char *tls_randfile;
char *tls_require_cert;
#ifdef NOVELL
- int edir_account_policy_check;
+ int edir_account_policy_check;
#endif
+ int set_auth_type;
} ldap_instance;
/* The default setting for TLS Certificate Verification */
offsetof(ldap_instance,edir_account_policy_check), NULL, "yes"},
#endif
+ {"set_auth_type", PW_TYPE_BOOLEAN, offsetof(ldap_instance,set_auth_type), NULL, "yes"},
{NULL, -1, 0, NULL, NULL}
};
/*
* Allocate room for <instance>-Ldap-Group
*/
- group_name = malloc((strlen(xlat_name) + 1 + 11) * sizeof(char));
- rad_assert(group_name != NULL);
+ group_name = rad_malloc((strlen(xlat_name) + 1 + 11) * sizeof(char));
sprintf(group_name,"%s-Ldap-Group",xlat_name);
DEBUG("rlm_ldap: Creating new attribute %s",group_name);
dict_addattr(group_name, 0, PW_TYPE_STRING, -1, flags);
dattr = dict_attrbyname(group_name);
if (dattr == NULL){
radlog(L_ERR, "rlm_ldap: Failed to create attribute %s",group_name);
+ free(group_name);
free(inst); /* FIXME: detach */
return -1;
}
DEBUG("rlm_ldap: Registering ldap_groupcmp for %s",group_name);
paircompare_register(dattr->attr, PW_USER_NAME, ldap_groupcmp, inst);
+ free(group_name);
}
else {
xlat_name = cf_section_name1(conf);
DEBUG("rlm_ldap: Registering ldap_xlat with xlat_name %s",xlat_name);
xlat_register(xlat_name,ldap_xlat,inst);
+ /*
+ * Over-ride set_auth_type if there's no Auth-Type of our name.
+ * This automagically catches the case where LDAP is listed
+ * in "authorize", but not "authenticate".
+ */
+ if (inst->set_auth_type) {
+ DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);
+ if (!dv) {
+ DEBUG2("rlm_ldap: Over-riding set_auth_type, as we're not listed in the \"authenticate\" section.");
+ inst->set_auth_type = 0;
+ }
+ } /* else no need to look up the value */
+
#ifdef NOVELL
/*
* (LDAP_Instance, V1) attribute-value pair in the config
/*
* Module should default to LDAP authentication if no Auth-Type
- * specified
+ * specified. Note that we do this ONLY if configured, AND we
+ * set the Auth-Type to our module name, which allows multiple
+ * ldap instances to work.
*/
- if ((pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) &&
+ if (inst->set_auth_type &&
+ (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) &&
request->password &&
(request->password->attribute == PW_USER_PASSWORD))
- pairadd(check_pairs, pairmake("Auth-Type", "LDAP", T_OP_EQ));
-
+ pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ));
DEBUG("rlm_ldap: user %s authorized to use remote access",
request->username->vp_strvalue);