wildcard/regex Auth-Type in authenticate section
zmousm at noc.grnet.gr
Fri Jul 25 17:58:14 CEST 2014
On 2014-07-21 15:27, Alan DeKok wrote:
> Zenon Mousmoulas wrote:
>> Apparently rlm_pap and rlm_mschap don't do this. Can you say more
>> specifically what other modules do this?
> Can you say why you care? Does it matter? Or are you just
It mattered because I was trying to understand the difference between
rlm_eap and rlm_ldap in this context. Perhaps the last question was not
in the right direction, but your answer didn't help either :)
So, to answer my own question:
>>> Right. I suppose it makes sense for rlm_eap to set Auth-Type to the
>>> instance name, while other modules don't do that, for example
>>> (in 2.x)?
rlm_ldap sets Auth-Type (not anymore in 3.x) if set_auth_type = yes (the
default). This setting is overridden when a matching Auth-Type is not
found, upon instantiation. It determines the Auth-Type (in order of
preference: instance_name, LDAP) it will use when it is instantiated,
depending on what Auth-Type is declared in the authenticate section.
It is possible that a particular instance is instantiated in a virtual
server that has Auth-Type ldap_inst and then processes a request in a
different virtual server, which has Auth-Type LDAP. In such a case the
module will try to set Auth-Type := ldap_inst and fail.
On the other hand, rlm_eap always sets Auth-Type to the instance name.
Perhaps related is the fact that it gets instantiated when the module is
loaded (as opposed to when it is referenced in an authorize section), so
there are no Auth-Type declarations to look at, even if it wanted to
>> And not really possible anyway, as I can only use unlang within
>> Auth-Type subsections and not directly in the authenticate section.
> This is documented.
I didn't find a specific answer to that question, which is why I asked.
More information about the Freeradius-Users