unlang question

Enrik Berkhan enrik#freeradius at planb.de
Fri Jul 6 12:49:35 CEST 2007


Alan DeKok schrieb:
>   Please try it again.  You should not need the "always-ok" in the "if
> (ok)" block, or the "always-reject" in the "if (reject)" block.

Yes, now both examples work like "expected".

Working authorize example:

> modules {
> 
>   always always-reject {
>     rcode = reject
>   }
> 
> }
> 
> server {
> 
>   authorize {
> 
>     # reject, but continue
>     always-reject {
>       reject = 1
>     }
> 
>     if (ok) {
>       update reply {
>         Reply-Message := 'Hi, there!'
>       }
>     }
>     elsif (reject) {
>       update reply {
>         Reply-Message := "Go away, %{User-Name:-unknown}!"
>       }
>     }
> 
>   }
> 
> }

The elsif is taken always, as it should, and reject will be returned
without further action. Of course, the if can't be tested in this setup.

Working authenticate example, even if you don't like it :)

> modules {
> 
>   pap {
>     auto_header = yes
>   }
> 
>   files {
>     usersfile = ${confdir}/users
>     acctusersfile = /dev/null
>     preproxy_usersfile = /dev/null
>     compat = no
>   }
> 
> }
> 
> server {
> 
>   authorize {
>     files
>     pap
>   }
> 
>   authenticate {
>     Auth-Type PAP {
>       # pap returns either fail or noop or ok or reject
>       pap {
>         # default for ok on authenticate would be to return
>         ok = 1
>         # default for reject on authenticate would be to return
>         reject = 1
>       }
>       if (ok) {
>         update reply {
>           Reply-Message := "pap authenticate returned OK"
>         }
>       }
>       elsif (reject) {
>         update reply {
>           Reply-Message := "pap authenticate returned REJECT"
>         }
>       }
>     }
>   }

Here, the if is taken if user/password is correct and ok will be
propagated by the if block. The elsif is taken if the user is authorized
but uses a wrong password and reject will be propagated by the elsif
block. The reply is updated in both cases as expected.

Thanks for the fix!

Enrik



More information about the Freeradius-Devel mailing list