From: Jorge Pereira
Date: Fri, 26 May 2023 01:54:24 +0000 (-0300)
Subject: make LDAP use flat or nested attributes
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=706b78ce9a7b154239354434407deb51459bdfed;p=thirdparty%2Ffreeradius-server.git
make LDAP use flat or nested attributes
---
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index 145a21f8a1b..461d578a4c1 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -251,6 +251,7 @@ fr_dict_autoload_t rlm_ldap_dict[] = {
 { NULL }
 };
+fr_dict_attr_t const *attr_password;
 fr_dict_attr_t const *attr_cleartext_password;
 fr_dict_attr_t const *attr_crypt_password;
 fr_dict_attr_t const *attr_ldap_userdn;
@@ -262,6 +263,7 @@ fr_dict_attr_t const *attr_user_name;
 extern fr_dict_attr_autoload_t rlm_ldap_dict_attr[];
 fr_dict_attr_autoload_t rlm_ldap_dict_attr[] = {
+ { .out = &attr_password, .name = "Password", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
 { .out = &attr_cleartext_password, .name = "Password.Cleartext", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
 { .out = &attr_crypt_password, .name = "Password.Crypt", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
 { .out = &attr_ldap_userdn, .name = "LDAP-UserDN", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
@@ -1388,7 +1390,7 @@ static unlang_action_t mod_authorize_resume(rlm_rcode_t *p_result, UNUSED int *p
 /*
 * We already have a Password.Cleartext. Skip edir.
 */
- if (fr_pair_find_by_da(&request->control_pairs, NULL, attr_cleartext_password)) goto skip_edir;
+ if (fr_pair_find_by_da_nested(&request->control_pairs, NULL, attr_cleartext_password)) goto skip_edir;
 /*
 * Retrieve Universal Password if we use eDirectory
diff --git a/src/modules/rlm_ldap/rlm_ldap.h b/src/modules/rlm_ldap/rlm_ldap.h
index f9ca698a10d..f8d4301b5de 100644
--- a/src/modules/rlm_ldap/rlm_ldap.h
+++ b/src/modules/rlm_ldap/rlm_ldap.h
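Review bot: The eDirectory skip in mod_authorize_resume now calls `fr_pair_find_by_da_nested(&request->control_pairs, NULL, attr_cleartext_password)` directly on the control list, whereas rlm_ldap_check_reply in user.c (same commit) first resolves the `Password` TLV and then searches `parent->vp_group`; the two sites should agree on one lookup rule so that a Password.Cleartext pair found by one is always found by the other. Since this check decides whether the Universal Password is fetched from eDirectory at all, the existing comment should state the accepted forms, e.g. `/* We already have a Password.Cleartext (flat, or nested under Password). Skip edir. */`. How deep the nested search descends, and whether it also looks inside unrelated TLVs, is not visible in this hunk. The `skip_edir` label and the remainder of mod_authorize_resume lie outside the hunk.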
@@ -205,6 +205,7 @@ typedef struct {
 bool found;
 } ldap_memberof_xlat_ctx_t;
+extern HIDDEN fr_dict_attr_t const *attr_password;
 extern HIDDEN fr_dict_attr_t const *attr_cleartext_password;
 extern HIDDEN fr_dict_attr_t const *attr_crypt_password;
 extern HIDDEN fr_dict_attr_t const *attr_ldap_userdn;
diff --git a/src/modules/rlm_ldap/user.c b/src/modules/rlm_ldap/user.c
index 7ae36a8784e..8de714c678b 100644
--- a/src/modules/rlm_ldap/user.c
+++ b/src/modules/rlm_ldap/user.c
@@ -221,8 +221,9 @@ rlm_rcode_t rlm_ldap_check_access(rlm_ldap_t const *inst, request_t *request, LD
 void rlm_ldap_check_reply(module_ctx_t const *mctx, request_t *request, fr_ldap_thread_trunk_t const *ttrunk)
 {
 rlm_ldap_t *inst = talloc_get_type_abort(mctx->inst->data, rlm_ldap_t);
+ fr_pair_t *parent;
- /*
+ /*
 * More warning messages for people who can't be bothered to read the documentation.
 *
 * Expect_password is set when we process the mapping, and is only true if there was a mapping between
@@ -230,11 +231,14 @@ void rlm_ldap_check_reply(module_ctx_t const *mctx, request_t *request, fr_ldap_
 */
 if (!inst->expect_password || !RDEBUG_ENABLED2) return;
- if (!fr_pair_find_by_da(&request->control_pairs, NULL, attr_cleartext_password) &&
- !fr_pair_find_by_da(&request->control_pairs, NULL, attr_nt_password) &&
+ parent = fr_pair_find_by_da_nested(&request->control_pairs, NULL, attr_password);
+ if (!parent) parent = request->control_ctx;
+
+ if (!fr_pair_find_by_da_nested(&parent->vp_group, NULL, attr_cleartext_password) &&
+ !fr_pair_find_by_da_nested(&parent->vp_group, NULL, attr_nt_password) &&
 !fr_pair_find_by_da(&request->control_pairs, NULL, attr_user_password) &&
- !fr_pair_find_by_da(&request->control_pairs, NULL, attr_password_with_header) &&
- !fr_pair_find_by_da(&request->control_pairs, NULL, attr_crypt_password)) {
+ !fr_pair_find_by_da_nested(&parent->vp_group, NULL, attr_password_with_header) &&
+ !fr_pair_find_by_da_nested(&parent->vp_group, NULL, attr_crypt_password)) {
 switch (ttrunk->directory->type) {
 case FR_LDAP_DIRECTORY_ACTIVE_DIRECTORY:
 RWDEBUG2("!!! Found map between LDAP attribute and a FreeRADIUS password attribute");
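Review bot: In the rewritten `if`, `attr_user_password` is the only attribute still looked up flat in `request->control_pairs` while the other four go through `parent->vp_group`; if that asymmetry is deliberate because User-Password is not a child of the `Password` TLV, a one-line comment should say so, otherwise it should use the same `parent`-based lookup so the warning fires consistently for every password form. The fallback `if (!parent) parent = request->control_ctx;` only preserves the previous behaviour if `control_ctx` is a group-typed pair whose `vp_group` is the control list, which this hunk does not show; suggest `/* No Password TLV: fall back to the flat control list via control_ctx->vp_group */` above it so that assumption is explicit for the next reader. This path runs only when `inst->expect_password && RDEBUG_ENABLED2`, so a lookup that misses changes the diagnostic output rather than which credentials authentication actually sees, but the confusing "no password attribute" warning is exactly what operators rely on when a mapping is wrong. The `switch` and the rest of rlm_ldap_check_reply continue past the end of the hunk.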