Florian Prester wrote:
Hi,
1.) in the users-file, I can only check for attributes provided by the request - correct?
I think so
2.) in the users-file, if an entry matches all check-attributes, I can specify an Auth/Autz-Type - correct?
yes
3.) in the users-file, if I do not specify the Auth/Autz-Type the radius is taken the requested Type automatically - correct?
Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules set Auth-Type based on the incoming requests e.g. the "mschap" modules sets Auth-Type=MS-CHAP if the mschap attributes are in the request. Ditto the "chap" and "eap" modules. "pap" is a bit more complex and has changed in CVS head. Generally, you should not set Auth-Type in the users file. It's a sign you're doing something wrong. Perhaps if you told us what you're trying to do?
4.) Authentication is comparing a password - correct?
Not necessarily. If it's a PAP request, it's possible to check the plaintext password in the request by straight comparison, hashes comparison, or callout to another system (LDAP, PAM) Other authentication mechanisms may perform cryptographic operations on passwords at the server and challenges from the NAS to generate the servers idea of the correct response and compare it to the client-supplied response (chap, mschap). Others still may reply to the NAS with a server-generated challenge (EAP).
5.) Authorization is even if a password is correct, the user may not use/do something - correct?
No. That's the common meaning. The "authorize" section in FreeRadius is something else. Please read doc/aaa.txt
6.) Authorization is done by providing appropriate reply-attributes - correct?
If you mean "user is OK, can/can't do something"-type "authorization", then yes some NASes can do that based on attributes in the radius reply.
Now the big question: If I have an user who is authenticate, meaning correct username + password whereas the password is stored in LDAP. I want to replay attributes according th some other information stored in LDAP - how can I do such a thing, like: IF ldap-attribute::xy == valid_1 THEN RETURN ldap-attribute::IP-good, ELSIF dap-attribute::xy == valid_2 THEN RETURN ldap-attribute::IP-better, ELSE RETURN ldap-attribute::IP-bad
I don't understand that I'm afraid. I think that's because your question is based on faulty assumptions about the meaning of FreeRadius "authorize" and "authenticate" sections. Please have a look at the docs.