From: Arran Cudbard-Bell
Date: Mon, 4 Sep 2023 09:00:06 +0000 (-0600)
Subject: ldap: Make profile search scope configurable
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=53603fb6e3cc1623eb4a40b226e8a897cb7f7a00;p=thirdparty%2Ffreeradius-server.git

ldap: Make profile search scope configurable

... because reasons.
---

diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap
index a0b944344d0..c775687bad6 100644
--- a/raddb/mods-available/ldap
+++ b/raddb/mods-available/ldap
@@ -488,6 +488,14 @@ ldap {
 	#
 	# filter = '(objectclass=radiusprofile)'
 
+	#
+	# scope:: Search scope, may be `base`, `one`, `sub` or `children`.
+	#
+	# Should usually be left as "base", to retrieve the specific profile
+	# specified by 'default' or in the user or group objects.
+	#
+#	scope = 'base'
+
 	#
 	# default:: The default profile. This may be a DN or an attribute reference.
 	#
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index 202ecd902f1..ba63c9cad1f 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -71,6 +71,8 @@ static const call_env_t sasl_call_env[] = {
 };
 
 static CONF_PARSER profile_config[] = {
+	{ FR_CONF_OFFSET("scope", FR_TYPE_INT32, rlm_ldap_t, profile_scope), .dflt = "base",
+	  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },
 	{ FR_CONF_OFFSET("attribute", FR_TYPE_STRING, rlm_ldap_t, profile_attr) },
 	{ FR_CONF_OFFSET("attribute_suspend", FR_TYPE_STRING, rlm_ldap_t, profile_attr_suspend) },
 	CONF_PARSER_TERMINATOR
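Review bot: The `.func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len }` pair on the new profile_config entry is repeated verbatim in the user_config and group_config hunks below; one file-scope `static cf_table_parse_ctx_t const ldap_scope_parse_ctx = { .table = fr_ldap_scope, .len = &fr_ldap_scope_len };` referenced from all three entries would keep the accepted scope values in a single place (assuming `.uctx` accepts a pointer to const; otherwise drop the qualifier). The entry would also benefit from a short comment such as `/* "base" keeps the previous hard-coded LDAP_SCOPE_BASE behaviour for existing configurations */` so a reader knows the default is a compatibility choice rather than an arbitrary one.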
@@ -88,7 +90,8 @@ static const call_env_t autz_profile_call_env[] = {
  *	User configuration
  */
 static CONF_PARSER user_config[] = {
-	{ FR_CONF_OFFSET("scope", FR_TYPE_STRING, rlm_ldap_t, userobj_scope_str), .dflt = "sub" },
+	{ FR_CONF_OFFSET("scope", FR_TYPE_INT32, rlm_ldap_t, userobj_scope), .dflt = "sub",
+	  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },
 	{ FR_CONF_OFFSET("sort_by", FR_TYPE_STRING, rlm_ldap_t, userobj_sort_by) },
 
 	{ FR_CONF_OFFSET("access_attribute", FR_TYPE_STRING, rlm_ldap_t, userobj_access_attr) },
@@ -123,7 +126,8 @@ user_call_env(memberof, ldap_memberof_call_env_t);
  */
 static CONF_PARSER group_config[] = {
 	{ FR_CONF_OFFSET("filter", FR_TYPE_STRING, rlm_ldap_t, groupobj_filter) },
-	{ FR_CONF_OFFSET("scope", FR_TYPE_STRING, rlm_ldap_t, groupobj_scope_str), .dflt = "sub" },
+	{ FR_CONF_OFFSET("scope", FR_TYPE_INT32, rlm_ldap_t, groupobj_scope), .dflt = "sub",
+	  .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = fr_ldap_scope, .len = &fr_ldap_scope_len } },
 
 	{ FR_CONF_OFFSET("name_attribute", FR_TYPE_STRING, rlm_ldap_t, groupobj_name_attr), .dflt = "cn" },
 	{ FR_CONF_OFFSET("membership_attribute", FR_TYPE_STRING, rlm_ldap_t, userobj_membership_attr) },
@@ -1329,7 +1333,7 @@ static unlang_action_t rlm_ldap_map_profile(request_t *request, ldap_autz_ctx_t
 	}
 
 	return fr_ldap_trunk_search(&ret, profile_ctx, &profile_ctx->query, request, ttrunk, dn,
-				    LDAP_SCOPE_BASE, autz_ctx->call_env->profile_filter.vb_strvalue,
+				    inst->profile_scope, autz_ctx->call_env->profile_filter.vb_strvalue,
 				    expanded->attrs, NULL, NULL);
 }
 
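Review bot: Validation of `user.scope` now rests entirely on `cf_table_parse_int` rejecting strings absent from fr_ldap_scope, because the explicit check that logged "expected 'sub', 'one', 'base' or 'children'" is dropped from mod_instantiate in a later hunk; it is worth confirming that the table parser's failure message also names the accepted values, otherwise a misconfigured scope becomes harder to diagnose than before. The same observation applies to `group.scope` in the group_config hunk. The user_config array continues past the end of this hunk.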
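Review bot: Replacing `LDAP_SCOPE_BASE` with `inst->profile_scope` in the fr_ldap_trunk_search call means a profile search can now return several entries (for `one`, `sub` or `children`) where it previously returned at most the single object named by `dn`, and the hunk does not show how the result is consumed; confirm that the result handler either applies every returned entry deliberately or logs and rejects a multi-entry result rather than silently using the first. Since the profile DN may be taken from user or group object attributes, a wider scope combined with a container DN would pull in every matching entry beneath it, which is presumably why the config sample advises leaving the scope at base. A comment at the call site such as `/* profile_scope defaults to base; wider scopes may match more than one profile entry */` would make that trade-off visible. rlm_ldap_map_profile begins before this hunk.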
@@ -2343,23 +2347,6 @@ static int mod_instantiate(module_inst_ctx_t const *mctx)
 		}
 	}
 
-	/*
-	 *	Convert scope strings to enumerated constants
-	 */
-	inst->userobj_scope = fr_table_value_by_str(fr_ldap_scope, inst->userobj_scope_str, -1);
-	if (inst->userobj_scope < 0) {
-		cf_log_err(conf, "Invalid 'user.scope' value \"%s\", expected 'sub', 'one', 'base' or 'children'",
-			   inst->userobj_scope_str);
-		goto error;
-	}
-
-	inst->groupobj_scope = fr_table_value_by_str(fr_ldap_scope, inst->groupobj_scope_str, -1);
-	if (inst->groupobj_scope < 0) {
-		cf_log_err(conf, "Invalid 'group.scope' value \"%s\", expected 'sub', 'one', 'base' or 'children'",
-			   inst->groupobj_scope_str);
-		goto error;
-	}
-
 	/*
 	 *	Build the server side sort control for user objects
 	 */
diff --git a/src/modules/rlm_ldap/rlm_ldap.h b/src/modules/rlm_ldap/rlm_ldap.h
index b55d634475c..360d14208db 100644
--- a/src/modules/rlm_ldap/rlm_ldap.h
+++ b/src/modules/rlm_ldap/rlm_ldap.h
@@ -44,7 +44,6 @@ typedef struct {
 	/*
 	 *	User object attributes and filters
 	 */
-	char const *userobj_scope_str; //!< Scope (sub, one, base).
 	char const *userobj_sort_by; //!< List of attributes to sort by.
 	LDAPControl *userobj_sort_ctrl; //!< Server side sort control.
 
@@ -69,7 +68,6 @@ typedef struct {
 	 *	Group object attributes and filters
 	 */
 	char const *groupobj_filter; //!< Filter to retrieve only group objects.
-	char const *groupobj_scope_str; //!< Scope (sub, one, base).
 	int groupobj_scope; //!< Search scope.
 
 	char const *groupobj_name_attr; //!< The name of the group.
@@ -104,6 +102,7 @@ typedef struct {
 	/*
 	 *	Profiles
 	 */
+	int profile_scope; //!< Search scope.
 	char const *profile_attr; //!< Attribute that identifies profiles to apply. May appear
 	//!< in userobj or groupobj.
 	char const *profile_attr_suspend; //!< Attribute that identifies profiles to apply when the user's
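Review bot: The comment on the new `profile_scope` field, `//!< Search scope.`, repeats the wording used for groupobj_scope and says neither where the value comes from nor what it defaults to, which matters here because base is the only value that keeps the old single-entry lookup behaviour; suggest `//!< Scope for profile searches, parsed from profile.scope via fr_ldap_scope (default base).` The enclosing typedef struct begins before this hunk.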