On Thursday 6 February 2003 15:40, Alan DeKok wrote:
> > +----+-----------+-------------------+-------+------+
> > |  6 | internix  | No-Such-Attribute |       | :=   |
>
>   What the heck is that line for?

It's an ugly kludge done because some people here found it
« counter-intuitive » that groups would either disappear (in our custom
Web interface) when there weren't any more attributes in them, or
refuse to drop the last item. So, since they're customers, and I didn't
want to take the time to explain the problem to them, I just threw in this
attribute (which doesn't seem to be sent back to the NASes, even
though scouring the code didn't teach me what purpose it really has) and
made it invisible from the interface. Now, the customer can have his
empty groups (I _know_ that's dumb) and I can have them off my shoulders
at the price of a terrible technical solution. Sad :-(

>   That won't work, unfortunately.  The '!=' check for Auth-Type isn't
> supported.

Ah.

>   That means pass the users through 'files', and then ALSO through
> 'suffix'.
>
>   The 'Fall-Through = Yes' attribute works ONLY inside of the 'users'
> file, and doesn't affect the handling of the 'authorize' section.

Not in SQL tables? OK, I dropped it.

>   What you want to do here is read 'doc/configurable_failover', which
> allows you to set up fail-over of fall-through between different
> modules in 'authorize'

All right. *It works!* This configuration seems to do what I wanted:

authorize {
        redundant {
                sql
                notfound = 1
                ok = return
        }
        files
        suffix
}

with users containing:

DEFAULT Service-Type == Call-Check, Auth-Type := Accept

DEFAULT Proxy-To-Realm := "alien"

(all += changed to :=, per Chris' message, and to avoid the remote chance
something could supersede them).

OK, one last question (much less important): I would like to change the
attributes sent back from the proxy server. I thus dutifully installed
CVS20030205, added a post-proxy {  } section at the end of radiusd.conf,
and proceeded to add some attr_rewrite sections:

        attr_rewrite ascendmaxchanns {
                attribute = Ascend-Maximum-Channels
                searchin = reply
                searchfor = ""
                replacewith = "1"
                ignore_case = no
                new_attribute = yes
                max_matches = 1
                append = no
        }

        attr_rewrite setcompression {
                attribute = Framed-Compression
                searchin = reply
                searchfor = ""
                replacewith = "Van-Jacobson-TCP-IP"
                ignore_case = no
                new_attribute = yes
                max_matches = 1
                append = no
        }

and in the section:

post-proxy {
        ascendmaxchanns
        setcompression
}

They work fine, but not this one:

        attr_rewrite randomipaddr {
                attribute = Framed-IP-Address
                searchin = reply
                searchfor = "255.255.255.254"
                replacewith = "194.79.150.%{expr: %{NAS-Port-Id} + 195}"
                ignore_case = no
                new_attribute = no
                max_matches = 1
                append = no
        }

Or rather, it works... if I set new_attribute to yes. However, I'm then
left with two conflicting Framed-IP-Address attributes. With
new_attribute set to no, it just says:

rlm_attr_rewrite: Could not find value pair for attribute Framed-IP-Address
  modcall[post-proxy]: module "randomipaddr" returns noop

Huh? But it *should* have found that value, I'm pretty sure the
upstream RADIUS sends one back...

Anyway, thanks to everyone who helped me solve this proxy problem. Very
nice of you, people :-)

Cheers,
-- 
[ Jacques Caruso <[EMAIL PROTECTED]>                  Développeur PHP ]
[ Monaco Internet                           http://monaco-internet.mc/ ]
[ Tél : (+377) 93 10 00 43                        Clé PGP : 0x41F5C63D ]
[ -+- Support bacteria! They're the only culture some people have. -+- ]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
