Markus Moeller wrote:
> That was the only way I could get it to work. If I use update control
> anybody can login, whereas in my setup only a user who exists in ldap gets
> Auth-Type set to LDAP; all other users have an empty value and therefore
> can not authenticate.

The LDAP module setting Auth-Type to LDAP is a bit of a hack. I understand that you're depending on it, but the behavior may change in the future. It's changed (slightly) in the past, to fix some issues.

It's better to have the policy *explicitly* state what you want.

> I have changed my setup to use files and a users file together with a
> "private" radius attribute mapped to an ldap entry

That's reasonable. It's a pretty simple fix to permit an empty ldap.attrmap definition.

> in users I have
>
> DEFAULT user-location == "LDN", Auth-Type := Reject
>         Reply-Message = "You are not allowed to login"
>
> DEFAULT Auth-Type := PAM

That should mostly work. In 2.0, it's much easier just to put that directly in a policy in a configuration file.

> Unfortunately that does not work as I never hit the first default
> statement in users despite having a user-location of LDN. What do I do
> wrong here? How can I use an ldap query result to deny/allow access?

  if ("%{ldap: stuff... }" == "bar") {
    ...
  }

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
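As an added example (not code from the thread or from the FreeRADIUS project), here is the explicit 2.0 policy Alan suggests, written out in unlang so that access no longer depends on the ldap module setting Auth-Type. A `==` check item in the users file only matches attributes in the request packet, while the ldap module places mapped attributes in the control list, so the policy below tests `control:`. It assumes a site-local dictionary attribute named `User-Location` (hypothetical name and number), mapped from an LDAP attribute `userLocation` (placeholder name) through `checkItem` in `ldap.attrmap`.

```unlang
# raddb/dictionary (site-local) -- assumed attribute; a number above 255
# keeps it internal to the server, it is never sent on the wire.
ATTRIBUTE   User-Location   3000   string

# raddb/ldap.attrmap -- map the LDAP attribute (placeholder name) into the
# control list of the request when the user is found.
checkItem   User-Location   userLocation

# raddb/sites-enabled/default, authorize section (FreeRADIUS 2.0)
authorize {
	preprocess

	# Look the user up in LDAP. On success the attrmap above yields
	# control:User-Location. Nothing here relies on Auth-Type := LDAP.
	ldap

	# Users that do not exist in LDAP are rejected explicitly,
	# instead of falling through with an empty Auth-Type.
	if (notfound) {
		reject
	}

	# Users located in LDN are denied, with a message for the NAS.
	if (control:User-Location == "LDN") {
		update reply {
			Reply-Message := "You are not allowed to login"
		}
		reject
	}

	# Everyone else found in LDAP authenticates against PAM.
	update control {
		Auth-Type := PAM
	}
}
```

Debug the result with `radiusd -X`: the ldap module should log the mapped `User-Location` in the control items, and the `if` lines show which branch fired for a test user in each category (missing from LDAP, located in LDN, anyone else).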