-       char const      *groupobj_scope_str;            //!< Scope (sub, one, base).
        int             groupobj_scope;                 //!< Search scope.
 
        char const      *groupobj_name_attr;            //!< The name of the group.
@@ -104,6 +102,7 @@ typedef struct {
        /*
         *      Profiles
         */
+       int             profile_scope;                  //!< Search scope.
        char const      *profile_attr;                  //!< Attribute that identifies profiles to apply. May appear
                                                        //!< in userobj or groupobj.
        char const      *profile_attr_suspend;          //!< Attribute that identifies profiles to apply when the user's
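Review bot: The doc comment on the new `profile_scope` field at line 113, `//!< Search scope.`, repeats the text used for `groupobj_scope` at line 106 and says nothing about the value domain or the default, whereas the removed `*_scope_str` comments at least listed `(sub, one, base)`. Suggest `//!< Search scope for profile lookups (LDAP_SCOPE_*); config default "base".` The default comes from the `profile_config` parser entry in rlm_ldap.c, which sets `.dflt = "base"`.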