#
access_group = "cn=RemoteUsers,o=My Org,c=UA"
+# access_attr_used_for_allow: Define if the access attribute (described below) will be
+# used to allow access (meaning if it exists then user remote access will be allowed)
+# or to deny access.
+# default: yes - used to allow access
+
# access_attr: if attribute is specified, module checks for its existance
-# in user object. If it exists the user is allowed to get remote access.
-# If it exists and is set to FALSE the user is denied remote access.
+# in user object.
+# If access_attr_used_for_allow is set to yes:
+# If it exists the user is allowed to get remote access.
+# If it exists and is set to FALSE the user is denied remote access.
+# If it does not exist user is denied remote access by default
+# if access_attr_used_for_allow is set to no:
+# If it exists the user is denied remote access.
+# If it does not exist user is allowed remote access.
# default: NULL - don't check for the attribute
access_attr = "dialupAccess"
* June 2002, Kostas Kalevras <kkalev@noc.ntua.gr>
* - Add the ability to do a paircmp on the check items. Add a compare_check_items boolean
* configuration directive which defaults to no. If it is set then we will do a compare
+ * - Add another configuration directive. access_attr_used_for_allow. If it is set to yes
+ * then the access_attr will be used to allow user access. If it is set to no then it will
+ * be used to deny user access.
*/
static const char rcsid[] = "$Id$";
int cache_timeout;
int cache_size;
int do_comp;
+ int default_allow;
char *login;
char *password;
char *filter;
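Review bot: The new field `default_allow` reads as the opposite of what it controls: the directive bound to it in the config table, `access_attr_used_for_allow` (default "yes"), means that a missing attribute results in a deny, so "default allow" is true exactly when the default outcome is deny. Either rename the field to match the directive, `int access_attr_used_for_allow;`, or document the polarity at the declaration, e.g. `int default_allow; /* access_attr_used_for_allow: yes = attr grants access (absent -> deny); no = attr denies access (absent -> allow) */`. A misleadingly named access-control switch is an easy way for a later edit to get the polarity wrong.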
{"ldap_debug", PW_TYPE_INTEGER, offsetof(ldap_instance,ldap_debug), NULL, "0x0000"},
{"ldap_connections_number", PW_TYPE_INTEGER, offsetof(ldap_instance,num_conns), NULL, "5"},
{"compare_check_items", PW_TYPE_BOOLEAN, offsetof(ldap_instance,do_comp), NULL, "no"},
+ {"access_attr_used_for_allow", PW_TYPE_BOOLEAN, offsetof(ldap_instance,default_allow), NULL, "yes"},
{NULL, -1, 0, NULL, NULL}
};
/* Remote access is controled by attribute of the user object */
if (inst->access_attr) {
if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) != NULL) {
- DEBUG("rlm_ldap: checking if remote access for %s is allowed by %s", request->username->strvalue, inst->access_attr);
- if (!strncmp(vals[0], "FALSE", 5)) {
- DEBUG("rlm_ldap: dialup access disabled");
+ if (inst->default_allow){
+ DEBUG("rlm_ldap: checking if remote access for %s is allowed by %s", request->username->strvalue, inst->access_attr);
+ if (!strncmp(vals[0], "FALSE", 5)) {
+ DEBUG("rlm_ldap: dialup access disabled");
+ snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Access Attribute denies access");
+ module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
+ pairadd(&request->packet->vps, module_fmsg_vp);
+ ldap_msgfree(result);
+ ldap_value_free(vals);
+ ldap_release_conn(conn_id,inst->conns);
+ return RLM_MODULE_USERLOCK;
+ }
+ ldap_value_free(vals);
+ }
+ else{
+ DEBUG("rlm_ldap: %s attribute exists - access denied by default", inst->access_attr);
snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Access Attribute denies access");
module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
pairadd(&request->packet->vps, module_fmsg_vp);
ldap_release_conn(conn_id,inst->conns);
return RLM_MODULE_USERLOCK;
}
- ldap_value_free(vals);
} else {
- DEBUG("rlm_ldap: no %s attribute - access denied by default", inst->access_attr);
- snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Access Attribute denies access");
- module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
- pairadd(&request->packet->vps, module_fmsg_vp);
- ldap_msgfree(result);
- ldap_release_conn(conn_id,inst->conns);
- return RLM_MODULE_USERLOCK;
+ if (inst->default_allow){
+ DEBUG("rlm_ldap: no %s attribute - access denied by default", inst->access_attr);
+ snprintf(module_fmsg,sizeof(module_fmsg),"rlm_ldap: Access Attribute denies access");
+ module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
+ pairadd(&request->packet->vps, module_fmsg_vp);
+ ldap_msgfree(result);
+ ldap_release_conn(conn_id,inst->conns);
+ return RLM_MODULE_USERLOCK;
+ }
}
}
if (inst->cache_timeout >0)
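Review bot: The new `else{` branch taken when the attribute is present and access_attr_used_for_allow is "no" (the one logging "attribute exists - access denied by default") returns RLM_MODULE_USERLOCK without releasing `vals` or `result`, whereas the parallel deny path directly above it calls `ldap_msgfree(result);` and `ldap_value_free(vals);` before `ldap_release_conn`, and the no-attribute deny path below also frees `result`. As written, every request denied through that branch leaks the LDAP result message and the value array. Add `ldap_msgfree(result);` and `ldap_value_free(vals);` immediately before `ldap_release_conn(conn_id,inst->conns);` in that branch. The enclosing function begins before this hunk and continues after it.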