From 81e0a8b272c01a8df60f1a295e103c22f734fc47 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Mon, 28 Apr 2025 15:51:35 -0400
Subject: [PATCH] resolve tmpls before returning them to LDAP

---
 src/lib/ldap/map.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/lib/ldap/map.c b/src/lib/ldap/map.c
index 956b436c0f..2d94ed0d5c 100644
--- a/src/lib/ldap/map.c
+++ b/src/lib/ldap/map.c
@@ -224,13 +224,20 @@ int fr_ldap_map_verify(map_t *map, UNUSED void *instance)
 	case TMPL_TYPE_XLAT_UNRESOLVED:
 	case TMPL_TYPE_ATTR:
 	case TMPL_TYPE_EXEC:
-	case TMPL_TYPE_DATA_UNRESOLVED:
+	case TMPL_TYPE_DATA:
 		break;
 
 	case TMPL_TYPE_ATTR_UNRESOLVED:
 		cf_log_err(map->ci, "Unknown attribute %s", tmpl_attr_tail_unresolved(map->rhs));
 		return -1;
 
+	case TMPL_TYPE_DATA_UNRESOLVED:
+		if (tmpl_resolve(map->rhs, NULL) < 0) {
+			cf_log_err(map->ci, "Invalid data %s", map->rhs->name);
+			return -1;
+		}
+		break;
+
 	default:
 		cf_log_err(map->ci, "Right hand side of map must be an xlat, attribute, exec, or literal, not a %s",
 			   tmpl_type_to_str(map->rhs->type));
-- 
2.47.2