group authorization

Alan DeKok aland at
Wed Mar 26 23:51:20 CET 2014

Brendan Kearney wrote:
> your reputation for being *ahem* difficult precedes you, but i think it
> should be amened to include being a hypocrite, too.  how does it feel?
> you have been nothing but obtuse and dodgy yourself.

  I have given you specific recommendations, and ask for specific
information.  I said *explicitly* that I can't give good answers to
vague questions.

  Your response was to (a) give more vague questions, and (b) complain
some more.

  I'll make it easy for you.  Post a TECHNICAL question, and you'll get
a technical answer.  If you keep whining about crap, you will be
unsubscribed and permanently banned from the list.

> well then, the authorize section has been moved out of the users file
> and into the modules/ldap file, AND IS NOT DOCUMENTED FURTHER.

  Well, no.  The "authorize" section can't be moved out of the "users"
file.  If you read raddb/sites-available/default, you'll see that the
"authorize" section is... a section.  It contains things like the
"files" module.  The "files" module in turn contains configuration in
raddb/modules/file... which points to the "users" file.

  See?  Specific.  All of this is documented if you read the
configuration files.

> Moreover, my DN in LDAP is fully qualified:
> uid=brendan,ou=Users,dc=bpk2,dc=com.  How you are determining the wrong
> value and populating a variable with that wrong value is a broken
> process. 

  You can (a) believe that FreeRADIUS is broken and that tens of
thousands of others *cannot* use it with LDAP, or (b) believe that you
misconfigured something.

  Which one is more likely to be true?

>>   User-Name is a standard RADIUS attribute.  Read the specs to see what
>> it is.  Really... we are NOT going to document every one of 8000 RADIUS
>> attributes.  That's ridiculous.
> why not?  how are folks to know what they are?

  Read the RFCs.  That's why they're included in the FreeRADIUS

 i.e. things which are NOT PART OF FREERADIUS are not documented by
FreeRADIUS.  That's not a complex concept.

>  given the berating they
> get from the supposed help answering the mailing list, i doubt anyone
> would every really get answers if they had to find out something in
> particular.

  Whine, whine, whine.  Your focus is complaining, not solving your
problem.  Stop it, or else.

>  oh, and the attributes...  the ones found here:

  Because that page documents the attributes defined in the RFCs.
LDAP-UserDn isn't defined in an RFC.

  And you're welcome to submit updates to the documentation.  But like
all whiners, you don't.

>  disjointed documentation much?  in fact it seems that most
> rlm_* attributes are not there at all.

  Correction: NONE of them are.

>  so, whats the deal with that?
> again, the users file references that, so why isnt it a complete
> reference?

  Because it doesn't document all of the 8000 vendor attributes.  Doing
so would be stupid.  Demanding that WE document OTHER vendors attributes
is stupid.

  The attributes defined by FreeRADIUS are documented where they're
used.  It's not perfect, but most people can figure it out.

>>   If you had read the documentation, you'd understand that the above
>> text makes zero sense.
> and thanks to the effort i have spent pulling your teeth, and rubbing
> your ego, i now have some place to turn for research.  thanks.  this
> could have been accomplished without you being a fuckchop 3 DAYS AGO.

  I can ban you now, you know...

> i have read docs, comments, wiki pages, mailing lists, etc and have some
> points that i know i can get to/through.  but, in no way, shape or form
> can i call myself competent because no fundamental teachings exist on
> where to start, what to do and how to get to a specific configuration
> and successful implementation.  at best a hodge-podge of hacked together
> directives are documented, isolated and atomically independent of any
> larger effort to be undertaken.

  Nonsense.  Every configuration file, and everything in every
configuration file is exhaustively documented.

  You're complaining that you've bought a car, and it doesn't include
directions for getting to grandma's house.  That's not a productive

> i have been around the block.  i support several technologies for a
> fortune 25 company.

  How very wonderful for you.

>  our golden rule is the "grandma" test.  can the
> docs i put together for a process/effort/change be given to my
> grandmother and the work be done by her?  take a starting point, perform
> deliberate steps (which include breakdowns of the commands with examples
> or the actual command to be run), achieve the desired result, and
> include a process to validate what is expected to be in place.

  Exactly.  FreeRADIUS does NOT include documentation for how to get
your configuration working on your system.  RADIUS is too damned
complicated for that to be possible.

  I'm glad you understand that.

>>   If you have *specific* and TECHNICAL questions, we can answer them.
>> All it requires is for you to ask GOOD questions, with CONTENT.
>>   It's up to you.  Choose to ask useful questions, and you will get
>> useful answers.

  Exactly... your message is nothing more than whining.  You've shown
you don't want to solve the problem.  You just want to complain about
how a product which you got for FREE sucks terribly.  You've also made
it clear (like every other complainer) that you have no interest in
contributing anything to make it better.

  I'll make it easy for you.  Post a TECHNICAL question, and you'll get
a technical answer.  If you keep whining about crap, you will be
unsubscribed and permanently banned from the list.

  Alan DeKok.

More information about the Freeradius-Users mailing list