OK I think I understand it now better. And I can do everything with unlang
and ldap and no files module as I didn't find a way to use control AV pairs
in the users file.
I do now in sites-enabled/default the following:
authorize {
    auth_log
    ldap
    if (control:User-Location != "LDN" ) {
        update control {
            Auth-Type := PAM
        }
        update reply {
            Reply-Message = " Accepted "
        }
    }
    else {
        update control {
            Auth-Type := Reject
        }
        update reply {
            Reply-Message = " Rejected "
        }
    }
}
authenticate {
    pam
}
preacct {
    acct_unique
}
accounting {
    detail
}
with user-location being mapped in ldap.attrmap to an ldap attribute of the
user.
Does that look OK ?
Thank you
Markus
BTW Are you interested in my Mozilla SDK patch for the ldap module ?
"Alan DeKok" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Markus Moeller wrote:
> > if ("%{ldap: stuff... }" == "bar") {
> > ...
>
> I didn't know that is possible. Where is this documented ? I thought I
> read all FAQ and documentations.

It's not really well documented, because it's not well tested. If it
works, great. If not...

> The other questions I have is about the AV pairs used. As far as I
> understand freeradius uses request, reply, check_tmp, internal only AV
> pairs. Is there a document which module uses which for what purpose ?

doc/aaa.txt

> Is there a process flow diagram somewhere describing how freeradius works ?

Nope.

> I understand
> 1) client -> server sends a request AV pair
> 2) server processes first authorisation modules and if fails end ?
> 3) server processes authentication modules and if fails end ?
> 4) server -> client sends reply AV pair
> What is the use of check(item) AV pairs ? Is it to communicate between
> modules ?

Among other things. It's for things associated with the request that
don't need to go into a packet.

Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
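
Added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of the authorize/authenticate flow in the configuration above, showing that control items such as Auth-Type and User-Location steer processing inside the server while only the reply list goes back to the client. The user directory, passwords and all function names are constructed for illustration.

```python
# Simplified model of the policy in the message above; not FreeRADIUS code.
# Directory entries and passwords are constructed sample data, and only
# these two users are modelled.
LDAP = {"alice": {"User-Location": "NYC"}, "bob": {"User-Location": "LDN"}}
PAM_PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}
pam_calls = []  # records which users actually reached the pam step


def authorize(request, control, reply):
    """Mirror of the authorize section: ldap, then the unlang if/else."""
    # ldap step: the mapped LDAP attribute lands in the control list.
    control.update(LDAP[request["User-Name"]])
    if control["User-Location"] != "LDN":
        control["Auth-Type"] = "PAM"
        reply["Reply-Message"] = " Accepted "
    else:
        control["Auth-Type"] = "Reject"
        reply["Reply-Message"] = " Rejected "


def authenticate(request, control):
    """Run whatever control:Auth-Type selected during authorize."""
    if control["Auth-Type"] == "Reject":
        return False  # no authentication module is consulted
    pam_calls.append(request["User-Name"])
    return PAM_PASSWORDS[request["User-Name"]] == request["User-Password"]


def handle(request):
    """Return (packet code, attributes placed in the reply)."""
    control, reply = {}, {}
    authorize(request, control, reply)
    ok = authenticate(request, control)
    # Only the reply list is returned; the control list is discarded here.
    # The model returns the reply list as authorize left it, unfiltered.
    return ("Access-Accept" if ok else "Access-Reject"), reply


if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("alice", "wrong"), ("bob", "hunter2")]:
        print(user, handle({"User-Name": user, "User-Password": pw}))
```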