madmatrix <hailum...@gmail.com> wrote:
>
> Alexander, one thing I'm still confused here is why we put otp and
> ldap all in authorization block in freeradius not the authentication?
>

As I'm an idiot. They should also be present in the authenticate section.

In authorise, your OTP python method checks to see if it is a valid authentication syntax (creating a challenge if necessary), returning reject if it is invalid. It validates and rewrites User-Password to contain just the bare password, whilst you can create a custom dictionary attribute (for example User-OTP) that is separately processed in authenticate.

So, for example:

----
authorize {
	...
	# User-Password is 'foo bar'
	python-otp
	# User-Password is 'foo'
	# User-OTP is 'bar'
	ldap
	...
}

authenticate {
	...
	Auth-Type python-otp {
		otp
		ldap
	}
	...
}
----

Cheers

-- 
Alexander Clouter
.sigmonster says: Price does not include taxes.
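
As an added illustration (not code from the post above or from FreeRADIUS), the authorize-stage syntax check the message describes could be sketched in Python as follows. The function name, the outcome strings and the six-digit token format are assumptions, and wiring the result into rlm_python's return value is not shown.

```python
import re

# Assumption: the token is six decimal digits. The post's 'bar' is a stand-in.
OTP_RE = re.compile(r"[0-9]{6}")


def split_credentials(request):
    """Split 'password otp' out of User-Password (hypothetical helper).

    request is a dict of attribute name -> value.
    Returns (outcome, updates): outcome is 'updated', 'challenge' or
    'reject'; updates holds the attributes to rewrite or add.
    """
    raw = request.get("User-Password")
    if not raw:
        # No password attribute, or an empty one: nothing to validate.
        return "reject", {}

    # Split on the LAST space so a password containing spaces survives.
    password, sep, otp = raw.rpartition(" ")

    if not sep:
        # A single field: treat it as a bare password and ask for the token.
        # Tying the second round to this one (State) is outside this sketch.
        return "challenge", {"Reply-Message": "Enter one-time code"}

    # Invalid syntax is rejected here, before ldap or the OTP check ever run.
    # Side effect: a bare password that itself contains a space lands here
    # too, because its last word is taken as the token.
    if not password or not OTP_RE.fullmatch(otp):
        return "reject", {}

    # User-Password now carries only the bare password for ldap;
    # User-OTP (a custom dictionary attribute) is left for authenticate.
    return "updated", {"User-Password": password, "User-OTP": otp}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real request.
    for sample in ("foo 123456", "pass word 123456", "foo", "foo 12ab"):
        outcome, updates = split_credentials({"User-Password": sample})
        print(outcome, sorted(updates))
```
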