remove '&' from ldap

alandekok · alandekok · commit c64c6326981b · 2025-03-06T11:39:09.000-05:00
diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/ldap.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/ldap.adoc
@@ -1,3 +1,7 @@
+
+
+
+
 = LDAP (Lightweight Directory Access Protocol) Module
 
 The `ldap` module allows LDAP directory entries to be retrieved, modified,
@@ -196,8 +200,8 @@ e.g:
 [source, unlang]
 ----
 ldap
-if ((ok || updated) && &User-Password) {
-	&control.Auth-Type := ::ldap
+if ((ok || updated) && User-Password) {
+	control.Auth-Type := ::ldap
 }
 ----
 ====
@@ -462,8 +466,8 @@ specified by 'default' or in the user or group objects.
 
 default:: The default profile. This may be a DN or an attribute reference.
 
-NOTE: To get old v2.2.x style behaviour, or to use the `&User-Profile` attribute
-to specify the default profile, set this to `&control.User-Profile`.
+NOTE: To get old v2.2.x style behaviour, or to use the `User-Profile` attribute
+to specify the default profile, set this to `control.User-Profile`.
 
 
 
@@ -500,6 +504,22 @@ or the attributes do not have an ORDERING rule, the search will fail.
 
 
 
+check_attribute:: The LDAP attribute containing conditions which
+will be evaluated to determine whether a profile should be applied.
+
+
+
+fallthrough_attribute:: The LDAP attribute containing a condition
+which will be evaluated to determine whether more profiles should
+be applied after this one.
+
+
+
+fallthrough_def:: If the attribute referenced in fallthrough_attribute
+is not in the reply, what should be the default behaviour
+
+
+
 ### Modify user object on receiving Accounting-Request
 
 Useful for recording things like the last time the user logged
@@ -792,8 +812,8 @@ in LDAP URIs and DNs, and will not be escaped or modified.
 
 [source,unlang]
 ----
-&my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
-&reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string}}"
+my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
+reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string}}"
 ----
 
 .Output
@@ -814,7 +834,7 @@ usually prohibited.
 
 [source,unlang]
 ----
-&my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
+my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
 ----
 
 ### %ldap.uri.unescape(...)
@@ -827,8 +847,8 @@ Unescape a string for use in an LDAP filter or DN.
 
 [source,unlang]
 ----
-&my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"
-&reply.Reply-Message := "The LDAP url is %ldap.uri.unescape(%{my-string})"
+my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"
+reply.Reply-Message := "The LDAP url is %ldap.uri.unescape(%{my-string})"
 ----
 
