Force Auth-Type

Markus Moeller huaraz at moeller.plus.com
Fri Jan 25 21:29:26 CET 2008


"Alan DeKok" <aland at deployingradius.com> wrote in message 
news:4798BE25.6050300 at deployingradius.com...
> Markus Moeller wrote:
>> That was the only way I could get it to work. If I use update control
>> anybody can login, whereas in my setup only a user who exists in ldap gets
>> Auth-Type set to LDAP; all other users have an empty value and therefore
>> can not authenticate.
>
>  The LDAP module setting Auth-Type to LDAP is a bit of a hack.  I
> understand that you're depending on it, but the behavior may change in
> the future.  It's changed (slightly) in the past, to fix some issues.
>
>  It's better to have the policy *explicitly* state what you want.
>
>> I have changed my setup to use files and a users file together with a
>> "private" radius attribute mapped to an ldap entry
>
>  That's reasonable.  It's a pretty simple fix to permit an empty
> ldap.attrmap definition.
>
>> in users I have
>> DEFAULT user-location == "LDN", Auth-Type := Reject
>>        Reply-message = "You are not allowed to login"
>> DEFAULT AUTH-Type := PAM
>
>  That should mostly work.  In 2.0, it's much easier just to put that
> directly in a policy in a configuration file.
>
>> Unfortunately that does not work, as I never hit the first default
>> statement in users despite having a user-location of LDN. What do I do
>> wrong here? How can I use an ldap query result to deny/allow access?
>
>  if ("%{ldap: stuff... }" == "bar") {
> ...
>  }
>

I didn't know that was possible. Where is this documented? I thought I had read 
all the FAQs and documentation.

The other question I have is about the AV pairs used. As far as I 
understand, freeradius uses request, reply, check_tmp and internal-only AV 
pairs. Is there a document describing which module uses which, and for what purpose?

Is there a process flow diagram somewhere describing how freeradius works?

I understand:
1) client -> server: sends a request AV pair
2) server processes the authorisation modules first, and if they fail, stops?
3) server processes the authentication modules, and if they fail, stops?
4) server -> client: sends a reply AV pair

What is the use of check(item) AV pairs? Is it to communicate between 
modules?


>  Alan DeKok.

Thank you
Markus 
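As an added example (not from the thread, and not FreeRADIUS's own configuration), one way to write the explicit policy Alan sketches in unlang, in the authorize section of a FreeRADIUS 2.x virtual server. The base DN ou=people,dc=example,dc=com, the login attribute uid, the attribute name userLocation and the URL form of the ldap xlat are assumptions for illustration:

```unlang
# Added example: explicit allow/deny policy in sites-enabled/default (FreeRADIUS 2.x).
# Assumptions: users live under ou=people,dc=example,dc=com, the login name is
# in "uid", and a hypothetical attribute "userLocation" holds a site code ("LDN").
authorize {
    preprocess
    # (other authorize modules omitted)

    # The ldap xlat returns the requested attribute's value, or an empty
    # string when no entry matches the filter.
    if ("%{ldap:ldap:///ou=people,dc=example,dc=com?uid?sub?(uid=%{User-Name})}" == "") {
        # Unknown user: reject explicitly rather than relying on an unset Auth-Type.
        update control {
            Auth-Type := Reject
        }
        update reply {
            Reply-Message := "Unknown user"
        }
    }
    elsif ("%{ldap:ldap:///ou=people,dc=example,dc=com?userLocation?sub?(uid=%{User-Name})}" == "LDN") {
        # Known user at a location that is not allowed to log in.
        update control {
            Auth-Type := Reject
        }
        update reply {
            Reply-Message := "You are not allowed to login"
        }
    }
    else {
        # Known user at an allowed location: authenticate with PAM,
        # as the original users-file DEFAULT entry does.
        update control {
            Auth-Type := PAM
        }
    }
}
```

The authenticate section still needs an `Auth-Type PAM { pam }` block, and the ldap module must be configured with the server and base DN before the xlat can run.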