From: Nick Porter
Date: Wed, 29 Jan 2025 11:28:39 +0000 (+0000)
Subject: Add profile check attr to LDAP search request maps
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6fd310e4c4a20e33433b9a0023d48a25bdf17e2f;p=thirdparty%2Ffreeradius-server.git
Add profile check attr to LDAP search request maps
---
diff --git a/src/lib/ldap/base.h b/src/lib/ldap/base.h
index deec044d33b..2998637ea58 100644
--- a/src/lib/ldap/base.h
+++ b/src/lib/ldap/base.h
@@ -854,7 +854,8 @@ int fr_ldap_map_getvalue(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *reque
 int fr_ldap_map_verify(map_t *map, void *instance);
-int fr_ldap_map_expand(TALLOC_CTX *ctx, fr_ldap_map_exp_t *expanded, request_t *request, map_list_t const *maps, char const *generic_attr);
+int fr_ldap_map_expand(TALLOC_CTX *ctx, fr_ldap_map_exp_t *expanded, request_t *request,
+ map_list_t const *maps, char const *generic_attr, char const *check_attr);
 int fr_ldap_map_do(request_t *request, char const *valuepair_attr, fr_ldap_map_exp_t const *expanded, LDAPMessage *entry);
diff --git a/src/lib/ldap/map.c b/src/lib/ldap/map.c
index de9c1b74923..4fed0e90519 100644
--- a/src/lib/ldap/map.c
+++ b/src/lib/ldap/map.c
@@ -268,7 +268,8 @@ int fr_ldap_map_verify(map_t *map, UNUSED void *instance)
 * - 0 on success.
 * - -1 on failure.
 */
-int fr_ldap_map_expand(TALLOC_CTX *ctx, fr_ldap_map_exp_t *expanded, request_t *request, map_list_t const *maps, char const *generic_attr)
+int fr_ldap_map_expand(TALLOC_CTX *ctx, fr_ldap_map_exp_t *expanded, request_t *request, map_list_t const *maps,
+ char const *generic_attr, char const *check_attr)
 {
 map_t const *map = NULL;
 unsigned int total = 0;
@@ -296,6 +297,7 @@ int fr_ldap_map_expand(TALLOC_CTX *ctx, fr_ldap_map_exp_t *expanded, request_t *
 }
 if (generic_attr) expanded->attrs[total++] = generic_attr;
+ if (check_attr) expanded->attrs[total++] = check_attr;
 expanded->attrs[total] = NULL;
 expanded->count = total;
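Review bot: The doc comment above `fr_ldap_map_expand` in src/lib/ldap/map.c is not updated for the new parameter; only its return-value lines are visible in the first map.c hunk, so the parameter list itself is outside the hunk. Since two of the three call sites pass NULL, the contract should say that NULL is allowed, for example `@param[in] check_attr Optional extra attribute name to add to the search request; NULL to omit.`. If the prototype in base.h carries its own comment, it needs the same line.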
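Review bot: The added `if (check_attr) expanded->attrs[total++] = check_attr;` in the second map.c hunk consumes one more slot of `expanded->attrs`, and the next line still writes the NULL terminator at `attrs[total]`, but nothing visible checks `total` against the array's capacity. The declaration of `attrs` and the loop that bounds the mapped entries are outside the hunk, so this is worth confirming rather than a proven overflow. The headroom reserved in `fr_ldap_map_exp_t` has to cover generic_attr, check_attr, the terminator, and any entries a caller appends after this function returns. If `attrs` is a fixed-size array, a cheap guard before the terminator store would be `fr_assert(total < NUM_ELEMENTS(expanded->attrs));`.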
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index fe02e5a9618..d7d546669ee 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -1171,7 +1171,7 @@ static xlat_action_t ldap_profile_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor
 * Synchronous expansion of maps (fixme!)
 */
 if (fr_ldap_map_expand(xlat_ctx, &xlat_ctx->expanded, request, env_data->profile_map,
- inst->valuepair_attr) < 0) goto error;
+ inst->valuepair_attr, inst->profile_check_attr) < 0) goto error;
 ttrunk = fr_thread_ldap_trunk_get(t, host_url, handle_config->admin_identity, handle_config->admin_password, request, handle_config);
 if (host) ldap_memfree(host);
@@ -1383,7 +1383,7 @@ static unlang_action_t mod_map_proc(rlm_rcode_t *p_result, void const *mod_inst,
 /*
 * Expand the RHS of the maps to get the name of the attributes.
 */
- if (fr_ldap_map_expand(map_ctx, &map_ctx->expanded, request, maps, NULL) < 0) goto fail;
+ if (fr_ldap_map_expand(map_ctx, &map_ctx->expanded, request, maps, NULL, NULL) < 0) goto fail;
 /*
 * If the URL is :/// the parsed host will be NULL - use config default
@@ -1869,7 +1869,7 @@ static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, mod
 * User-Password here. LDAP authorization can be used
 * for many things besides searching for users.
 */
- if (fr_ldap_map_expand(autz_ctx, expanded, request, call_env->user_map, inst->valuepair_attr) < 0) {
+ if (fr_ldap_map_expand(autz_ctx, expanded, request, call_env->user_map, inst->valuepair_attr, NULL) < 0) {
 fail:
 talloc_free(autz_ctx);
 RETURN_MODULE_FAIL;
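Review bot: In the `ldap_profile_xlat` hunk, `inst->profile_check_attr` is only added to the attributes requested from the directory; no visible hunk in this commit reads the value that comes back. If the attribute is meant to gate whether a profile is applied, confirm that the evaluating code exists or lands with this change. Otherwise an operator could configure the option and assume a check that is not enforced. Also confirm that a profile entry lacking the attribute is handled the way the configuration documents. A short comment at the call would help, e.g. `/* profile_check_attr is requested here; it is evaluated when the profile entry is processed */`, adjusted to wherever that happens. The body of ldap_profile_xlat continues outside the hunk.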