 .Output
@@ -877,29 +897,29 @@ ldap {
 	}
 #	valuepair_attribute = 'radiusAttribute'
 	update {
-		&control.Password.With-Header	+= 'userPassword'
-#		&control.Password.NT		:= 'ntPassword'
-#		&reply.Reply-Message		:= 'radiusReplyMessage'
-#		&reply.Tunnel-Type		:= 'radiusTunnelType'
-#		&reply.Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
-#		&reply.Tunnel-Private-Group-ID	:= 'radiusTunnelPrivategroupId'
-		&control			+= 'radiusControlAttribute'
-		&request			+= 'radiusRequestAttribute'
-		&reply				+= 'radiusReplyAttribute'
+		control.Password.With-Header	+= 'userPassword'
+#		control.Password.NT		:= 'ntPassword'
+#		reply.Reply-Message		:= 'radiusReplyMessage'
+#		reply.Tunnel-Type		:= 'radiusTunnelType'
+#		reply.Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
+#		reply.Tunnel-Private-Group-ID	:= 'radiusTunnelPrivategroupId'
+		control			+= 'radiusControlAttribute'
+		request			+= 'radiusRequestAttribute'
+		reply				+= 'radiusReplyAttribute'
 	}
 #	edir = no
 #	edir_autz = no
 	user {
 		base_dn = "${..base_dn}"
-		filter = "(uid=%{&Stripped-User-Name || &User-Name})"
-#		filter = "(&(objectClass=user)(sAMAccountName=%{&Stripped-User-Name || &User-Name})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
+		filter = "(uid=%{&Stripped-User-Name || User-Name})"
+#		filter = "(&(objectClass=user)(sAMAccountName=%{Stripped-User-Name || User-Name})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
 		sasl {
 #			mech = 'PLAIN'
-#			authname = &User-Name
-#			proxy = &User-Name
+#			authname = User-Name
+#			proxy = User-Name
 #			realm = 'example.org'
 		}
-#		password_attribute = &User-Password
+#		password_attribute = User-Password
 #		scope = 'sub'
 #		sort_by = '-uid'
 #		access_attribute = 'dialupAccess'
@@ -913,7 +933,7 @@ ldap {
 		filter = '(objectClass=posixGroup)'
 #		scope = 'sub'
 #		name_attribute = cn
-#		membership_filter = "(|(member=%{control.Ldap-UserDn})(memberUid=%{&Stripped-User-Name || &User-Name}))"
+#		membership_filter = "(|(member=%{control.Ldap-UserDn})(memberUid=%{Stripped-User-Name || User-Name}))"
 		membership_attribute = 'memberOf'
 #		cacheable_name = 'no'
 #		cacheable_dn = 'no'
@@ -929,6 +949,9 @@ ldap {
 #		attribute = 'radiusProfileDn'
 #		attribute_suspend = 'radiusProfileDn'
 #		sort_by = 'radiusProfilePriority'
+#		check_attribute = 'radiusProfileCondition'
+#		fallthrough_attribute = 'radiusProfileFallthrough'
+#		fallthrough_default = yes
 	}
 	accounting {
 		start {
diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap
@@ -191,19 +191,19 @@ ldap {
 	#  update { ... }::
 	#
 	update {
-		&control.Password.With-Header	+= 'userPassword'
-#		&control.Password.NT		:= 'ntPassword'
-#		&reply.Reply-Message		:= 'radiusReplyMessage'
-#		&reply.Tunnel-Type		:= 'radiusTunnelType'
-#		&reply.Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
-#		&reply.Tunnel-Private-Group-ID	:= 'radiusTunnelPrivategroupId'
+		control.Password.With-Header	+= 'userPassword'
+#		control.Password.NT		:= 'ntPassword'
+#		reply.Reply-Message		:= 'radiusReplyMessage'
+#		reply.Tunnel-Type		:= 'radiusTunnelType'
+#		reply.Tunnel-Medium-Type	:= 'radiusTunnelMediumType'
+#		reply.Tunnel-Private-Group-ID	:= 'radiusTunnelPrivategroupId'
 
 		#  NOTE: Where only a list is specified as the RADIUS attribute,
 		#  the value of the LDAP attribute is parsed as a valuepair
 		#  in the same format as the 'valuepair_attribute' (above).
-		&control			+= 'radiusControlAttribute'
-		&request			+= 'radiusRequestAttribute'
-		&reply				+= 'radiusReplyAttribute'
+		control			+= 'radiusControlAttribute'
+		request			+= 'radiusRequestAttribute'
+		reply				+= 'radiusReplyAttribute'
 	}
 
 	#
@@ -230,8 +230,8 @@ ldap {
 	#  [source, unlang]
 	#  ----
 	#  ldap
-	#  if ((ok || updated) && &User-Password) {
-	#  	&control.Auth-Type := ::ldap
+	#  if ((ok || updated) && User-Password) {
+	#  	control.Auth-Type := ::ldap
 	#  }
 	#  ----
 	#  ====
@@ -250,7 +250,7 @@ ldap {
 		#  filter:: Filter for user objects, should be specific enough
 		#  to identify a single user object.
 		#
-		filter = "(uid=%{&Stripped-User-Name || &User-Name})"
+		filter = "(uid=%{&Stripped-User-Name || User-Name})"
 
