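/** Build and validate the LDAP attribute map from the instance's "update" section.
 *
 * The section is parsed into a value_pair_map_t list by radius_attrmap(), which
 * only performs generic checks; the rlm_ldap specific rules applied here are:
 *  - the destination must be a list (in which case only '+=' is allowed) or
 *    an attribute;
 *  - the source (the LDAP attribute name) must not be a list;
 *  - literal, xlat and attribute sources may only use the =, :=, += or -=
 *    operators.
 *
 * Mapping an LDAP attribute onto a "known good" password attribute
 * (Cleartext-Password, NT-Password, User-Password, Password-With-Header,
 * Crypt-Password) sets inst->expect_password, and logs a warning when the
 * destination list is not control:.  Every password mapping is checked, not
 * just the first one, so a second password attribute mapped to the wrong list
 * is still reported.
 *
 * @param inst rlm_ldap instance whose "update" section is read.
 * @param head Where the parsed map list is stored.
 * @return 0 on success, -1 on any validation failure (reason logged via cf_log_err).
 */
int rlm_ldap_map_verify(ldap_instance_t *inst, value_pair_map_t **head)
{
	value_pair_map_t *map;

	if (radius_attrmap(cf_section_sub_find(inst->cs, "update"), head,
			   PAIR_LIST_REPLY, PAIR_LIST_REQUEST, LDAP_MAX_ATTRMAP) < 0) {
		return -1;
	}

	/*
	 *	Attrmap only performs some basic validation checks, we need
	 *	to do rlm_ldap specific checks here.
	 */
	for (map = *head; map != NULL; map = map->next) {
		/*
		 *	Where the VALUE_PAIRs built from LDAP values may be written.
		 */
		switch (map->dst->type) {
		case VPT_TYPE_LIST:
			if (map->op != T_OP_ADD) {
				cf_log_err(map->ci, "Only '+=' operator is permitted for valuepair to list mapping");
				return -1;
			}
			/* FALL-THROUGH */
		case VPT_TYPE_ATTR:
			break;

		default:
			cf_log_err(map->ci, "valuepair destination must be an attribute or list");
			return -1;
		}

		/*
		 *	The source names the LDAP attribute to fetch; a list makes no sense.
		 */
		if (map->src->type == VPT_TYPE_LIST) {
			cf_log_err(map->ci, "LDAP attribute name cannot be derived from a list");
			return -1;
		}

		/*
		 *	Be smart about whether we warn the user about missing passwords.
		 *	If there are no password attributes in the mapping, then the user's
		 *	either authenticating with a different method or has misconfigured
		 *	the module; either way we remember whether to expect one.
		 *
		 *	Not gated on inst->expect_password: doing so would silence the
		 *	wrong-list warning for every password attribute after the first.
		 */
		if (map->dst->vpt_da && (map->dst->type == VPT_TYPE_ATTR)) {
			switch (map->dst->vpt_da->attr) {
			case PW_CLEARTEXT_PASSWORD:
			case PW_NT_PASSWORD:
			case PW_USER_PASSWORD:
			case PW_PASSWORD_WITH_HEADER:
			case PW_CRYPT_PASSWORD:
				/*
				 *	Because you just know someone is going to map NT-Password to the
				 *	request list, and then complain it's not working...
				 *
				 *	NOTE(review): a reference password belongs in control:; placing it
				 *	in request: or reply: is presumably a hazard (reply: attributes are
				 *	returned to the NAS) — confirm against the authentication modules.
				 */
				if (map->dst->vpt_list != PAIR_LIST_CONTROL) {
					LDAP_DBGW("Mapping LDAP (%s) attribute to \"known good\" password attribute "
						  "(%s) in %s list. This is probably *NOT* the correct list, "
						  "you should prepend \"control:\" to password attribute "
						  "(control:%s)", map->src->name, map->dst->vpt_da->name,
						  fr_int2str(pair_lists, map->dst->vpt_list, "<invalid>"),
						  map->dst->vpt_da->name);
				}
				inst->expect_password = true;
				break;

			default:
				break;
			}
		}

		/*
		 *	Only =, :=, += and -= operators are supported for LDAP mappings
		 *	with literal, xlat or attribute sources.
		 *
		 *	NOTE(review): any other (non-list) source type skips this operator
		 *	check entirely — confirm that is intended.
		 */
		switch (map->src->type) {
		case VPT_TYPE_LITERAL:
		case VPT_TYPE_XLAT:
		case VPT_TYPE_ATTR:
			switch (map->op) {
			case T_OP_SET:
			case T_OP_EQ:
			case T_OP_SUB:
			case T_OP_ADD:
				break;

			default:
				cf_log_err(map->ci, "Operator \"%s\" not allowed for %s values",
					   fr_int2str(fr_tokens, map->op, "<INVALID>"),
					   fr_int2str(vpt_types, map->src->type, "<INVALID>"));
				return -1;
			}
			break;

		default:
			break;
		}
	}

	return 0;
}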
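/** Validate a single LDAP attribute map entry.
 *
 * Called once per map entry; the rules enforced are:
 *  - the left hand side (where the VALUE_PAIR is written) must be a list or
 *    a known attribute — an undefined attribute name is an error;
 *  - the right hand side (the LDAP attribute name) must be an xlat, attribute,
 *    exec or literal — again an undefined attribute name is an error;
 *  - the operator must be one of =, :=, += or -=.
 *
 * Mapping onto a "known good" password attribute (Cleartext-Password,
 * NT-Password, User-Password, Password-With-Header, Crypt-Password) sets
 * inst->expect_password and warns when the destination list is not control:.
 * Every password mapping is checked, not just the first one, so a second
 * password attribute mapped to the wrong list is still reported.
 *
 * @param map      The entry to validate.
 * @param instance rlm_ldap instance (rlm_ldap_t) whose expect_password flag is updated.
 * @return 0 if the entry is acceptable, -1 otherwise (reason logged via cf_log_err).
 */
int rlm_ldap_map_verify(vp_map_t *map, void *instance)
{
	rlm_ldap_t *inst = instance;

	/*
	 *	Destinations where we can put the VALUE_PAIRs we
	 *	create using LDAP values.
	 */
	switch (map->lhs->type) {
	case TMPL_TYPE_LIST:
	case TMPL_TYPE_ATTR:
		break;

	case TMPL_TYPE_ATTR_UNDEFINED:
		cf_log_err(map->ci, "Unknown attribute %s", map->lhs->tmpl_unknown_name);
		return -1;

	default:
		cf_log_err(map->ci, "Left hand side of map must be an attribute or list, not a %s",
			   fr_int2str(tmpl_names, map->lhs->type, "<INVALID>"));
		return -1;
	}

	/*
	 *	Sources we can use to get the name of the attribute
	 *	we're retrieving from LDAP.
	 */
	switch (map->rhs->type) {
	case TMPL_TYPE_XLAT:
	case TMPL_TYPE_ATTR:
	case TMPL_TYPE_EXEC:
	case TMPL_TYPE_LITERAL:
		break;

	case TMPL_TYPE_ATTR_UNDEFINED:
		cf_log_err(map->ci, "Unknown attribute %s", map->rhs->tmpl_unknown_name);
		return -1;

	default:
		cf_log_err(map->ci, "Right hand side of map must be an xlat, attribute, exec, or literal, not a %s",
			   fr_int2str(tmpl_names, map->rhs->type, "<INVALID>"));
		return -1;
	}

	/*
	 *	Only =, :=, += and -= operators are supported for LDAP mappings.
	 */
	switch (map->op) {
	case T_OP_SET:
	case T_OP_EQ:
	case T_OP_SUB:
	case T_OP_ADD:
		break;

	default:
		cf_log_err(map->ci, "Operator \"%s\" not allowed for LDAP mappings",
			   fr_int2str(fr_tokens, map->op, "<INVALID>"));
		return -1;
	}

	/*
	 *	Be smart about whether we warn the user about missing passwords.
	 *	If there are no password attributes in the mapping, then the user's
	 *	either authenticating with a different method or has misconfigured
	 *	the module; either way we remember whether to expect one.
	 *
	 *	Not gated on inst->expect_password: doing so would silence the
	 *	wrong-list warning for every password attribute after the first.
	 */
	if ((map->lhs->type == TMPL_TYPE_ATTR) && map->lhs->tmpl_da) {
		switch (map->lhs->tmpl_da->attr) {
		case PW_CLEARTEXT_PASSWORD:
		case PW_NT_PASSWORD:
		case PW_USER_PASSWORD:
		case PW_PASSWORD_WITH_HEADER:
		case PW_CRYPT_PASSWORD:
			/*
			 *	Because you just know someone is going to map NT-Password to the
			 *	request list, and then complain it's not working...
			 *
			 *	NOTE(review): a reference password belongs in control:; placing it
			 *	in request: or reply: is presumably a hazard (reply: attributes are
			 *	returned to the NAS) — confirm against the authentication modules.
			 */
			if (map->lhs->tmpl_list != PAIR_LIST_CONTROL) {
				LDAP_DBGW("Mapping LDAP (%s) attribute to \"known good\" password attribute "
					  "(%s) in %s list. This is probably *NOT* the correct list, "
					  "you should prepend \"control:\" to password attribute "
					  "(control:%s)", map->rhs->name, map->lhs->tmpl_da->name,
					  fr_int2str(pair_lists, map->lhs->tmpl_list, "<invalid>"),
					  map->lhs->tmpl_da->name);
			}
			inst->expect_password = true;
			break;

		default:
			break;
		}
	}

	return 0;
}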