configure freeradius to send no response if LDAP database fails

Alan DeKok aland at deployingradius.com
Wed May 2 20:28:00 CEST 2018


On May 2, 2018, at 2:21 PM, Dave Macias <davama at gmail.com> wrote:
> I was trying to test this out. Thought it was a nice idea. Unfortunately I
> still see a response from the radius server with the dead ldap.

  The debug log shows why.  You are running TONS of policies in the "post-auth" section, one of which is an explicit "reject".  See line 949.

  The solution is to skip all that.  If the control list has &Response-Packet-Type := Do-Not-Respond, then *stop doing anything else*.  Just skip the entire post-auth section:

post-auth {
	# Check this first: any later "reject" in post-auth would override
	# the decision not to respond.
	if (control:Response-Packet-Type == Do-Not-Respond) {
		return
	}

	... everything else...
}

> I'm assuming my issue is with my post-auth section, since if no conditions
> are met then send reject by default. ( line 978 on alive ldap ) ( line 917
> on dead ldap ). Is this correct?

  Yes.

  If you don't want the server to respond, then you need to tell it to not respond.  And don't tell it "oh never mind, send a REJECT!"

  Alan DeKok.
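As an added illustration that is not part of the thread above, the following unlang fragment shows the early-return guard together with one way the control attribute can be set when the ldap module fails. The ldap, authorize and post-auth names come from FreeRADIUS itself; everything marked "..." and the choice to set Do-Not-Respond in authorize are assumptions about the reader's own configuration, not something the reply prescribes.

```unlang
# Added example, not configuration from the mailing-list thread.

authorize {
	# ... preprocess, suffix and other policies ...

	# Query LDAP.  "fail" means the module itself could not complete
	# (for example, the directory is unreachable), as opposed to
	# "notfound", which means the user simply does not exist.
	ldap
	if (fail) {
		update control {
			&Response-Packet-Type := Do-Not-Respond
		}
		# Nothing later in this section can succeed without the
		# user's LDAP data, so stop here.  (Assumed placement.)
		return
	}

	# ... remaining authorize policies ...
}

post-auth {
	# Check this FIRST.  A "reject" further down would override the
	# decision not to respond, which is what the debug log showed.
	if (&control:Response-Packet-Type == Do-Not-Respond) {
		return
	}

	# ... everything else: per-site policies, logging, etc. ...

	Post-Auth-Type REJECT {
		# A failed or rejected authorize lands in this sub-section
		# rather than in the main post-auth body, so it needs the
		# same guard before any reject handling runs.
		if (&control:Response-Packet-Type == Do-Not-Respond) {
			return
		}
		# ... normal reject handling (attr_filter, delay, etc.) ...
	}
}
```

When testing, run the server in debug mode and confirm that the request exits post-auth at the guard and that no Access-Reject is logged for the dead-LDAP case; if a reject still appears, some policy after the guard is setting the reply, or the control attribute is never being set in the first place.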
