From: Arran Cudbard-Bell Date: Fri, 12 Apr 2024 01:34:49 +0000 (-0600) Subject: Add expect_password to disable password warnings in rlm_ldap X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc66000093726b009cc038fa4177559283bb2365;p=thirdparty%2Ffreeradius-server.git Add expect_password to disable password warnings in rlm_ldap --- diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap index 3c11751c60b..44c0e1f541c 100644 --- a/raddb/mods-available/ldap +++ b/raddb/mods-available/ldap @@ -373,6 +373,14 @@ ldap { # to indicate that the user should be suspended. # # access_value_suspend = 'suspended' + + # + # expect_password:: When set to no, disable warnings for missing password + # attributes in user objects returned from LDAP. This is useful for + # ISP environments where some subscribers have passwords set, and others + # do not (e.g. mixed IPoE and PPPoE). + # +# expect_password = no } # diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c index 10246048395..b19e616a80f 100644 --- a/src/modules/rlm_ldap/rlm_ldap.c +++ b/src/modules/rlm_ldap/rlm_ldap.c @@ -104,6 +104,7 @@ static conf_parser_t user_config[] = { { FR_CONF_OFFSET("access_positive", rlm_ldap_t, user.access_positive), .dflt = "yes" }, { FR_CONF_OFFSET("access_value_negate", rlm_ldap_t, user.access_value_negate), .dflt = "false" }, { FR_CONF_OFFSET("access_value_suspend", rlm_ldap_t, user.access_value_suspend), .dflt = "suspended" }, + { FR_CONF_OFFSET_IS_SET("expect_password", FR_TYPE_BOOL, 0, rlm_ldap_t, user.expect_password) }, CONF_PARSER_TERMINATOR }; 
@@ -1655,7 +1656,7 @@ static unlang_action_t mod_authorize_resume(rlm_rcode_t *p_result, UNUSED int *p if (fr_ldap_map_do(request, inst->valuepair_attr, &autz_ctx->expanded, autz_ctx->entry) > 0) rcode = RLM_MODULE_UPDATED; REXDENT(); - rlm_ldap_check_reply(request, autz_ctx->dlinst->name, call_env->expect_password->vb_bool, autz_ctx->ttrunk); + rlm_ldap_check_reply(request, inst, autz_ctx->dlinst->name, call_env->expect_password->vb_bool, autz_ctx->ttrunk); } FALL_THROUGH; diff --git a/src/modules/rlm_ldap/rlm_ldap.h b/src/modules/rlm_ldap/rlm_ldap.h index 22cddf3c591..afdbfe5ad7c 100644 --- a/src/modules/rlm_ldap/rlm_ldap.h +++ b/src/modules/rlm_ldap/rlm_ldap.h @@ -50,6 +50,9 @@ typedef struct { char const *access_value_suspend; //!< Value that indicates suspension. Is not affected by ///< access_positive and will always allow access, but will apply ///< a different profile. + bool expect_password; //!< Allow the user to forcefully decide if a password should be + ///< expected. Controls whether warnings are issued. + bool expect_password_is_set; //!< Whether an expect password value was provided. } user; /* @@ -258,7 +261,7 @@ unlang_action_t rlm_ldap_find_user_async(TALLOC_CTX *ctx, rlm_ldap_t const *inst ldap_access_state_t rlm_ldap_check_access(rlm_ldap_t const *inst, request_t *request, LDAPMessage *entry); -void rlm_ldap_check_reply(request_t *request, char const *inst_name, bool expect_password, fr_ldap_thread_trunk_t const *ttrunk); +void rlm_ldap_check_reply(request_t *request, rlm_ldap_t *inst, char const *inst_name, bool expect_password, fr_ldap_thread_trunk_t const *ttrunk); /* * groups.c - Group membership functions. diff --git a/src/modules/rlm_ldap/user.c b/src/modules/rlm_ldap/user.c index 9b04d80636f..2be5316bd85 100644 --- a/src/modules/rlm_ldap/user.c +++ b/src/modules/rlm_ldap/user.c 
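Review bot: The comment on `expect_password` in the `user` struct says the setting lets the user forcefully decide whether a password is expected, but the only use visible in this commit (the early return in `rlm_ldap_check_reply` in user.c) acts solely when the value was set and is false. As far as these hunks show, an explicit `expect_password = yes` therefore behaves the same as leaving the option unset. I would reword the field comment to `//!< When explicitly set to no, suppresses the missing-password warnings for this instance; yes does not force them.` so that it matches the raddb text, which describes only the `no` case. The struct starts outside the hunk.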
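Review bot: The new prototype takes `rlm_ldap_t *inst`, while the hunk header for user.c in this same patch shows the definition as `rlm_ldap_check_reply(request_t *request, rlm_ldap_t const *inst, ...`, so the two declarations disagree on the constness of the pointee. The function only reads `inst->user.*` in the visible hunk, and the neighbouring prototypes (`rlm_ldap_find_user_async`, `rlm_ldap_check_access`) already take `rlm_ldap_t const *inst`. The declaration should read `void rlm_ldap_check_reply(request_t *request, rlm_ldap_t const *inst, char const *inst_name, bool expect_password, fr_ldap_thread_trunk_t const *ttrunk);`. If user.c includes this header, the compiler is likely to reject the mismatch as conflicting types; that is inferred, since the include is not visible here.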
@@ -254,7 +254,7 @@ void rlm_ldap_check_reply(request_t *request, rlm_ldap_t const *inst, char const * Expect_password is set when we process the mapping, and is only true if there was a mapping between * an LDAP attribute and a password reference attribute in the control list. */ - if (!expect_password || !RDEBUG_ENABLED2) return; + if ((inst->user.expect_password_is_set && !inst->user.expect_password) || !expect_password || !RDEBUG_ENABLED2) return; parent = fr_pair_find_by_da_nested(&request->control_pairs, NULL, attr_password); if (!parent) parent = request->control_ctx;
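Review bot: The block comment directly above the changed `if` still explains only the mapping-derived `expect_password` argument, so the new instance-level override is undocumented at the place it takes effect, and the condition now mixes two different things with the same name (`inst->user.expect_password` and the `expect_password` parameter). I would extend that comment with something like `* An explicit expect_password = no in the module configuration overrides this and silences the checks for every user handled by the instance.` The override is instance-wide, so it also hides the hint for user objects that should carry a password but whose password attribute was not returned; the raddb text could say so. The checks were already limited to debug level 2 by `RDEBUG_ENABLED2`, which limits how much is lost. The function body starts and ends outside the hunk.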