Force Auth-Type
Markus Moeller
huaraz at moeller.plus.com
Fri Jan 25 21:29:26 CET 2008
"Alan DeKok" <aland at deployingradius.com> wrote in message
news:4798BE25.6050300 at deployingradius.com...
> Markus Moeller wrote:
>> That was the only way I could get it to work. If I use update control
>> anybody can login, whereas in my setup only a user who exists in ldap gets
>> Auth-Type set to LDAP; all other users have an empty value and therefore
>> cannot authenticate.
>
> The LDAP module setting Auth-Type to LDAP is a bit of a hack. I
> understand that you're depending on it, but the behavior may change in
> the future. It's changed (slightly) in the past, to fix some issues.
>
> It's better to have the policy *explicitly* state what you want.
>
>> I have changed my setup to use files and a users file together with a
>> "private" radius attribute mapped to an ldap entry
>
> That's reasonable. It's a pretty simple fix to permit an empty
> ldap.attrmap definition.
>
>> in users I have
>> DEFAULT user-location == "LDN", Auth-Type := Reject
>>         Reply-Message = "You are not allowed to login"
>> DEFAULT Auth-Type := PAM
>
> That should mostly work. In 2.0, it's much easier just to put that
> directly in a policy in a configuration file.
>
>> Unfortunately that does not work as I never hit the first default
>> statement in users despite having a user-location of LDN. What do I do
>> wrong here? How can I use an ldap query result to deny/allow access?
>
> if ("%{ldap: stuff... }" == "bar") {
> ...
> }
>
I didn't know that is possible. Where is this documented? I thought I had read
all the FAQs and documentation.
The other question I have is about the AV pairs used. As far as I
understand freeradius uses request, reply, check_tmp, internal only AV
pairs. Is there a document which module uses which for what purpose?
Is there a process flow diagram somewhere describing how freeradius works?
I understand
1) client -> server sends a request AV pair
2) server processes first authorisation modules and if fails end?
3) server processes authentication modules and if fails end?
4) server -> client sends reply AV pair
What is the use of check(item) AV pairs? Is it to communicate between
modules?
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
Thank you
Markus
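As an added example, not taken from Alan's reply or from the FreeRADIUS project's own configuration, here is what that explicit policy could look like in a FreeRADIUS 2.0 `authorize` section. It assumes the private attribute is named `user-location` in a local dictionary, that `ldap.attrmap` maps it to an LDAP attribute (called `userLocation` here, an assumed name), that the base DN is `dc=example,dc=com` (also assumed), and that `pam` is configured and listed in the `authenticate` section. It shows both ways of reading the LDAP value: the check item rlm_ldap copies into the control list, and the direct LDAP URL query of the form Alan sketched.

```unlang
# sites-enabled/default (FreeRADIUS 2.0) -- added example, not the original post's config.
# Assumed names: private check attribute "user-location" (local dictionary),
# LDAP attribute "userLocation", base DN dc=example,dc=com.
authorize {
    preprocess

    # rlm_ldap looks the user up. With this ldap.attrmap line
    #   checkItem  user-location  userLocation
    # the value from the entry is placed in the control (check item) list.
    # "notfound" means the user has no LDAP entry: reject explicitly here
    # instead of relying on Auth-Type being left empty.
    ldap
    if (notfound) {
        update reply {
            Reply-Message := "Unknown user"
        }
        reject
    }

    # Deny by location using the check item rlm_ldap already fetched.
    # The users file never matched because "user-location" is a check
    # item in the control list, not an attribute in the request list.
    if ("%{control:user-location}" == "LDN") {
        update reply {
            Reply-Message := "You are not allowed to login"
        }
        reject
    }

    # Equivalent direct query (LDAP URL form of the ldap xlat), if you
    # would rather not depend on ldap.attrmap for this attribute:
    # if ("%{ldap:ldap:///dc=example,dc=com?userLocation?sub?(uid=%{User-Name})}" == "LDN") {
    #     reject
    # }

    # Everyone who passed the checks above is authenticated with PAM.
    # Stating this here is the explicit policy Alan recommends.
    update control {
        Auth-Type := PAM
    }
}

authenticate {
    Auth-Type PAM {
        pam
    }
}
```

The `authorize` section runs first and decides the policy (who exists, who is denied, which Auth-Type applies); the `authenticate` section then only verifies the credentials for the Auth-Type that `authorize` selected, and `reject` in `authorize` ends processing before `authenticate` is reached.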