 		#  For Active Directory nested group, you should comment out the previous 'filter = ...'
 		#  and use the below. Where 'group' is the group you are querying for.
@@ -263,7 +263,7 @@ ldap {
 		#
 		#  See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
 		#
-#		filter = "(&(objectClass=user)(sAMAccountName=%{&Stripped-User-Name || &User-Name})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
+#		filter = "(&(objectClass=user)(sAMAccountName=%{Stripped-User-Name || User-Name})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"
 
 		#
 		#  sasl { ... }:: SASL parameters to use for user binds
@@ -285,12 +285,12 @@ ldap {
 			#  authname:: SASL authentication name.  Mechanism specific value
 			#  to use when prompted for the client authentication name.
 			#
-#			authname = &User-Name
+#			authname = User-Name
 
 			#
 			#  proxy:: SASL authorisation identity to proxy.
 			#
-#			proxy = &User-Name
+#			proxy = User-Name
 
 			#
 			#  realm:: SASL realm. Used for kerberos.
@@ -309,7 +309,7 @@ ldap {
 		#  Service, CN=Windows NT, CN=Services, CN=Configuration` object.  Modify the
 		#  `msDS-Other-Settings` attribute, and add a new entry for `DenyUnauthenticatedBind=1`.
 		#
-#		password_attribute = &User-Password
+#		password_attribute = User-Password
 
 		#
 		#  scope:: Search scope, may be `base`, `one`, `sub' or `children`.
@@ -426,7 +426,7 @@ ldap {
 		#  That is, group objects with attributes that identify
 		#  members (the inverse of `membership_attribute`).
 		#
-#		membership_filter = "(|(member=%{control.Ldap-UserDn})(memberUid=%{&Stripped-User-Name || &User-Name}))"
+#		membership_filter = "(|(member=%{control.Ldap-UserDn})(memberUid=%{Stripped-User-Name || User-Name}))"
 
 		#
 		#  membership_attribute:: The attribute, in user objects, which contain
@@ -532,8 +532,8 @@ ldap {
 		#
 		#  default:: The default profile. This may be a DN or an attribute reference.
 		#
-		#  NOTE: To get old v2.2.x style behaviour, or to use the `&User-Profile` attribute
-		#  to specify the default profile, set this to `&control.User-Profile`.
+		#  NOTE: To get old v2.2.x style behaviour, or to use the `User-Profile` attribute
+		#  to specify the default profile, set this to `control.User-Profile`.
 		#
 #		default = 'cn=radprofile,dc=example,dc=org'
 
@@ -957,8 +957,8 @@ ldap {
 #
 #  [source,unlang]
 #  ----
-#  &my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
-#  &reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string}}"
+#  my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
+#  reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string}}"
 #  ----
 #
 #  .Output
@@ -979,7 +979,7 @@ ldap {
 #
 #  [source,unlang]
 #  ----
-#  &my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
+#  my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"
 #  ----
 #
 #  ### %ldap.uri.unescape(...)
@@ -992,8 +992,8 @@ ldap {
 #
 #  [source,unlang]
 #  ----
-#  &my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"
-#  &reply.Reply-Message := "The LDAP url is %ldap.uri.unescape(%{my-string})"
+#  my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"
+#  reply.Reply-Message := "The LDAP url is %ldap.uri.unescape(%{my-string})"
 #  ----
 #
 #  .Output
diff --git a/src/tests/modules/ldap/xlat_profile.unlang b/src/tests/modules/ldap/xlat_profile.unlang
@@ -85,7 +85,7 @@ reply := {}
 
 # Re-run the above with a different user name - the profile with "Guten Tag"
 # as the reply message has a condition of User-Name == bob
-&User-Name := 'john'
+User-Name := 'john'
 if (!%ldap.profile('cn=nested,ou=profiles,dc=example,dc=com')) {
 	test_fail
 }

