On Tue, Sep 16, 2008 at 2:23 PM, <tnt@kalik.net> wrote:
1. For determining session expiry, i can see the Reply-Message for session timeout from rlm_expiration module. But for determining locked users, i think rlm_unix doesnt pass RLM_MODULE_USERLOCK as part of Reply-Message.
No. But have a look at "man unlang" and module return codes. You can use unlang to set Reply-Message in such cases.
[Pavan] Thanks, I will try this.
2. For determining if user named xyz has typed wrong passwd and his privilage level, , i will keep /etc/raddb/users entry as
xyz Auth-Type := Reject , User-password =~ "*" Reply-Message = "Invalid passwd for xyz(level 2)."
I am not quite sure what you mean. Does your user have multiple entries where privilege level is determined by password? Like:
xyz User-Password 1 Priv-Level 1
xyz User-Password 2 Priv-Level 2
You will not be able to determine which (level) password he wanted to use if he misses. You can remove password attribute from check line and level from the reply entry.
[Pavan] I am sorry for the confsion. I will rewrite my query : My intention here was to determine user privilage who has entered a wrong password. I need this privilage level for the user so that i can take appropriate action to lock user at NAS level. /ets/raddb/users have first entry for each user with correct passwd, followed by wrong passwd(kept it as regular expression *) xyz Auth-Type := Local , User-password = "xyz" Reply-Message = "successfull level(2)." xyz Auth-Type := Reject , User-password =~ "*" Reply-Message = "Invalid passwd for xyz(level 2)."
I can parse Reply-Message to determine the privilage. Is this the right way to determine the user privilage?
3. For determining if the user is a valid radius user, i will keep this entry at the end in the /etc/raddb/users :
DEFAULT Auth-Type := Reject Reply-Message = "Invalid user"
That's fine.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks so much. Pavan