char *tls_randfile;
char *tls_require_cert;
#ifdef NOVELL
- int edir_account_policy_check;
+ int edir_account_policy_check;
#endif
+ int set_auth_type;
} ldap_instance;
/* The default setting for TLS Certificate Verification */
offsetof(ldap_instance,edir_account_policy_check), NULL, "yes"},
#endif
+ {"set_auth_type", PW_TYPE_BOOLEAN, offsetof(ldap_instance,set_auth_type), NULL, "yes"},
{NULL, -1, 0, NULL, NULL}
};
DEBUG("rlm_ldap: Registering ldap_xlat with xlat_name %s",xlat_name);
xlat_register(xlat_name,ldap_xlat,inst);
+ /*
+ * Over-ride set_auth_type if there's no Auth-Type of our name.
+ * This automagically catches the case where LDAP is listed
+ * in "authorize", but not "authenticate".
+ */
+ if (inst->set_auth_type) {
+ DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);
+ if (!dv) {
+ DEBUG2("rlm_ldap: Over-riding set_auth_type, as we're not listed in the \"authenticate\" section.");
+ inst->set_auth_type = 0;
+ }
+ } /* else no need to look up the value */
+
#ifdef NOVELL
/*
* (LDAP_Instance, V1) attribute-value pair in the config
/*
* Module should default to LDAP authentication if no Auth-Type
- * specified
+ * specified. Note that we do this ONLY if configured, AND we
+ * set the Auth-Type to our module name, which allows multiple
+ * ldap instances to work.
*/
- if ((pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) &&
+ if (inst->set_auth_type &&
+ (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) &&
request->password &&
(request->password->attribute == PW_USER_PASSWORD))
- pairadd(check_pairs, pairmake("Auth-Type", "LDAP", T_OP_EQ));
-
+ pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ));
DEBUG("rlm_ldap: user %s authorized to use remote access",
request->username->vp_strvalue);