optimize questions for unlang code

Brian Julin BJulin at clarku.edu
Fri Apr 6 18:16:05 CEST 2012



> Tobias Hachmer wrote:
> Now I'm coming closer to my questions.
> When a local user logs on to a telnet device, freeradius does all the ldap
> membership queries.
> When an AD user logs on to a telnet device, freeradius also does all
> the ldap membership queries.
> 
> Q1: Can I abbreviate this process so that when a local user wants access
> to a telnet device the ldap queries are skipped?
> Q2: Is there a smarter way to reject a local user immediately when he
> wants to log on to a non-telnet device?
> Q3: Is there a smarter way to reject an AD user immediately when he
> wants to log on to a telnet device?

You could use Auth-Type subsections, but with LDAP the control flow
can be a bit confusing (the statements in the block outside those
sections all run, and then the block gets run again from the top once an
Auth-Type is selected, which happens inside of the ldap module.)  Your
best bet for this scenario is to look at the "as of 2.0" instructions in
clients.conf, where you can select a virtual server to enter based on
which clients are requesting, and construct a separate virtual server
for telnet devices.

> Q4: Are there any tweaking capabilities to my unlang code to make it
> smarter or more hardened?
> Q5: Can I abbreviate any code snippets like using a switch/case block
> or use variables or anything I don't know?

When using Ldap-Group as a check item, you have to be careful, because
it is a special case.  You are not really comparing the value after the '=='
to a variable; rather, each time an LDAP group query is launched looking
for the value after the '=='.  This is the way LDAP groups work -- you do
not query a list of groups, you query them one-by-one.  Note that using
Ldap-Group in the "users" file is also inefficient.  I use a nested if statement
to short-circuit, and sort by prevalence, but I do not have quite as many
cases as you.

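As an added illustration of the two points above (routing each client into its own virtual server from clients.conf, and ordering Ldap-Group comparisons so the most likely group is queried first and later ones are skipped), and not configuration taken from either poster or from the FreeRADIUS project: the fragment below assumes FreeRADIUS 2.x syntax and a users file with no DEFAULT entry, so that "files" returns ok only when a locally defined account matched. Client addresses, shared secrets, group names and virtual server names are constructed placeholders.

```unlang
# clients.conf: pick a virtual server per client, so the telnet devices and
# the other devices each get a policy written for them alone.
client telnet-switch-01 {
    ipaddr         = 192.0.2.10          # placeholder address
    secret         = CHANGE_ME_telnet    # placeholder secret
    shortname      = sw01
    virtual_server = telnet-devices
}

client vpn-gateway-01 {
    ipaddr         = 192.0.2.20          # placeholder address
    secret         = CHANGE_ME_vpn       # placeholder secret
    shortname      = vpn01
    virtual_server = ad-devices
}

# sites-enabled/telnet-devices: only telnet devices arrive here, so local
# accounts are authenticated from the users file and no LDAP query is ever
# issued (Q1). Anyone not defined locally, i.e. an AD account, is rejected
# before the ldap module runs at all (Q3).
server telnet-devices {
    authorize {
        preprocess
        files
        if (ok) {
            # Local entry matched: let pap set Auth-Type from the
            # Cleartext-Password the users file supplied.
            pap
        }
        else {
            update reply {
                Reply-Message := "Local accounts only on telnet devices"
            }
            reject
        }
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}

# sites-enabled/ad-devices: everything that is not a telnet device. A
# locally defined user is rejected immediately (Q2); AD users get one LDAP
# lookup, then group checks ordered by prevalence so that the common case
# costs a single group query and the elsif/else branches are never reached.
server ad-devices {
    authorize {
        preprocess
        files
        if (ok) {
            update reply {
                Reply-Message := "Local accounts may not use this device"
            }
            reject
        }
        ldap
        if (notfound) {
            reject
        }
        # Each Ldap-Group comparison is its own directory query, so the
        # most populous group (placeholder names) comes first.
        if (Ldap-Group == "vpn-users") {
            update reply {
                Service-Type := Framed-User
            }
        }
        elsif (Ldap-Group == "network-admins") {
            update reply {
                Service-Type := Administrative-User
            }
        }
        else {
            reject
        }
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type LDAP {
            ldap
        }
    }
}
```

Because the group comparisons are chained with elsif, a user in the first group triggers exactly one group query, and a user in no listed group is rejected after the last one; `radiusd -X` shows each `rlm_ldap` group search as it happens, which is the easiest way to confirm the ordering is paying off.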