"Alan DeKok" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Markus Moeller wrote:
That was the only way I could get it to work. If I use update control
anybody can login, whereas in my setup only a user who exists in ldap gets
Auth-Type set to LDAP, all other users have an empty value and therefore
cannot authenticate.
The LDAP module setting Auth-Type to LDAP is a bit of a hack. I
understand that you're depending on it, but the behavior may change in
the future. It's changed (slightly) in the past, to fix some issues.
It's better to have the policy *explicitly* state what you want.
I have changed my setup to use files and a users file together with a
"private" radius attribute mapped to an ldap entry
That's reasonable. It's a pretty simple fix to permit an empty
ldap.attrmap definition.
in users I have
DEFAULT user-location == "LDN", Auth-Type := Reject
        Reply-message = "You are not allowed to login"
DEFAULT AUTH-Type := PAM
That should mostly work. In 2.0, it's much easier just to put that
directly in a policy in a configuration file.
Unfortunately that does not work as I never hit the first default
statement in users despite having a user-location of LDN. What do I do
wrong here? How can I use an ldap query result to deny/allow access?
if ("%{ldap: stuff... }" == "bar") {
...
}
I didn't know that is possible. Where is this documented? I thought I read
all FAQ and documentation.
The other question I have is about the AV pairs used. As far as I
understand freeradius uses request, reply, check_tmp, internal only AV
pairs. Is there a document which module uses which for what purpose?
Is there a process flow diagram somewhere describing how freeradius works?
I understand
1) client -> server sends a request AV pair
2) server processes first authorisation modules and if fails end?
3) server processes authentication modules and if fails end?
4) server -> client sends reply AV pair
What is the use of check(item) AV pairs? Is it to communicate between
modules?
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Thank you
Markus