# to indicate that the user should be suspended.
#
# access_value_suspend = 'suspended'
+
+ #
+ # expect_password:: When set to no, disable warnings for missing password
+ # attributes in user objects returned from LDAP. This is useful for
+ # ISP environments where some subscribers have passwords set, and others
+ # do not (e.g. mixed IPoE and PPPoE).
+ #
+# expect_password = no
}
#
{ FR_CONF_OFFSET("access_positive", rlm_ldap_t, user.access_positive), .dflt = "yes" },
{ FR_CONF_OFFSET("access_value_negate", rlm_ldap_t, user.access_value_negate), .dflt = "false" },
{ FR_CONF_OFFSET("access_value_suspend", rlm_ldap_t, user.access_value_suspend), .dflt = "suspended" },
+ { FR_CONF_OFFSET_IS_SET("expect_password", FR_TYPE_BOOL, 0, rlm_ldap_t, user.expect_password) },
CONF_PARSER_TERMINATOR
};
if (fr_ldap_map_do(request, inst->valuepair_attr,
&autz_ctx->expanded, autz_ctx->entry) > 0) rcode = RLM_MODULE_UPDATED;
REXDENT();
- rlm_ldap_check_reply(request, autz_ctx->dlinst->name, call_env->expect_password->vb_bool, autz_ctx->ttrunk);
+ rlm_ldap_check_reply(request, inst, autz_ctx->dlinst->name, call_env->expect_password->vb_bool, autz_ctx->ttrunk);
}
FALL_THROUGH;
char const *access_value_suspend; //!< Value that indicates suspension. Is not affected by
///< access_positive and will always allow access, but will apply
///< a different profile.
+ bool expect_password; //!< Allow the user to forcefully decide if a password should be
+ ///< expected. Controls whether warnings are issued.
+ bool expect_password_is_set; //!< Whether an expect password value was provided.
} user;
/*
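Review bot: The comment on the new `expect_password` member says the option lets the user forcefully decide whether a password is expected, but the only use visible in this commit, the guard in rlm_ldap_check_reply, acts only when the option is explicitly set to no. An explicit yes appears to behave the same as leaving the option unset, so the comment overstates what the field does. I would word it as `//!< When explicitly set to false, suppress the missing-password warning regardless of the attribute map.` and describe `expect_password_is_set` as what distinguishes an unset option from an explicit no. The struct starts outside this hunk.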
ldap_access_state_t rlm_ldap_check_access(rlm_ldap_t const *inst, request_t *request, LDAPMessage *entry);
-void rlm_ldap_check_reply(request_t *request, char const *inst_name, bool expect_password, fr_ldap_thread_trunk_t const *ttrunk);
+void rlm_ldap_check_reply(request_t *request, rlm_ldap_t *inst, char const *inst_name, bool expect_password, fr_ldap_thread_trunk_t const *ttrunk);
/*
* groups.c - Group membership functions.
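Review bot: The new parameter is declared `rlm_ldap_t *inst`, while rlm_ldap_check_access on the line above takes `rlm_ldap_t const *inst`, and the only use shown in this commit reads `inst->user.expect_password_is_set` and `inst->user.expect_password`. Declaring it `rlm_ldap_t const *inst` here and in the definition would keep the two prototypes parallel and let the compiler reject accidental writes to module instance data from a per-request path. The definition is outside this hunk, so confirm nothing there writes through the pointer.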
* Expect_password is set when we process the mapping, and is only true if there was a mapping between
* an LDAP attribute and a password reference attribute in the control list.
*/
- if (!expect_password || !RDEBUG_ENABLED2) return;
+ if ((inst->user.expect_password_is_set && !inst->user.expect_password) || !expect_password || !RDEBUG_ENABLED2) return;
parent = fr_pair_find_by_da_nested(&request->control_pairs, NULL, attr_password);
if (!parent) parent = request->control_ctx;
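Review bot: The guard on the changed line puts two different things named expect_password into one condition, the module option `inst->user.expect_password` and the per-request argument derived from the attribute map, and the comment above it still describes only the argument. Splitting it reads more clearly: `if (inst->user.expect_password_is_set && !inst->user.expect_password) return;` followed by the original `if (!expect_password || !RDEBUG_ENABLED2) return;`, with a line added to the comment saying that an explicit no silences the warning for every user handled by this instance. That matters operationally, because in a mixed deployment the option also hides the warning for subscribers that should have a password, so a broken password mapping becomes harder to spot in debug output. The function body starts and ends outside this hunk.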