Original file line number	Diff line number	Diff line change
`@@ -191,19 +191,19 @@ ldap {`
`191`	`191`	`# update { ... }::`
`192`	`192`	`#`
`193`	`193`	`update {`
`194`		`- &control.Password.With-Header += 'userPassword'`
`195`		`-# &control.Password.NT := 'ntPassword'`
`196`		`-# &reply.Reply-Message := 'radiusReplyMessage'`
`197`		`-# &reply.Tunnel-Type := 'radiusTunnelType'`
`198`		`-# &reply.Tunnel-Medium-Type := 'radiusTunnelMediumType'`
`199`		`-# &reply.Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'`
	`194`	`+ control.Password.With-Header += 'userPassword'`
	`195`	`+# control.Password.NT := 'ntPassword'`
	`196`	`+# reply.Reply-Message := 'radiusReplyMessage'`
	`197`	`+# reply.Tunnel-Type := 'radiusTunnelType'`
	`198`	`+# reply.Tunnel-Medium-Type := 'radiusTunnelMediumType'`
	`199`	`+# reply.Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'`
`200`	`200`
`201`	`201`	`# NOTE: Where only a list is specified as the RADIUS attribute,`
`202`	`202`	`# the value of the LDAP attribute is parsed as a valuepair`
`203`	`203`	`# in the same format as the 'valuepair_attribute' (above).`
`204`		`- &control += 'radiusControlAttribute'`
`205`		`- &request += 'radiusRequestAttribute'`
`206`		`- &reply += 'radiusReplyAttribute'`
	`204`	`+ control += 'radiusControlAttribute'`
	`205`	`+ request += 'radiusRequestAttribute'`
	`206`	`+ reply += 'radiusReplyAttribute'`
`207`	`207`	`}`
`208`	`208`
`209`	`209`	`#`
`@@ -230,8 +230,8 @@ ldap {`
`230`	`230`	`# [source, unlang]`
`231`	`231`	`# ----`
`232`	`232`	`# ldap`
`233`		`- # if ((ok \|\| updated) && &User-Password) {`
`234`		`- # &control.Auth-Type := ::ldap`
	`233`	`+ # if ((ok \|\| updated) && User-Password) {`
	`234`	`+ # control.Auth-Type := ::ldap`
`235`	`235`	`# }`
`236`	`236`	`# ----`
`237`	`237`	`# ====`
`@@ -250,7 +250,7 @@ ldap {`
`250`	`250`	`# filter:: Filter for user objects, should be specific enough`
`251`	`251`	`# to identify a single user object.`
`252`	`252`	`#`
`253`		`- filter = "(uid=%{&Stripped-User-Name \|\| &User-Name})"`
	`253`	`+ filter = "(uid=%{&Stripped-User-Name \|\| User-Name})"`
`254`	`254`
`255`	`255`	`# For Active Directory nested group, you should comment out the previous 'filter = ...'`
`256`	`256`	`# and use the below. Where 'group' is the group you are querying for.`
`@@ -263,7 +263,7 @@ ldap {`
`263`	`263`	`#`
`264`	`264`	`# See: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx`
`265`	`265`	`#`
`266`		`-# filter = "(&(objectClass=user)(sAMAccountName=%{&Stripped-User-Name \|\| &User-Name})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"`
	`266`	`+# filter = "(&(objectClass=user)(sAMAccountName=%{Stripped-User-Name \|\| User-Name})(memberOf:1.2.840.113556.1.4.1941:=cn=group,${..base_dn}))"`
`267`	`267`
`268`	`268`	`#`
`269`	`269`	`# sasl { ... }:: SASL parameters to use for user binds`
`@@ -285,12 +285,12 @@ ldap {`
`285`	`285`	`# authname:: SASL authentication name. Mechanism specific value`
`286`	`286`	`# to use when prompted for the client authentication name.`
`287`	`287`	`#`
`288`		`-# authname = &User-Name`
	`288`	`+# authname = User-Name`
`289`	`289`
`290`	`290`	`#`
`291`	`291`	`# proxy:: SASL authorisation identity to proxy.`
`292`	`292`	`#`
`293`		`-# proxy = &User-Name`
	`293`	`+# proxy = User-Name`
`294`	`294`
`295`	`295`	`#`
`296`	`296`	`# realm:: SASL realm. Used for kerberos.`
