authorization based on ldap attribute

Phil Mayers p.mayers at imperial.ac.uk
Thu Sep 20 16:25:28 CEST 2012


On 20/09/12 13:35, Gregg Douglas wrote:

>   With this reject command in the authorize section is there a method to
> supply a custom reply message?

Sure.

if (...) {
   update reply {
     Reply-Message = "whatever you want"
   }
   reject
}

This is pretty basic use. I think people should be able to find this in 
the docs - do you have any suggestions where we should put (more) pointers?

>
> An observation I made with the if statement as above, if the attribute
> is not present on the user object it will evaluate false, thus allowing
> the user access.

Again, sure. You can invert the sense of the check in whatever fashion 
suits you, as the OP did. You can also skip absence of the attribute e.g.

if (reply:Eduroam-Enabled !* ANY) {
   # attr absent, permit
   noop
}
elsif (reply:Eduroam-Enabled == "N") {
   # definitely not permitted
   reject
}


...and so on.


More information about the Freeradius-Users mailing list