Markus Moeller wrote:
That was the only way I could get it to work. If I use update control anybody can login, whereas in my setup only a user who exits in ldap get AUth-Type set to LDAP all other users have an empty value and therefore can not authenticate.
The LDAP module setting Auth-Type to LDAP is a bit of a hack. I understand that you're depending on it, but the behavior may change in the future. It's changed (slightly) in the past, to fix some issues. It's better to have the policy *explicitly* state what you want.
I have changed my setup to use files and a users file together with a "private" radius attribute mapped to an ldap entry
That's reasonable. It's a pretty simple fix to permit an empty ldap.attrmap definition.
in users I have DEFAULT user-location == "LDN", Auth-Type := Reject Reply-message = "You are not allowed to login" DEFAULT AUTH-Type := PAM
That should mostly work. In 2.0, it's much easier just to put that directly in a policy in a configuration file.
Unfortunatly that does not work as I never hit the first default statement in users despite having a user-location of LDN. What do I do wrong here ? How can I use an ldap query result to deny/allow access ?
if ("%{ldap: stuff... }" == "bar") { ... } Alan DeKok.