`@@ -309,7 +309,7 @@ ldap {`
`309`	`309`	# Service, CN=Windows NT, CN=Services, CN=Configuration` object. Modify the
`310`	`310`	# `msDS-Other-Settings` attribute, and add a new entry for `DenyUnauthenticatedBind=1`.
`311`	`311`	`#`
`312`		`-# password_attribute = &User-Password`
	`312`	`+# password_attribute = User-Password`
`313`	`313`
`314`	`314`	`#`
`315`	`315`	# scope:: Search scope, may be `base`, `one`, `sub' or `children`.
`@@ -426,7 +426,7 @@ ldap {`
`426`	`426`	`# That is, group objects with attributes that identify`
`427`	`427`	# members (the inverse of `membership_attribute`).
`428`	`428`	`#`
`429`		`-# membership_filter = "(\|(member=%{control.Ldap-UserDn})(memberUid=%{&Stripped-User-Name \|\| &User-Name}))"`
	`429`	`+# membership_filter = "(\|(member=%{control.Ldap-UserDn})(memberUid=%{Stripped-User-Name \|\| User-Name}))"`
`430`	`430`
`431`	`431`	`#`
`432`	`432`	`# membership_attribute:: The attribute, in user objects, which contain`
`@@ -532,8 +532,8 @@ ldap {`
`532`	`532`	`#`
`533`	`533`	`# default:: The default profile. This may be a DN or an attribute reference.`
`534`	`534`	`#`
`535`		- # NOTE: To get old v2.2.x style behaviour, or to use the `&User-Profile` attribute
`536`		- # to specify the default profile, set this to `&control.User-Profile`.
	`535`	+ # NOTE: To get old v2.2.x style behaviour, or to use the `User-Profile` attribute
	`536`	+ # to specify the default profile, set this to `control.User-Profile`.
`537`	`537`	`#`
`538`	`538`	`# default = 'cn=radprofile,dc=example,dc=org'`
`539`	`539`
`@@ -957,8 +957,8 @@ ldap {`
`957`	`957`	`#`
`958`	`958`	`# [source,unlang]`
`959`	`959`	`# ----`
`960`		`-# &my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"`
`961`		`-# &reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string}}"`
	`960`	`+# my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"`
	`961`	`+# reply.Reply-Message := "The LDAP url is %ldap.uri.escape(%{my-string}}"`
`962`	`962`	`# ----`
`963`	`963`	`#`
`964`	`964`	`# .Output`
`@@ -979,7 +979,7 @@ ldap {`
`979`	`979`	`#`
`980`	`980`	`# [source,unlang]`
`981`	`981`	`# ----`
`982`		`-# &my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"`
	`982`	`+# my-int := "%ldap.profile(ldap://%ldap.uri.safe(%{LDAP-Host}):%ldap.uri.safe(%{LDAP-Port})/ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)"`
`983`	`983`	`# ----`
`984`	`984`	`#`
`985`	`985`	`# ### %ldap.uri.unescape(...)`
`@@ -992,8 +992,8 @@ ldap {`
`992`	`992`	`#`
`993`	`993`	`# [source,unlang]`
`994`	`994`	`# ----`
`995`		`-# &my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"`
`996`		`-# &reply.Reply-Message := "The LDAP url is %ldap.uri.unescape(%{my-string})"`
	`995`	`+# my-string := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29"`
	`996`	`+# reply.Reply-Message := "The LDAP url is %ldap.uri.unescape(%{my-string})"`
`997`	`997`	`# ----`
`998`	`998`	`#`
`999`	`999`	`# .Output`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ reply := {}`
`85`	`85`
`86`	`86`	`# Re-run the above with a different user name - the profile with "Guten Tag"`
`87`	`87`	`# as the reply message has a condition of User-Name == bob`
`88`		`-&User-Name := 'john'`
	`88`	`+User-Name := 'john'`
`89`	`89`	`if (!%ldap.profile('cn=nested,ou=profiles,dc=example,dc=com')) {`
`90`	`90`	`test_fail`
`91`	`91`	`}`