authorization based on ldap attribute

Phil Mayers p.mayers at imperial.ac.uk
Thu Sep 20 16:25:28 CEST 2012


On 20/09/12 13:35, Gregg Douglas wrote:

>   With this reject command in the authorize section is there a method to
> supply a custom reply message?

Sure.

if (...) {
   update reply {
     # Goes back to the NAS in the Access-Reject produced by 'reject' below
     Reply-Message = "whatever you want"
   }
   reject
}

This is pretty basic use. I think people should be able to find this in 
the docs - do you have any suggestions where we should put (more) pointers?

>
> An observation I made with the if statement as above, if the attribute
> is not present on the user object it will evaluate false, thus allowing
> the user access.

Again, sure. You can invert the sense of the check in whatever fashion 
suits you, as the OP did. You can also skip absence of the attribute e.g.

if (reply:Eduroam-Enabled !* ANY) {
   # "!* ANY" is true when the attribute does not exist in the reply list
   # attr absent, permit
   noop
}
elsif (reply:Eduroam-Enabled == "N") {
   # definitely not permitted
   reject
}


...and so on.

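The two fragments above combined into one authorize section, as an added example that is not part of Phil's reply or of the FreeRADIUS project's own configuration. It assumes the ldap module has already copied the directory attribute into the reply list as Eduroam-Enabled (as the reply: prefix in the thread implies) with the values "Y" and "N"; the Reply-Message strings and the choice to fail closed on any other value are this example's own, not the thread's.

```unlang
authorize {
    preprocess

    # Must run before the check so reply:Eduroam-Enabled is populated
    # (assumption: the ldap attrmap puts the directory value in the reply list).
    ldap

    # Attribute absent: the thread notes this case slips through a plain
    # "== N" test, so make the policy explicit. Swap 'noop' for 'reject'
    # (with its own Reply-Message) if absence should deny access instead.
    if (reply:Eduroam-Enabled !* ANY) {
        noop
    }
    elsif (reply:Eduroam-Enabled == "N") {
        # Explicitly disabled: reply text is illustrative only.
        update reply {
            Reply-Message = "eduroam access is disabled for this account"
        }
        reject
    }
    elsif (reply:Eduroam-Enabled != "Y") {
        # Any value other than Y/N is unexpected; fail closed rather than guess.
        update reply {
            Reply-Message = "eduroam access flag has an unrecognised value"
        }
        reject
    }

    pap
}
```

Note that 'reject' in authorize sends an Access-Reject without running authenticate, and the default Post-Auth-Type REJECT section runs attr_filter.access_reject, which keeps Reply-Message (it is listed in attrs.access_reject) but strips most other reply attributes, so set the message as shown rather than relying on other reply items surviving the reject.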

More information about the Freeradius-Users mailing list