Why doesn't := "Always match?"
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jul 24 18:52:35 CEST 2006
George C. Kaplan wrote:
> Phil Mayers wrote:
>>> I'll try to give an example. Suppose you had two entries, using '=='
>>> for the same user:
>>>
>>> plong Auth-Type = Local, User-Password == "126"
>>>
>>> plong Auth-Type = Local, User-Password == "123"
>>>
>>> Then, if 'plong' supplies the password "123", the 'files' module
>>> (which processes the 'users' file) will select the second entry, then
>>> the authentication module will compare the passwords in the request
>>> and config items, and the user will be accepted.
>>
>> Hmm. So it does. I didn't think the server behaved that way. It does not
>> seem terribly consistent.
>
> OK, now *I'm* confused. What's inconsistent about the above behavior?
>
I was referring to the use of the == versus := operator against
User-Password being inconsistent:
== compares THERE AND THEN the "request" User-Password to the
right-hand-side of the operator. It will only ever work for PAP
requests, not CHAP, MS-CHAP, digest, etc.
:= sets the config/check User-Password to the right hand side of the
operator. The authorize section completes, then authenticate is run, and
the server uses the password in the config items to check the password
in the request items - this will work for all authentication types.
More information about the Freeradius-Users
mailing list