wildcard/regex Auth-Type in authenticate section

Zenon Mousmoulas zmousm at noc.grnet.gr
Fri Jul 25 17:58:14 CEST 2014

On 2014-07-21 15:27, Alan DeKok wrote:
> Zenon Mousmoulas wrote:
>> Apparently rlm_pap and rlm_mschap don't do this. Can you say more
>> specifically what other modules do this?
>   Can you say why you care?  Does it matter?  Or are you just 
> nit-picking?

It mattered because I was trying to understand the difference between 
rlm_eap and rlm_ldap in this context. Perhaps the last question was not 
in the right direction, but your answer didn't help either :)

So, to answer my own question:

>>> Right. I suppose it makes sense for rlm_eap to set Auth-Type to the
>>> instance name, while other modules don't do that, for example 
>>> rlm_ldap
>>> (in 2.x)?

rlm_ldap sets Auth-Type (not anymore in 3.x) if set_auth_type = yes (the 
default). This setting is overridden when a matching Auth-Type is not 
found, upon instantiation. It determines the Auth-Type (in order of 
preference: instance_name, LDAP) it will use when it is instantiated, 
depending on what Auth-Type is declared in the authenticate section.
It is possible that a particular instance is instantiated in a virtual 
server that has Auth-Type ldap_inst and then processes a request in a 
different virtual server, which has Auth-Type LDAP. In such a case the 
module will try to set Auth-Type := ldap_inst and fail.

On the other hand, rlm_eap always sets Auth-Type to the instance name. 
Perhaps related is the fact that it gets instantiated when the module is 
loaded (as opposed to when it is referenced in an authorize section), so 
there are no Auth-Type declarations to look at, even if it wanted to 
(like rlm_ldap).

>> And not really possible anyway, as I can only use unlang within
>> Auth-Type subsections and not directly in the authenticate section. 
>> Right?
>   This is documented.

I didn't find a specific answer to that question, which is why I asked.


More information about the Freeradius-Users mailing list