AW: How to change "++[files] returns noop " into "++[files]returns?reject"

thomas.dohl at 24-7-it-services.de thomas.dohl at 24-7-it-services.de
Tue May 24 10:55:41 CEST 2011


Hi Alexander,

Thanks for your answer. This works nearly perfectly.
My problem now is that:

[files] users: Matched entry DEFAULT at line 11
++[files] returns ok
...
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> u8867
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

The file returns ok [ ++[files] returns ok ], and not reject.
At the end the request will be rejected.
This is what I need. But the process runs through and is not
interrupted.

What I want to do is:
1. FreeRADIUS gets a request
2. FreeRADIUS should look into its user file
2.1. if user found, next step
2.2. if user is not found, interrupt -> reject
3. (user was found) LDAP request
...

So if the user is not in the user file,
the LDAP request should not be made.

What is the best way to do this?

Thanks in advance,
Thomas

> 
> thomas.dohl at 24-7-it-services.de wrote:
> > 
> > in the section "authorize" I include the module "file".
> > (/etc/raddb/users)
> > At the moment I get a noop if a user is not found in the file.
> > How can I change it to return a reject, if a user is not found?
> > 
> > Now: 
> > ++[files] returns noop
> > Destination:
> > ++[files] returns reject
> > 
> Depending on how your 'brain' logic flows, you can prime a default 
> reject and then use matching rules later to turn that to an 
> accept like 
> so:
> ----
> DEFAULT	Auth-Type := Reject
> 	Fall-Through = Yes
> 
> [your existing config here]
> ----
> 
> Alternatively, you can bolt the following to the end:
> ----
> DEFAULT Auth-Type := Reject
> ----
> 
> I prefer to 'deny, allow' (in Apache speak), but you might prefer 
> 'allow, deny'.
> 
> Cheers
> 
> -- 
> Alexander Clouter
> .sigmonster says: Have a taco.
>                   		-- P. S. Beagle
> 
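
One way to get the flow listed in the message above (reject before LDAP is ever queried), shown as an added example that is not part of the original thread. It assumes FreeRADIUS 2.x unlang, where the return code of the previous module can be tested in an "if", and a users file without a catch-all DEFAULT entry; with such an entry, files returns ok for every request, as in the debug output above.

```conf
# Added example, not from the thread. Assumes FreeRADIUS 2.x unlang.
authorize {
	# Step 2: look the user up in /etc/raddb/users.
	files

	# Step 2.2: no entry matched, so files returned noop.
	# Reject here; processing of the authorize section stops
	# and the ldap module below is never called.
	if (noop) {
		reject
	}

	# Step 3: only reached when the users file matched
	# (files returned ok).
	ldap
}
```

Running the server with "radiusd -X" should then show "++[files] returns noop" followed directly by the reject for unknown users, with no ldap lines in between.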



