Add support for the Ldap-Group attribute in the ldap module

diff --git a/doc/rlm_ldap b/doc/rlm_ldap
index a8f32f9..6e6d734 100644 (file)
--- a/doc/rlm_ldap
+++ b/doc/rlm_ldap
@@ -162,7 +162,6 @@ which module will actually return the information (the xlat function will return
 the host,port information does not correspond to the configured attributes).
 
 USER PROFILE ATTRIBUTE:
-
 The module can use the User-Profile attribute. If it is set, it will assume that it contains
 the DN of a profile entry containing radius attributes. This entry will _replace_ the default
 profile directive. That way we can use different profiles based on checks on the radius attributes
@@ -171,6 +170,14 @@ contained in the Access-Request packets. For example (users file):
 DEFAULT        Service-Type == Outbound-User, User-Profile := "uid=outbound-dialup,dc=company,dc=com"
  
 
+GROUP SUPPORT:
+The module supports searching for ldap groups by use of the Ldap-Group attribute. As long as the module
+has been instanciated it can be used to do group membership checks through other modules. For example in
+the users file:
+
+DEFAULT        Ldap-Group == "disabled", Auth-Type := Reject
+       Reply-Message = "Sorry, you are not allowed to have dialup access"
+
 DIRECTORY COMPATIBILITY NOTE:
 If you use LDAP only for authorization and authentication (e.g. you can not
  afford schema extention), I propose to set all necessary attributes in 

diff --git a/raddb/dictionary b/raddb/dictionary
index dcc6c0f..420658f 100644 (file)
--- a/raddb/dictionary
+++ b/raddb/dictionary
@@ -191,6 +191,7 @@ ATTRIBUTE   Digest-CNonce           1070    string
 ATTRIBUTE      Digest-Nonce-Count      1071    string
 ATTRIBUTE      Digest-User-Name        1072    string
 ATTRIBUTE      Pool-Name               1073    string
+ATTRIBUTE      Ldap-Group              1074    string
 
 #
 #      Non-Protocol Attributes

diff --git a/share/dictionary b/share/dictionary
index dcc6c0f..420658f 100644 (file)
--- a/share/dictionary
+++ b/share/dictionary
@@ -191,6 +191,7 @@ ATTRIBUTE   Digest-CNonce           1070    string
 ATTRIBUTE      Digest-Nonce-Count      1071    string
 ATTRIBUTE      Digest-User-Name        1072    string
 ATTRIBUTE      Pool-Name               1073    string
+ATTRIBUTE      Ldap-Group              1074    string
 
 #
 #      Non-Protocol Attributes

diff --git a/src/include/radius.h b/src/include/radius.h
index dd887f1..45a1879 100644 (file)
--- a/src/include/radius.h
+++ b/src/include/radius.h
@@ -155,6 +155,7 @@
 #define PW_DIGEST_NONCE_COUNT          1071
 #define PW_DIGEST_USER_NAME            1072
 #define PW_POOL_NAME                   1073
+#define PW_LDAP_GROUP                  1074
 
 /*
  *     Integer Translations

diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index a1eee12..0c36e89 100644 (file)
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -54,6 +54,9 @@
  *     - Fixed a bug where the ldap server will kill the idle connections from the ldap
  *       connection pool. We now check if ldap_search returns LDAP_SERVER_DOWN and try to
  *       reconnect if it does. Bug noted by Dan Perik <dan_perik-work@ntm.org.pg>
+ * May 2002, Kostas Kalevras <kkalev@noc.ntua.gr>
+ *     - Instead of the Group attribute we now have the Ldap-Group attribute, to avoid
+ *       collisions with other modules
  */
 static const char rcsid[] = "$Id$";
 
@@ -246,10 +249,7 @@ ldap_instantiate(CONF_SECTION * conf, void **instance)
        inst->check_item_map = NULL;
        inst->conns = NULL;
 
-       paircompare_register(PW_GROUP, PW_USER_NAME, ldap_groupcmp, inst);
-#ifdef PW_GROUP_NAME /* compat */
-       paircompare_register(PW_GROUP_NAME, PW_USER_NAME, ldap_groupcmp, inst);
-#endif
+       paircompare_register(PW_LDAP_GROUP, PW_USER_NAME, ldap_groupcmp, inst);
        DEBUG("conns: %p",inst->conns);
 
        xlat_name = cf_section_name2(conf);
@@ -504,7 +504,7 @@ retry:
 
 
 /*
- * ldap_groupcmp(). Implement the Group == "group" filter
+ * ldap_groupcmp(). Implement the Ldap-Group == "group" filter
  */
 
 static int ldap_groupcmp(void *instance, REQUEST *req, VALUE_PAIR *request, VALUE_PAIR *check,
@@ -1321,10 +1321,7 @@ ldap_detach(void *instance)
                pair = nextpair;
        }
 
-       paircompare_unregister(PW_GROUP, ldap_groupcmp);
-#ifdef PW_GROUP_NAME
-       paircompare_unregister(PW_GROUP_NAME, ldap_groupcmp);
-#endif
+       paircompare_unregister(PW_LDAP_GROUP, ldap_groupcmp);
        xlat_unregister(inst->xlat_name,ldap_xlat);
        free(inst->xlat_name);