unlang question

Alan DeKok aland at deployingradius.com
Thu Jul 5 12:04:41 CEST 2007

Enrik Berkhan wrote:
> But exactly adding the "ok = 1" makes it work. Have you tried it? May be
> it's a bug though ... :)

  Hmm... then I'm not sure I understand what the code is doing.

> But it takes something from the child block after the unroll: label in
> modcall.c. That's why I have tried the above. Maybe this is not correct
> for if/elsif?

  The if/elsif blocks should force the current return code to be the
last one used.  I think it worked by accident, so it's good to fix the
code to make it work on purpose.

>>   What you probably want here is:
> You are right, that's like I wanted it, but it didn't work. So may be
> the if-processing is still buggy then.

  Hmm... putting "ok = 1" in an "if" section doesn't do *anything*.
It's accepted by the parser, but it doesn't do anything.

  OK... after a bit of examination, what works is:

  pap {
	ok = 1
 	reject = 1
   if (ok) {
 	update reply {
            Reply-Message := "Welcome."
   elsif (reject) {
 	update reply {
            Reply-Message := "Wrong PAP password."
 	reject  # over-rides the "updated" flag.

  It's not intuitive, but it works.

  But really, all of that logic belongs in the "post-auth" section.
That's what it's there for.  Use the "Post-Auth-Type Reject" section.
It's documented in radiusd.conf.

  Alan DeKok.

More information about the Freeradius-Devel mailing list