]> git.ipfire.org Git - thirdparty/freeradius-server.git/commitdiff
projects / thirdparty / freeradius-server.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 43c0300)
make LDAP use flat or nested attributes
authorJorge Pereira <jpereira@freeradius.org>
Fri, 26 May 2023 01:54:24 +0000 (22:54 -0300)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Mon, 29 May 2023 21:02:48 +0000 (16:02 -0500)
src/modules/rlm_ldap/rlm_ldap.c patch | blob | blame | history
src/modules/rlm_ldap/rlm_ldap.h patch | blob | blame | history
src/modules/rlm_ldap/user.c patch | blob | blame | history

diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index 145a21f8a1b512ac66a245d474260cef20426dc6..461d578a4c15e8c20f00a6ad19e565807d58a41e 100644 (file)
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -251,6 +251,7 @@ fr_dict_autoload_t rlm_ldap_dict[] = {
        { NULL }
 };
 
+fr_dict_attr_t const *attr_password;
 fr_dict_attr_t const *attr_cleartext_password;
 fr_dict_attr_t const *attr_crypt_password;
 fr_dict_attr_t const *attr_ldap_userdn;
@@ -262,6 +263,7 @@ fr_dict_attr_t const *attr_user_name;
 
 extern fr_dict_attr_autoload_t rlm_ldap_dict_attr[];
 fr_dict_attr_autoload_t rlm_ldap_dict_attr[] = {
+       { .out = &attr_password, .name = "Password", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
        { .out = &attr_cleartext_password, .name = "Password.Cleartext", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
        { .out = &attr_crypt_password, .name = "Password.Crypt", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
        { .out = &attr_ldap_userdn, .name = "LDAP-UserDN", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
@@ -1388,7 +1390,7 @@ static unlang_action_t mod_authorize_resume(rlm_rcode_t *p_result, UNUSED int *p
                /*
                 *      We already have a Password.Cleartext.  Skip edir.
                 */
-               if (fr_pair_find_by_da(&request->control_pairs, NULL, attr_cleartext_password)) goto skip_edir;
+               if (fr_pair_find_by_da_nested(&request->control_pairs, NULL, attr_cleartext_password)) goto skip_edir;
 
                /*
                 *      Retrieve Universal Password if we use eDirectory
diff --git a/src/modules/rlm_ldap/rlm_ldap.h b/src/modules/rlm_ldap/rlm_ldap.h
index f9ca698a10def80cd02e79f901c88ff00144b9b9..f8d4301b5de583e519fb85d5f0d74bcca8be0080 100644 (file)
--- a/src/modules/rlm_ldap/rlm_ldap.h
+++ b/src/modules/rlm_ldap/rlm_ldap.h
@@ -205,6 +205,7 @@ typedef struct {
        bool                            found;
 } ldap_memberof_xlat_ctx_t;
 
+extern HIDDEN fr_dict_attr_t const *attr_password;
 extern HIDDEN fr_dict_attr_t const *attr_cleartext_password;
 extern HIDDEN fr_dict_attr_t const *attr_crypt_password;
 extern HIDDEN fr_dict_attr_t const *attr_ldap_userdn;
diff --git a/src/modules/rlm_ldap/user.c b/src/modules/rlm_ldap/user.c
index 7ae36a8784e2f354179b31790114d8e226b144aa..8de714c678bf2aa47a8985fc186ba3bd83c00963 100644 (file)
--- a/src/modules/rlm_ldap/user.c
+++ b/src/modules/rlm_ldap/user.c
@@ -221,8 +221,9 @@ rlm_rcode_t rlm_ldap_check_access(rlm_ldap_t const *inst, request_t *request, LD
 void rlm_ldap_check_reply(module_ctx_t const *mctx, request_t *request, fr_ldap_thread_trunk_t const *ttrunk)
 {
        rlm_ldap_t      *inst = talloc_get_type_abort(mctx->inst->data, rlm_ldap_t);
+       fr_pair_t       *parent;
 
-       /*
+   /*
        *       More warning messages for people who can't be bothered to read the documentation.
        *
        *       Expect_password is set when we process the mapping, and is only true if there was a mapping between
@@ -230,11 +231,14 @@ void rlm_ldap_check_reply(module_ctx_t const *mctx, request_t *request, fr_ldap_
        */
        if (!inst->expect_password || !RDEBUG_ENABLED2) return;
 
-       if (!fr_pair_find_by_da(&request->control_pairs, NULL, attr_cleartext_password) &&
-           !fr_pair_find_by_da(&request->control_pairs, NULL, attr_nt_password) &&
+       parent = fr_pair_find_by_da_nested(&request->control_pairs, NULL, attr_password);
+       if (!parent) parent = request->control_ctx;
+
+       if (!fr_pair_find_by_da_nested(&parent->vp_group, NULL, attr_cleartext_password) &&
+           !fr_pair_find_by_da_nested(&parent->vp_group, NULL, attr_nt_password) &&
            !fr_pair_find_by_da(&request->control_pairs, NULL, attr_user_password) &&
-           !fr_pair_find_by_da(&request->control_pairs, NULL, attr_password_with_header) &&
-           !fr_pair_find_by_da(&request->control_pairs, NULL, attr_crypt_password)) {
+           !fr_pair_find_by_da_nested(&parent->vp_group, NULL, attr_password_with_header) &&
+           !fr_pair_find_by_da_nested(&parent->vp_group, NULL, attr_crypt_password)) {
                switch (ttrunk->directory->type) {
                case FR_LDAP_DIRECTORY_ACTIVE_DIRECTORY:
                        RWDEBUG2("!!! Found map between LDAP attribute and a FreeRADIUS password attribute");
Mirror of https://github.com/FreeRADIUS/freeradius-server.git