Hi Alexander, thanks for your answer. This works nearly perfect. My problem now is that: [files] users: Matched entry DEFAULT at line 11 ++[files] returns ok ... Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> u8867 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated the file [ ++[files] returns ok ] , and not reject. At the end the request will be rejected. This is what I need. But the process is running through and will not interrupted. What I want to do is: 1. freeradius get an request 2. freeradius should look into his user file 2.1. if user found, next step 2.2. if user is not found, interrupt -> reject 3. (user was found) LDAP request ... So if the user is not in the user file, the ldap request should not taken. How to do this in the best way? Thanks in advance, Thomas
thomas.dohl@24-7-it-services.de wrote:
in the section "authorize" I include the module "file". (/etc/raddb/users) At the moment I get an noop if a user is not found in the file. How can I change it to return a reject, if a user is not found?
Now: ++[files] returns noop Destination: ++[files] returns reject
Depending on how your 'brain' logic flows, you can prime a default reject and then use matching rules later to turn that to an accept like so: ---- DEFAULT Auth-Type := Reject Fall-Through = Yes
[your existing config here] ----
Alternatively, you can bolt the following to the end: ---- DEFAULT Auth-Type := Reject ----
I prefer to 'deny, allow' (in Apache speak), but you might prefer 'allow, deny'.
Cheers
-- Alexander Clouter .sigmonster says: Have a taco. -- P. S. Beagle
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html