unlang?

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Wed Nov 19 15:04:41 CET 2008



Phil Mayers wrote:
> Barry Dean wrote:
>> Back in January Alan DeKok kindly helped me out with some config I
>> needed, see below. I have only just got back to reviewing RADIUS as I
>> have been involved in loads of other projects... and now can't get this
>> working! Typical...
>>
>> On Fri, 2008-01-18 at 16:23 +0100, Alan DeKok wrote:
>>>   authorize {
>>>     ...
>>>     if ("%{User-Name}" =~ /special/i) {
>>>         update reply {
>>>             Reply-Message = "Cannot use this user account"
>>>             reject
>>>         }
>>>     }
>>>     ...
>>
>> I added this to the authorize section of my config in
>> sites-available/local-auth a file defining my policies for local users
>> on our wireless etc and got the errors:
>>
>>     "ERROR: Unknown attribute reject"
>>     "Failed to parse "update" subsection.".
>>
>> Can't fathom that as it seems perfectly OK to me having read the unlang
>> man page.
> 
> """The only contents permitted in an "update" section are attributes and
> values"""
> 

That should read attribute value pairs ... and reject in the context
that you're using it is not a value or an attribute, it's a module call.

> ...from "man unlang"
> 
> Move the reject to outside the "update" section (but inside the "if")
> 

What you're doing when you list reject, is calling an instance of the
'always' module, which returns reject as its return code. This
percolates back up to the authorize stanza (reject has priority over
most other return codes, unless you explicitly set it to be otherwise).

authorize {
}

returns reject so server rejects the request...

---

I think you can achieve the same thing with:

update control {
	Auth-Type := 'reject'
}

If you were really set on using update...

In much the same way as you can do

update control {
	Auth-Type := 'accept'
}


Regards,
Arran

--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


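The fix described in this thread, written out as an added example that is not part of the original messages: the first block is the form that fails to parse, the second moves the reject module call out of the "update" section while keeping it inside the "if". The "..." lines stand for the rest of the poster's authorize section, which the thread does not show.

```unlang
# Fails to parse: "update" may contain only attribute/value pairs,
# so the bare word "reject" is looked up as an attribute name and the
# server reports "ERROR: Unknown attribute reject".
authorize {
    ...
    if ("%{User-Name}" =~ /special/i) {
        update reply {
            Reply-Message = "Cannot use this user account"
            reject
        }
    }
    ...
}

# Corrected: the attribute assignment stays in "update reply"; the
# reject module call follows it, outside "update" but inside the "if".
# Its return code propagates up to the authorize section, so the
# request is rejected with the Reply-Message attached.
authorize {
    ...
    if ("%{User-Name}" =~ /special/i) {
        update reply {
            Reply-Message = "Cannot use this user account"
        }
        reject
    }
    ...
}
```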

More information about the Freeradius-Users mailing list