"Alan DeKok" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Markus Moeller wrote:
That was the only way I could get it to work. If I use update control
anybody can login, whereas in my setup only a user who exists in ldap gets
Auth-Type set to LDAP; all other users have an empty value and therefore
cannot authenticate.

 The LDAP module setting Auth-Type to LDAP is a bit of a hack.  I
understand that you're depending on it, but the behavior may change in
the future.  It's changed (slightly) in the past, to fix some issues.

 It's better to have the policy *explicitly* state what you want.

I have changed my setup to use files and a users file together with a
"private" radius attribute mapped to an ldap entry

 That's reasonable.  It's a pretty simple fix to permit an empty
ldap.attrmap definition.

in users I have
DEFAULT user-location == "LDN", Auth-Type := Reject
       Reply-message = "You are not allowed to login"
DEFAULT AUTH-Type := PAM

 That should mostly work.  In 2.0, it's much easier just to put that
directly in a policy in a configuration file.

Unfortunately that does not work, as I never hit the first default
statement in users despite having a user-location of LDN. What am I doing
wrong here? How can I use an ldap query result to deny/allow access?

 if ("%{ldap: stuff... }" == "bar") {
...
 }


I didn't know that was possible. Where is this documented? I thought I had read all the FAQs and documentation.

The other question I have is about the AV pairs used. As far as I understand, freeradius uses request, reply, check_tmp, internal only AV pairs. Is there a document describing which module uses which, and for what purpose?

Is there a process flow diagram somewhere describing how freeradius works?

I understand
1) client -> server sends a request AV pair
2) server processes first authorisation modules and if fails end?
3) server processes authentication modules and if fails end?
4) server -> client sends reply AV pair

What is the use of check(item) AV pairs? Is it to communicate between modules?


 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Thank you
Markus
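
An explicit, fail-closed policy of the kind suggested in the reply above, written as an added example for a FreeRADIUS 2.x virtual server; it is not from the thread or from the FreeRADIUS distribution. The base DN `dc=example,dc=org`, the LDAP attribute `l` standing in for the user's location, and the module instance names `ldap` and `pam` are assumptions.

```unlang
authorize {
	preprocess

	# Look the user up in the directory. A directory error ("fail")
	# ends this section by default, so an unreachable LDAP server
	# does not let anyone through.
	ldap

	# Only users that exist in LDAP may continue. This states the
	# rule in the policy itself rather than relying on the module
	# setting Auth-Type as a side effect.
	if (notfound) {
		update reply {
			Reply-Message := "You are not allowed to login"
		}
		reject
	}

	# %{ldap:...} expands to the value returned by the LDAP URL
	# (assumed base DN and attribute). Deny users located in LDN.
	if ("%{ldap:ldap:///dc=example,dc=org?l?sub?uid=%{User-Name}}" == "LDN") {
		update reply {
			Reply-Message := "You are not allowed to login"
		}
		reject
	}

	# Everyone who reaches this point is known to LDAP and is not
	# in the denied location: hand authentication to PAM.
	update control {
		Auth-Type := PAM
	}
}

authenticate {
	Auth-Type PAM {
		pam
	}
}
```

Running the server with `radiusd -X` shows each condition and its result for a test request, which confirms that an unknown user and an LDN user are both rejected before `Auth-Type` is ever set.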
