Port patch from branch_1_1 to the HEAD
authoraland <aland>
Wed, 28 Dec 2005 22:50:16 +0000 (22:50 +0000)
committeraland <aland>
Wed, 28 Dec 2005 22:50:16 +0000 (22:50 +0000)
raddb/radiusd.conf.in
share/dictionary.freeradius.internal
src/modules/rlm_ldap/rlm_ldap.c

index 9cda00d..8c588c6 100644 (file)
@@ -782,6 +782,18 @@ $INCLUDE ${confdir}/eap.conf
                # compare_check_items = yes
                # do_xlat = yes
                # access_attr_used_for_allow = yes
+
+               #
+               #  By default, if the packet contains a User-Password,
+               #  and no other module is configured to handle the
+               #  authentication, the LDAP module sets itself to do
+               #  LDAP bind for authentication.
+               #
+               #  You can disable this behavior by setting the following
+               #  configuration entry to "no".
+               #
+               #  allowed values: {no, yes}
+               # set_auth_type = yes
        }
 
        # passwd module allows to do authorization via any passwd-like
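Review bot: The second clause of the new comment is imprecise: the code path it documents (ldap_authorize in rlm_ldap.c) keys off whether an Auth-Type check item has already been set on the request, not on whether another module is "configured", so `#  and no Auth-Type has already been set (by the users file or a preceding module),` would describe it accurately. It would also help to state here that the built-in default is `yes` (that is what the module's config parser falls back to when the entry is absent) and that the module forces the setting off when no Auth-Type value matching its instance name exists, i.e. when the instance is not listed under "authenticate", so an explicit `yes` alone does not guarantee that LDAP bind authentication happens. A one-line pointer such as `#  This has no effect unless this instance is also listed in the "authenticate" section.` would save an operator from debugging a silently ignored setting.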
index 30b3134..a211943 100644 (file)
@@ -277,7 +277,8 @@ VALUE       Auth-Type                       Accept                  254
 
 VALUE  Auth-Type                       PAP                     1024
 VALUE  Auth-Type                       CHAP                    1025
-VALUE  Auth-Type                       LDAP                    1026
+# 1026 was LDAP, but we deleted it.  Adding it back will break the
+# ldap module.
 VALUE  Auth-Type                       PAM                     1027
 VALUE  Auth-Type                       MS-CHAP                 1028
 VALUE  Auth-Type                       Kerberos                1029
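Review bot: The replacement comment says that adding the LDAP value back will break the module but not why, which is what the next maintainer will need before deciding to re-add it. The rlm_ldap.c change in this commit makes the module resolve and set Auth-Type by its instance name (dict_valbyname on the xlat name, pairmake with inst->xlat_name), so a fixed dictionary value named LDAP presumably collides with the value registered for an instance named `ldap`; if that is the reason, say so: `# 1026 was LDAP.  The ldap module now sets Auth-Type to its own instance name, so a fixed value here would conflict with it; do not add it back.` It may also be worth noting whether existing users-file entries that set `Auth-Type := LDAP` still resolve after this removal, since that is the migration question sites will ask.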
index 0fbdd61..eda5414 100644 (file)
@@ -168,8 +168,9 @@ typedef struct {
        char            *tls_randfile;
        char            *tls_require_cert;
 #ifdef NOVELL
-       int                     edir_account_policy_check;
+       int              edir_account_policy_check;
 #endif
+       int              set_auth_type;
 }  ldap_instance;
 
 /* The default setting for TLS Certificate Verification */
@@ -307,6 +308,7 @@ static const CONF_PARSER module_config[] = {
         offsetof(ldap_instance,edir_account_policy_check), NULL, "yes"},
 #endif
 
+       {"set_auth_type", PW_TYPE_BOOLEAN, offsetof(ldap_instance,set_auth_type), NULL, "yes"},
        {NULL, -1, 0, NULL, NULL}
 };
 
@@ -449,6 +451,19 @@ ldap_instantiate(CONF_SECTION * conf, void **instance)
        DEBUG("rlm_ldap: Registering ldap_xlat with xlat_name %s",xlat_name);
        xlat_register(xlat_name,ldap_xlat,inst);
 
+       /*
+        *      Over-ride set_auth_type if there's no Auth-Type of our name.
+        *      This automagically catches the case where LDAP is listed
+        *      in "authorize", but not "authenticate".
+        */
+       if (inst->set_auth_type) {
+               DICT_VALUE *dv = dict_valbyname(PW_AUTH_TYPE, xlat_name);
+               if (!dv) {
+                       DEBUG2("rlm_ldap: Over-riding set_auth_type, as we're not listed in the \"authenticate\" section.");
+                       inst->set_auth_type = 0;
+               }
+       } /* else no need to look up the value */
+
 #ifdef NOVELL
        /*
         *      (LDAP_Instance, V1) attribute-value pair in the config
@@ -1650,13 +1665,15 @@ static int ldap_authorize(void *instance, REQUEST * request)
 
        /*
         * Module should default to LDAP authentication if no Auth-Type
-        * specified
+        * specified.  Note that we do this ONLY if configured, AND we
+        * set the Auth-Type to our module name, which allows multiple
+        * ldap instances to work.
         */
-       if ((pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) &&
+       if (inst->set_auth_type &&
+           (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) &&
            request->password &&
            (request->password->attribute == PW_USER_PASSWORD))
-               pairadd(check_pairs, pairmake("Auth-Type", "LDAP", T_OP_EQ));
-
+               pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ));
 
        DEBUG("rlm_ldap: user %s authorized to use remote access",
              request->username->vp_strvalue);
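Review bot: The new pairadd call passes the result of pairmake straight through without checking it; pairmake can return NULL (on allocation failure, or if the instance name does not parse as an Auth-Type value at request time), and whether pairadd tolerates a NULL argument is not visible here. Making the failure explicit is short: `VALUE_PAIR *vp = pairmake("Auth-Type", inst->xlat_name, T_OP_EQ);` then `if (vp) pairadd(check_pairs, vp); else DEBUG2("rlm_ldap: failed to set Auth-Type");` — the existing multi-condition if would need braces for that body. Since this is the point where a request is steered into LDAP bind authentication, a silent failure here would leave the request without an Auth-Type and its fate to whatever else is configured, which is worth a log line. ldap_authorize starts before this hunk.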