Force Auth-Type

Markus Moeller huaraz at moeller.plus.com
Sat Jan 26 19:47:58 CET 2008


OK I think I understand it now better. And I can do everything with unlang 
and ldap and no files module as I didn't find a way to use control AV pairs 
in the users file.

I do now in sites-enabled/default the following:

authorize {
        auth_log
        ldap
        if (control:User-Location != "LDN") {
                update control {
                        Auth-Type := PAM
                }
                update reply {
                        Reply-Message = " Accepted "
                }
        }
        else {
                update control {
                        Auth-Type := Reject
                }
                update reply {
                        Reply-Message = " Rejected "
                }
        }
}
authenticate {
        pam
}
preacct {
        acct_unique
}
accounting {
        detail
}

with user-location being mapped in ldap.attrmap to an ldap attribute of the 
user.

Does that look OK ?


Thank you
Markus


BTW Are you interested in my Mozilla SDK patch for the ldap module ?

"Alan DeKok" <aland at deployingradius.com> wrote in message 
news:479AF6D3.9070304 at deployingradius.com...
> Markus Moeller wrote:
>
>>>  if ("%{ldap: stuff... }" == "bar") {
>>> ...
>> I didn't know that is possible. Where is this documented ? I thought I
>> read all FAQ and documentations.
>
>  It's not really well documented, because it's not well tested.  If it
> works, great.  If not...
>
>> The other questions I have is about the AV pairs used. As far as I
>> understand freeradius uses request, reply, check_tmp, internal only AV
>> pairs. Is there a document which module uses which for what purpose ?
>
>  doc/aaa.txt
>
>> Is there a process flow diagram somewhere describing how freeradius works 
>> ?
>
>  Nope.
>
>> I understand
>> 1)client -> server sends a request AV pair
>> 2) server processes first authorisation modules and if fails end ?
>> 3) server processes authentication modules and if fails end ?
>> 4) server -> client sends reply AV pair
>>
>> What is the use of check(item) AV  pairs ? Is it to communicate between
>> modules ?
>
>  Among other things.  It's for things associated with the request that
> don't need to go into a packet.
>
>  Alan DeKok.