optimize questions for unlang code
lists at kokelnet.de
Tue Apr 10 11:02:01 CEST 2012
On 06.04.2012 18:16, Brian Julin wrote:
>> Tobias Hachmer wrote:
>> Q3: Is there a smarter way to reject an AD user immediately when he
>> wants to log on to a telnet device?
> You could use Auth-Type subsections, but with LDAP the control flow
> can be a bit confusing (the statements in the block outside those
> sections all run, and then the block gets run again from the top once
> Auth-Type is selected, which happens inside of the ldap module.) The
> best bet for this scenario is to look at the "as of 2.0" instructions
> in clients.conf, where you can select a virtual server to enter based
> on which clients are requesting, and construct a separate virtual
> server for telnet devices.
Wow, thank you Brian for your good answer. I know virtual servers and I
don't know why this idea didn't come to me, maybe a mental block.
I have implemented this immediately and it looks fine now. Thanks again!
>> Q4: Are there any tweaking capabilities to my unlang code to make it
>> smarter or more hardened?
>> Q5: Can I abbreviate any code snippets, e.g. by using a switch/case
>> or variables, or anything else I don't know about?
> When using Ldap-Group as a check item, you have to be careful, it is a
> special case. You are not really comparing the value after the '==' to
> a variable; rather, each time an LDAP group query is launched for the
> value after the '=='. This is the way LDAP groups work -- you do not
> query a list of groups, you query them one by one. Note that
> Ldap-Group in the "users" file is also inefficient. I use a nested if
> statement to short-circuit, and sort by prevalence, but I do not have
> quite as many cases as you.
OK, so this means I cannot use a switch/case block because FreeRADIUS
would have to know all the LDAP groups a user is in by itself?
I'll try to nest my code a bit better like you mentioned, Brian.
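The two suggestions in Brian's reply (route telnet devices into their own virtual server from clients.conf, and nest Ldap-Group checks so the common case is tested first) put together as an added configuration example for FreeRADIUS 2.x. This is not configuration from the thread; the client name, IP address, shared secret, virtual-server name, group names and the Cisco-AVPair reply attributes are all made up for illustration and would have to be replaced with the real ones.

```unlang
# ---- raddb/clients.conf (added example, not from the original post) ----
# Every request arriving from this NAS is handled by the "telnet-devices"
# virtual server instead of the default one, so the reject logic for
# telnet logins never mixes with the policy used for other devices.
client telnet-switch-1 {
    ipaddr        = 192.0.2.10        # constructed address
    secret        = change-me-please  # constructed secret
    shortname     = telnet-switch-1
    nastype       = cisco
    virtual_server = telnet-devices
}

# ---- raddb/sites-available/telnet-devices (added example) ----
# Symlink this into sites-enabled/. Only the sections that matter for the
# point being made are shown; accounting etc. can be copied from "default".
server telnet-devices {
    authorize {
        preprocess

        # Nothing below here needs LDAP: a user who is not in the one
        # group allowed on telnet devices is rejected right away, before
        # any further policy runs. Every Ldap-Group comparison is a
        # separate LDAP search, so the check that is true for most users
        # comes first and the rarer cases are nested under it.
        if (Ldap-Group == "telnet-users") {
            if (Ldap-Group == "network-admins") {
                update reply {
                    Cisco-AVPair := "shell:priv-lvl=15"
                }
            }
            else {
                update reply {
                    Cisco-AVPair := "shell:priv-lvl=1"
                }
            }
            # Only users who passed the group gate get an Auth-Type set.
            ldap
        }
        else {
            # AD users (and anyone else) not in "telnet-users" are
            # rejected here without ever reaching "authenticate".
            reject
        }
    }

    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }

    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

Two things to keep in mind when adapting this: the `ldap` module must be configured and loaded (its `groupmembership_filter`/`groupname_attribute` settings are what the `Ldap-Group` comparison uses), and because each `Ldap-Group == "..."` is its own LDAP query, the order of the `if`/`elsif` chain is what controls how many round trips a typical login costs. A `switch` on `Ldap-Group` is not possible for the reason Brian gives: the server never holds a list of the user's groups, it only asks "is this user in group X?" one group at a time.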