Why doesn't := "Always match?"
George C. Kaplan
gckaplan at ack.berkeley.edu
Sat Jul 22 19:36:44 CEST 2006
On Jul 21, 2006, at 6:31 PM, Paul Long wrote:
>
> Phil Mayers wrote:
>> Paul Long wrote:
>>> A man page (http://www.die.net/doc/linux/man/man5/users.5.html)
>>> for the users file says, "Attribute := Value ... Always matches
>>> as a check item..." So does that mean, no matter what the value
>>> is, it will always
>>
>> Well, the wording might be a bit confusing.
>>
>> FreeRadius works the following way:
>>
>> 1. All attribute-value pairs that come in are the "request" pairs
>> 2. Internal server attribute per-request are the "config" pairs
>> 3. Attribute-value pairs to go back to the client are the "reply"
>> pairs
>>
>> someuser User-Password := "somevalue"
>>
>> ...actually sets (unconditionally) the User-Password AVP in the
>> "config" items. This password is *COMPARED* to the password
>> supplied by the client in the "request" items.
> Okay, so then what is meant in the man page by "Always matches a
> check item?" Should it have said, "Always checks a check item?" :-)
> As is, it sounds like it always returns true.

The way I think of it is that the "match" criterion only applies to
which clause of the users file gets selected. Subsequent processing
of the request may still cause the request to be rejected.

>>> match the attribute? I don't see that happening. As an
>>> experiment, I have a supplicant in a WiFi phone with user name of
>>> "plong" and password of "123". With the following entry in the
>>> users file:
>>>
>>> plong Auth-Type = Local, User-Password := "126"
>>>
>>> ...I assumed it would match even though the value is different;
>>> however,

I'll try to give an example. Suppose you had two entries, using '=='
for the same user:

    plong Auth-Type = Local, User-Password == "126"
    plong Auth-Type = Local, User-Password == "123"

Then, if 'plong' supplies the password "123", the 'files' module
(which processes the 'users' file) will select the second entry, then
the authentication module will compare the passwords in the request
and config items, and the user will be accepted.

But if you use ':='

    plong Auth-Type = Local, User-Password := "126"
    plong Auth-Type = Local, User-Password := "123"

the 'files' module will select the first entry ("always match"), then
the authentication module will compare the supplied password "123"
with the configured password "126" and the user will be rejected.

I hope I got that right; Phil can correct me if not.

--
George C. Kaplan gckaplan at ack.berkeley.edu
Communication & Network Services 510-643-0496
University of California at Berkeley
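
The two stages described in the message above (entry selection by the 'files' module, then the password comparison), as an added toy model; it is not part of the original post and is not FreeRADIUS code. The function names, the tuple layout and the handling of a matched '==' value are assumptions of the model.

```python
# Toy model of the two stages described in this thread; not FreeRADIUS source.
# Check items are (attribute, operator, value) tuples; all data is constructed.

def select_entry(entries, request):
    """'files' stage: return (index, config) for the first entry that matches."""
    for index, (user, checks) in enumerate(entries):
        if user != request["User-Name"]:
            continue
        config = {}
        for attr, op, value in checks:
            if op == "==" and request.get(attr) != value:
                break                           # comparison failed: try next entry
            if op == "=":
                config.setdefault(attr, value)  # always matches, sets if unset
            else:
                # ":=" always matches and sets the config item unconditionally.
                # Assumption of this model: a matched "==" value is carried
                # into config too, so the later comparison has a value to use.
                config[attr] = value
        else:
            return index, config                # every check item matched
    return None, {}


def authenticate(entries, request):
    """Select an entry, then compare the request password with the config one."""
    index, config = select_entry(entries, request)
    known = config.get("User-Password")
    same = known is not None and known == request.get("User-Password")
    return index, "accept" if same else "reject"


EQ_ENTRIES = [
    ("plong", [("Auth-Type", "=", "Local"), ("User-Password", "==", "126")]),
    ("plong", [("Auth-Type", "=", "Local"), ("User-Password", "==", "123")]),
]
ASSIGN_ENTRIES = [
    ("plong", [("Auth-Type", "=", "Local"), ("User-Password", ":=", "126")]),
    ("plong", [("Auth-Type", "=", "Local"), ("User-Password", ":=", "123")]),
]
REQUEST = {"User-Name": "plong", "User-Password": "123"}

if __name__ == "__main__":
    print("==", authenticate(EQ_ENTRIES, REQUEST))      # second entry selected
    print(":=", authenticate(ASSIGN_ENTRIES, REQUEST))  # first entry selected
```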