From: Arran Cudbard-Bell Date: Wed, 6 Sep 2023 05:28:39 +0000 (-0600) Subject: ldap: Accept profile in either URI form or DN form X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e52b21946b251aae9f20d9617f0fa422a534fd83;p=thirdparty%2Ffreeradius-server.git ldap: Accept profile in either URI form or DN form --- diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c index 351dfb2da10..9f741a3a6fa 100644 --- a/src/modules/rlm_ldap/rlm_ldap.c +++ b/src/modules/rlm_ldap/rlm_ldap.c @@ -964,6 +964,7 @@ static xlat_action_t ldap_profile_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor LDAPURLDesc *ldap_url; int ldap_url_ret; + char const *dn; char const *filter; int scope; @@ -982,63 +983,67 @@ static xlat_action_t ldap_profile_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor return XLAT_ACTION_FAIL; } + /* + * Allocate a resumption context to store temporary resource and results + */ + MEM(xlat_ctx = talloc_zero(unlang_interpret_frame_talloc_ctx(request), ldap_xlat_profile_ctx_t)); + talloc_set_destructor(xlat_ctx, ldap_xlat_profile_ctx_free); + if (!ldap_is_ldap_url(uri->vb_strvalue)) { - REDEBUG("String passed does not look like an LDAP URL"); - return XLAT_ACTION_FAIL; - } + host_url = handle_config->server; + dn = talloc_typed_strdup_buffer(xlat_ctx, uri->vb_strvalue); + filter = env_data->profile_filter.vb_strvalue; + scope = inst->profile_scope; + } else { + ldap_url_ret = ldap_url_parse(uri->vb_strvalue, &ldap_url); + if (ldap_url_ret != LDAP_URL_SUCCESS){ + RPEDEBUG("Parsing LDAP URL failed - %s", fr_ldap_url_err_to_str(ldap_url_ret)); + error: + talloc_free(xlat_ctx); + ldap_free_urldesc(ldap_url); + return XLAT_ACTION_FAIL; + } - ldap_url_ret = ldap_url_parse(uri->vb_strvalue, &ldap_url); - if (ldap_url_ret != LDAP_URL_SUCCESS){ - RPEDEBUG("Parsing LDAP URL failed - %s", fr_ldap_url_err_to_str(ldap_url_ret)); - error: - talloc_free(xlat_ctx); - ldap_free_urldesc(ldap_url); - return XLAT_ACTION_FAIL; - } + /* + * The URL must specify a DN + */ + if (!ldap_url->lud_dn) { + REDEBUG("LDAP URI must specify a profile DN"); + goto error; + } - /* - * The URL must specify a DN - */ - if (!ldap_url->lud_dn) { - REDEBUG("LDAP URI must specify a profile DN"); - goto error; - } + dn = ldap_url->lud_dn; + /* + * Either we use the filter from the URL or we use the default filter + * configured for profiles. + */ + filter = ldap_url->lud_filter ? ldap_url->lud_filter : env_data->profile_filter.vb_strvalue; - /* - * Either we use the filter from the URL or we use the default filter - * configured for profiles. - */ - filter = ldap_url->lud_filter ? ldap_url->lud_filter : env_data->profile_filter.vb_strvalue; + /* + * Determine if the URL includes a scope. + */ + scope = ldap_url->lud_scope == LDAP_SCOPE_DEFAULT ? inst->profile_scope : ldap_url->lud_scope; - /* - * Determine if the URL includes a scope. - */ - scope = ldap_url->lud_scope == LDAP_SCOPE_DEFAULT ? inst->profile_scope : ldap_url->lud_scope; + /* + * Bind liftime of URL data to xlat_ctx + */ + xlat_ctx->url = ldap_url; - /* - * Allocate a resumption context to store temporary resource and results - */ - MEM(xlat_ctx = talloc(unlang_interpret_frame_talloc_ctx(request), ldap_xlat_profile_ctx_t)); - *xlat_ctx = (ldap_xlat_profile_ctx_t){ - .url = ldap_url - }; - talloc_set_destructor(xlat_ctx, ldap_xlat_profile_ctx_free); + /* + * If the URL is :/// the parsed host will be NULL - use config default + */ + if (!ldap_url->lud_host) { + host_url = handle_config->server; + } else { + host_url = host_uri_canonify(request, ldap_url, uri); + if (unlikely(host_url == NULL)) goto error; + } + } /* * Synchronous expansion of maps (fixme!) */ if (fr_ldap_map_expand(xlat_ctx, &xlat_ctx->expanded, request, &inst->user_map) < 0) goto error; - - /* - * If the URL is :/// the parsed host will be NULL - use config default - */ - if (!ldap_url->lud_host) { - host_url = handle_config->server; - } else { - host_url = host_uri_canonify(request, ldap_url, uri); - if (unlikely(host_url == NULL)) goto error; - } - ttrunk = fr_thread_ldap_trunk_get(t, host_url, handle_config->admin_identity, handle_config->admin_password, request, handle_config); if (host) ldap_memfree(host); @@ -1052,7 +1057,7 @@ static xlat_action_t ldap_profile_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor /* * Pushes a frame onto the stack to retrieve and evaluate a profile */ - if (rlm_ldap_map_profile(&xlat_ctx->ret, inst, request, ttrunk, ldap_url->lud_dn, scope, filter, &xlat_ctx->expanded) < 0) goto error; + if (rlm_ldap_map_profile(&xlat_ctx->ret, inst, request, ttrunk, dn, scope, filter, &xlat_ctx->expanded) < 0) goto error; return XLAT_ACTION_PUSH_UNLANG; } diff --git a/src/tests/modules/ldap/xlat_profile.attrs b/src/tests/modules/ldap/xlat_profile.attrs index 07e2c1fcb6d..f3054470fc1 100644 --- a/src/tests/modules/ldap/xlat_profile.attrs +++ b/src/tests/modules/ldap/xlat_profile.attrs @@ -12,3 +12,4 @@ NAS-IP-Address = 1.2.3.5 Packet-Type == Access-Accept Framed-IP-Netmask == 255.255.0.0 Acct-Interim-Interval == 1800 +Reply-Message == "User-Suspended" diff --git a/src/tests/modules/ldap/xlat_profile.unlang b/src/tests/modules/ldap/xlat_profile.unlang index e6b199887a2..a79cadee341 100644 --- a/src/tests/modules/ldap/xlat_profile.unlang +++ b/src/tests/modules/ldap/xlat_profile.unlang @@ -10,4 +10,8 @@ if (!((&reply.Framed-IP-Netmask == 255.255.0.0) && \ test_fail } +if (!%(ldap.profile:cn=suspended,ou=profiles,dc=example,dc=com)) { + test_fail +} + test_pass