From: Arran Cudbard-Bell
Date: Thu, 11 Apr 2024 20:48:48 +0000 (-0600)
Subject: Apply attribute maps before profiles
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2df16d2ab027cbffb60deb4a9a45bef28a7fa7c;p=thirdparty%2Ffreeradius-server.git
Apply attribute maps before profiles
---
diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap
index 8de2aec42bf..3c11751c60b 100644
--- a/raddb/mods-available/ldap
+++ b/raddb/mods-available/ldap
@@ -182,6 +182,9 @@ ldap {
 # section name to set default destination requests/lists
 # for `s` with no list qualifiers.
 #
+ # These attribute maps are applied _before_ any profiles, meaning that
+ # the values here can be referenced in profiles using expansions.
+ #
 # NOTE: LDAP attribute names should be single quoted unless you want
 # the name to be derived from an xlat expansion, or an attribute ref.
 #
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index ee7141b6556..8c16ac53ec7 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -1631,6 +1631,7 @@ static unlang_action_t mod_authorize_resume(rlm_rcode_t *p_result, UNUSED int *p
 goto skip_edir;
 case LDAP_AUTZ_POST_EDIR:
+ {
 /*
 * The result of the eDirectory user bind will be in p_result.
 * Anything other than RLM_MODULE_OK is a failure.
@@ -1640,8 +1641,25 @@ static unlang_action_t mod_authorize_resume(rlm_rcode_t *p_result, UNUSED int *p
 goto finish;
 }
+ }
+ FALL_THROUGH;
+
+#endif
+ case LDAP_AUTZ_MAP:
+#ifdef WITH_EDIR
 skip_edir:
 #endif
+ if (!map_list_empty(call_env->user_map) || inst->valuepair_attr) {
+ RDEBUG2("Processing user attributes");
+ RINDENT();
+ if (fr_ldap_map_do(request, inst->valuepair_attr,
+ &autz_ctx->expanded, autz_ctx->entry) > 0) rcode = RLM_MODULE_UPDATED;
+ REXDENT();
+ rlm_ldap_check_reply(request, autz_ctx->dlinst->name, call_env->expect_password->vb_bool, autz_ctx->ttrunk);
+ }
+ FALL_THROUGH;
+
+ case LDAP_AUTZ_DEFAULT_PROFILE:
 /*
 * Apply ONE user profile, or a default user profile.
 */
@@ -1743,17 +1761,6 @@ static unlang_action_t mod_authorize_resume(rlm_rcode_t *p_result, UNUSED int *p
 break;
 }
 }
- FALL_THROUGH;
-
- case LDAP_AUTZ_MAP:
- if (!map_list_empty(call_env->user_map) || inst->valuepair_attr) {
- RDEBUG2("Processing user attributes");
- RINDENT();
- if (fr_ldap_map_do(request, inst->valuepair_attr,
- &autz_ctx->expanded, autz_ctx->entry) > 0) rcode = RLM_MODULE_UPDATED;
- REXDENT();
- rlm_ldap_check_reply(request, autz_ctx->dlinst->name, call_env->expect_password->vb_bool, autz_ctx->ttrunk);
- }
 }
 finish:
diff --git a/src/modules/rlm_ldap/rlm_ldap.h b/src/modules/rlm_ldap/rlm_ldap.h
index 5a40a8bec51..3c0f82e810b 100644
--- a/src/modules/rlm_ldap/rlm_ldap.h
+++ b/src/modules/rlm_ldap/rlm_ldap.h
@@ -167,9 +167,10 @@ typedef enum {
 LDAP_AUTZ_EDIR_BIND,
 LDAP_AUTZ_POST_EDIR,
 #endif
+ LDAP_AUTZ_MAP,
+ LDAP_AUTZ_DEFAULT_PROFILE,
 LDAP_AUTZ_POST_DEFAULT_PROFILE,
 LDAP_AUTZ_USER_PROFILE,
- LDAP_AUTZ_MAP
 } ldap_autz_status_t;
 /** User's access state
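Review bot: Moving the user attribute map ahead of the profile states at `case LDAP_AUTZ_MAP:` reverses the precedence between per-user attributes and profile attributes, and neither the code nor the raddb comment says so: a profile map entry with an overwriting operator would now replace a value the user's own entry set, where previously (see the removed block in the @@ -1743 hunk) the user entry ran last and won — worth confirming against the map operator semantics and calling out as a behaviour change for deployments that rely on per-user overrides of a default profile. A comment above `case LDAP_AUTZ_MAP:` such as `/* User maps run before profiles so profiles can expand them; on conflicting attributes the profile's operator now decides */` would make the intent explicit. `rlm_ldap_check_reply()` also now runs before any profile is applied, so if that check only sees the attributes added so far, a profile that supplies the expected password attribute would be reported as missing; please verify that path. mod_authorize_resume starts and ends outside this hunk.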
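Review bot: The enumerator order in `ldap_autz_status_t` now appears to encode the execution order of the fall-through switch in mod_authorize_resume (LDAP_AUTZ_MAP before LDAP_AUTZ_DEFAULT_PROFILE), but nothing in the header states that the order is significant. A comment on the typedef such as `/* Order matters: mod_authorize_resume falls through these states in sequence */` would stop a future reordering from silently changing the authorize flow.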