Force Auth-Type
Alan DeKok
aland at deployingradius.com
Thu Jan 24 17:34:45 CET 2008
Markus Moeller wrote:
> That was the only way I could get it to work. If I use update control
> anybody can login, whereas in my setup only a user who exists in ldap gets
> Auth-Type set to LDAP; all other users have an empty value and therefore
> can not authenticate.
The LDAP module setting Auth-Type to LDAP is a bit of a hack. I
understand that you're depending on it, but the behavior may change in
the future. It's changed (slightly) in the past, to fix some issues.
It's better to have the policy *explicitly* state what you want.
> I have changed my setup to use files and a users file together with a
> "private" radius attribute mapped to an ldap entry
That's reasonable. It's a pretty simple fix to permit an empty
ldap.attrmap definition.
> in users I have
> DEFAULT user-location == "LDN", Auth-Type := Reject
> Reply-message = "You are not allowed to login"
> DEFAULT AUTH-Type := PAM
That should mostly work. In 2.0, it's much easier just to put that
directly in a policy in a configuration file.
> Unfortunately that does not work as I never hit the first default
> statement in users despite having a user-location of LDN. What do I do
> wrong here? How can I use an ldap query result to deny/allow access?
if ("%{ldap: stuff... }" == "bar") {
...
}
Alan DeKok.
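The explicit policy Alan recommends, written out as an added example for the FreeRADIUS 2.0 authorize section (this is not code from the original thread or from the FreeRADIUS project). It assumes that the LDAP attribute holding the location is `l`, that ldap.attrmap maps it onto a locally defined check item called User-Location, and that the directory base DN is dc=example,dc=com; all of these are placeholders for the poster's own setup.

```unlang
# sites-enabled/default, authorize section (FreeRADIUS 2.0 unlang)
#
# Assumed supporting configuration (placeholders, not from the thread):
#   dictionary:    ATTRIBUTE  User-Location  3000  string
#   ldap.attrmap:  checkItem  User-Location  l
# The "checkItem" mapping puts the LDAP value into the control list,
# so it can be tested as control:User-Location below.

authorize {
	preprocess

	# Run the LDAP lookup first; its return code tells us whether the
	# user exists, instead of relying on the module setting Auth-Type.
	ldap

	if (notfound) {
		# Not in LDAP: state the fallback explicitly.
		update control {
			Auth-Type := PAM
		}
	}
	elsif (ok || updated) {
		# Found in LDAP. Deny users whose location is LDN, matching the
		# intent of the poster's users-file DEFAULT entry.
		if (control:User-Location == "LDN") {
			update reply {
				Reply-Message := "You are not allowed to login"
			}
			reject
		}
		else {
			update control {
				Auth-Type := LDAP
			}
		}
	}
	else {
		# LDAP server unreachable or other module error: fail closed.
		reject
	}

	# Equivalent test without ldap.attrmap, using the ldap xlat form
	# Alan sketches (LDAP URL: base?attribute?scope?filter):
	#
	# if ("%{ldap:ldap:///dc=example,dc=com?l?sub?(uid=%{User-Name})}" == "LDN") {
	#         reject
	# }
}
```

Setting Auth-Type with `:=` in each branch makes the outcome independent of whatever the LDAP module itself decides to do with Auth-Type in a given release, which is the point Alan makes about not depending on that behaviour; the final `else` branch also avoids silently falling through to PAM when the directory is simply unavailable.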