force exit on instantiated ldap module

Ramon Escriba escriba at cells.es
Fri Nov 4 14:20:30 CET 2016


Hi Alan,

>>> The config you posted should work.  If the information is found in ldap server 1, it returns, and doesn't check ldap server 2.
>> It worked fine in old v 1.1, but not in v3.0.
>> Now, with v3.0.10, all ldap subtrees are checked anyway.

>  Well... read the debug log.
>  Change the configuration to return on "updated", instead of "ok".
> Alan DeKok.

Now the first match enters, but fails due to the lack of "Auth-Type", because we do not reach 'files'.

"(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"

If I move 'files', containing "DEFAULT Auth-Type := Accept (..)", to the top it does the trick, but it is not very elegant.

Where do I force the "Accept" in a more professional way without relying on 'files'?


/etc/raddb/sites-available/default
(...)
authorize {
(..)
       # Moving "files" here does the trick.....   --> "DEFAULT Auth-Type := Accept ..."  but is not very elegant.
       files

        VLAN1 {
               #ok = return
               updated = return
        }

        VLAN2 {
               # ok = return
               updated = return
        }
(...)
	##files old files location.
(...)
}

#radius -X
(..)
(0)     [VLAN1] = notfound
rlm_ldap (VLAN2): Reserved connection (0)
(0) VLAN2: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) VLAN2:    --> (uid=010101010101)
(0) VLAN2: Performing search in "ou=VLAN2,ou=VLANS,dc=acme,dc=com" with filter "(uid=010101010101)", scope "sub"
(0) VLAN2: Waiting for search result...
(0) VLAN2: User object found at DN "uid=010101010101,ou=VLAN2,ou=VLANS,dc=acme,dc=com"
(0) VLAN2: Processing user attributes
(0) VLAN2: control:Password-With-Header += '010101010101'
(0) VLAN2: reply:Tunnel-Private-Group-ID := '3002'
(0) VLAN2: reply::Extreme-CLI-Authorization := Disabled
(0) VLAN2: reply::Extreme-Netlogin-Only := Enabled
(0) VLAN2: reply::Extreme-Netlogin-Vlan := 'VLAN2'
(0) VLAN2: reply:Termination-Action := RADIUS-Request
(0) VLAN2: reply:Session-Timeout := 7200
rlm_ldap (VLAN2): Released connection (0)
rlm_ldap (VLAN2): Need 5 more connections to reach 10 spares
rlm_ldap (VLAN2): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (VLAN2): Connecting to ldap://127.0.0.1:389
rlm_ldap (VLAN2): Waiting for bind result...
rlm_ldap (VLAN2): Bind successful
(0)     [VLAN2] = updated
(0)   } # authorize = updated
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject   <<<<<<-----
(0) Failed to authenticate the user
(0) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [010101010101] (from client localhost port 0)
(...)

Regards.
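As an added illustration (not part of the original post or of Alan's reply), one way to arrange the authorize section so that the second subtree is only searched when the first has no match, and Auth-Type is set without going through 'files'. It assumes the two rlm_ldap instance names VLAN1 and VLAN2 and the reply attribute Tunnel-Private-Group-ID seen in the debug output, and, for the pap path, that the NAS sends the uid as User-Password.

```unlang
authorize {
        preprocess

        # Added example, not from the original post. Module names,
        # attribute names and the NAS behaviour are assumptions.
        VLAN1

        # Only consult the second subtree when the first one had no
        # match. "notfound" tests the return code of the module just
        # run, so the first hit wins without leaving the section and
        # the modules below still execute.
        if (notfound) {
                VLAN2
        }

        # Option A: what the post asks for. Force an Accept whenever an
        # entry was found (assumed: every entry sets this reply attribute,
        # as the debug output shows). No credential is verified at all:
        # any uid that exists in either subtree is let in, so this is
        # only appropriate where presence in LDAP is itself the policy.
        if (&reply:Tunnel-Private-Group-ID) {
                update control {
                        Auth-Type := Accept
                }
        }

        # Option B (preferred): remove the block above and let pap set
        # Auth-Type := PAP. rlm_ldap already exported the entry's password
        # as control:Password-With-Header, so the value the NAS sends as
        # User-Password is actually checked in "authenticate { pap }".
        # With Option A present, pap sees Auth-Type already set and is a
        # no-op, so keep only one of the two.
        pap
}
```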

