optimize questions for unlang code

Tobias Hachmer lists at kokelnet.de
Tue Apr 10 11:02:01 CEST 2012

Am 06.04.2012 18:16, schrieb Brian Julin:
>> Tobias Hachmer wrote:
>> Q3: Is there a smarter way to reject an AD user immediately when he
>> wants to logon to a telnet device?
> You could use Auth-Type subsections, but with LDAP the control flow
> can be a bit confusing (the statements in the block outside those
> sections all run, and then the block gets run again from the top once 
> an
> Auth-Type is selected, which happens inside of the ldap module.)  
> Your
> best bet for this scenario is to look at the "as of 2.0" instructions 
> in
> clients.conf, where you can select a virtual server to enter based on
> which clients are requesting, and construct a separate virtual server
> for telnet devices.

Wow, thank you Brian for your good answer. I know virtual servers and I 
don't knwo why this idea didn't come to me, maybe a mental block.
I have implemented this immediately and looks fine know. Thanks again!

>> Q4: Are there any tweaking capabilities to my unlang code to make it
>> smarter or more hardened?
>> Q5: Can I abbreviate any code snippets like using a switch/case 
>> block
>> or use variables or anything I don't know?
> When using Ldap-Group as a check item, you have to be careful, 
> because
> it is a special case.  You are not really comparing the value after 
> the '=='
> to a variable, rather each time an LDAP group query is launched 
> looking
> for the value after the '=='.  This is the way LDAP groups work -- 
> you do
> not query a list of groups, you query them one-by-one.  Note that 
> using
> Ldap-Group in the "users" file is also inefficient.  I use a nested
> if statement
> to short-circuit, and sort by prevalence, but I do not have quite as 
> many
> cases as you.

OK, so this means I cannot use a switch/ case block because fr have to 
know all the ldap groups a user is in itself?

I try to nest my code a bit better like you have mentioned, Brian.


Tobias Hachmer

More information about the Freeradius-Users mailing list