Re: Force Auth-Type

Fri, 25 Jan 2008 12:32:37 -0800
"Alan DeKok" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] 
Markus Moeller wrote:

That was the only way I could get it to work. If I use update control
anybody can login, whereas in my setup only a user who exits in ldap get
AUth-Type set to LDAP all other users have an empty value and therefore
can not authenticate.


 The LDAP module setting Auth-Type to LDAP is a bit of a hack.  I
understand that you're depending on it, but the behavior may change in
the future.  It's changed (slightly) in the past, to fix some issues.

 It's better to have the policy *explicitly* state what you want.


I have changed my setup to use files and a users file together with a
"private" radius attribute mapped to an ldap entry


 That's reasonable.  It's a pretty simple fix to permit an empty
ldap.attrmap definition.


in users I have
DEFAULT user-location == "LDN", Auth-Type := Reject
       Reply-message = "You are not allowed to login"
DEFAULT AUTH-Type := PAM


 That should mostly work.  In 2.0, it's much easier just to put that
directly in a policy in a configuration file.


Unfortunatly that does not work as I never hit the first default
statement in users despite having a user-location of LDN. What do I do
wrong here ? How can I use an ldap query result to deny/allow access ?


 if ("%{ldap: stuff... }" == "bar") {
...
 }




I didn't know that is possible. Where is this documented ? I thought I read 
all FAQ and documentations.



The other questions I have is about the AV pairs used. As far as I 
understand freeradius uses request, reply, check_tmp, internal only AV 
pairs. Is there a document which module uses which for what purpose ?


Is there a process flow diagram somewhere describing how freeradius works ?

I understand
1)client -> server sends a request AV pair
2) server processes first authorisation modules and if fails end ?
3) server processes authentication modules and if fails end ?
4) server -> client sends reply AV pair


What is the use of check(item) AV  pairs ? Is it to communicate between 
modules ?




 Alan DeKok.
-

List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




Thank you

Markus 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






















					Reply via email to