http://bugzilla.novell.com/show_bug.cgi?id=508093
User nice@titanic.nyme.hu added comment
http://bugzilla.novell.com/show_bug.cgi?id=508093#c9
Tamás Németh changed:
         What|Removed                     |Added
----------------------------------------------------------------------------
       Status|NEEDINFO                    |NEW
Info Provider|nice@titanic.nyme.hu        |
--- Comment #9 from Tamás Németh 2009-08-04 05:05:44 MDT ---
Dear Petr!
Finally, I was able to commit the comparison of three different versions of
freeradius-server: 2.1.1-6.21 (the one from
http://download.opensuse.org/repositories/network:/aaa/openSUSE_10.3),
2.1.1-7.3 (your patched version) and 2.1.6-1.0 (my compilation).
At first, I must emphasize that the problem found by me is not exactly the
same as in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526175 . I wanted
to evaluate a compound condition consisting of only two conditions:
    if ( "%{control:Tmp-String-0}" ==
    "%{ldap:ldap:///ou=People,ou=sopron,o=nyme,dc=hu?cn?sub?(&(cn=%{control:Tmp-String-0})(radiusCallingStationId=*))}"
    && "%{control:Tmp-String-0}" !=
    "%{ldap:ldap:///ou=People,ou=sopron,o=nyme,dc=hu?cn?sub?(&(cn=%{control:Tmp-String-0})(radiusCallingStationId=%{request:Calling-Station-Id}))}"
    ) {
        update control {
            Auth-Type := Reject
        }
    }
It means that if freeradius finds the user in the LDAP database and the user's
LDAP entry has radiusCallingStationId attribute(s) _BUT_ none of his/her
radiusCallingStationId values equals the MAC address of the calling machine,
then the authentication request must be rejected unconditionally. It means that
if there is an LDAP entry describing the user but without any
radiusCallingStationId entry then the authentication request must not be
rejected at this point. However if this is the case, then 2.1.1-6.21 correctly
evaluates the first condition as FALSE, but then it evaluates the whole
expression as TRUE which is a bad interpretation since it's an AND operator.
In this case your version unfortunately behaves as badly as 2.1.1-6.21, however,
2.1.6 is able to evaluate the expression. Some more patches might be
necessary :(
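Added example, not part of the original comment and not FreeRADIUS code: a Python model of the decision the compound condition in the comment is meant to make, giving the expected outcome per case so that a build's results can be compared against it. The directory contents, the function names and the assumption that an LDAP expansion with no matching entry yields an empty string are illustrative.

```python
# Constructed sample directory: cn -> radiusCallingStationId values.
DIRECTORY = {
    "alice": ["00-11-22-33-44-55"],                       # bound to one MAC
    "bob": [],                                            # entry, no binding
    "carol": ["00-aa-bb-cc-dd-ee", "00-aa-bb-cc-dd-ff"],  # two bindings
}

def ldap_xlat(cn, station):
    """Model of the expansion with filter
    (&(cn=<cn>)(radiusCallingStationId=<station>)): returns cn when an
    entry matches, "" otherwise (assumption). "*" is a presence test."""
    values = DIRECTORY.get(cn)
    if values is None:
        return ""
    matched = bool(values) if station == "*" else station in values
    return cn if matched else ""

def must_reject(user, calling_station_id):
    """Both sub-conditions joined with AND, as in the condition above."""
    has_binding = user == ldap_xlat(user, "*")
    mac_mismatch = user != ldap_xlat(user, calling_station_id)
    return has_binding and mac_mismatch

# Constructed test cases: (user, Calling-Station-Id).
CASES = [
    ("alice", "00-11-22-33-44-55"),  # bound, MAC matches
    ("alice", "de-ad-be-ef-00-01"),  # bound, MAC differs
    ("bob", "de-ad-be-ef-00-01"),    # no binding: the case from the report
    ("carol", "00-aa-bb-cc-dd-ff"),  # second of two bindings matches
    ("dave", "de-ad-be-ef-00-01"),   # no LDAP entry at all
]

def expected_outcomes():
    return {c: "reject" if must_reject(*c) else "continue" for c in CASES}

def mismatches(observed):
    """(case, expected, observed) for outcomes that differ from the model."""
    exp = expected_outcomes()
    return [(c, exp[c], got) for c, got in observed.items() if exp[c] != got]

if __name__ == "__main__":
    # Constructed observations modelling the behaviour the comment reports
    # for 2.1.1-6.21: the no-binding user is rejected.
    observed = dict(expected_outcomes())
    observed[("bob", "de-ad-be-ef-00-01")] = "reject"
    for case, want, got in mismatches(observed):
        print(case, "expected", want, "observed", got)
```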