configure freeradius to send no response if LDAP database fails
Dave Macias
davama at gmail.com
Wed May 2 20:35:42 CEST 2018
Thank you very much Alan!
That was it
I thought I needed to do something like that but I couldn't figure out how
exactly.
Looking at it, makes total sense.
Thank you again!
On Wed, May 2, 2018 at 2:28 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> On May 2, 2018, at 2:21 PM, Dave Macias <davama at gmail.com> wrote:
> > I was trying to test this out. Thought it was a nice idea. Unfortunately I
> > still see a response from the radius server with the dead ldap.
>
> The debug log shows why. You are running TONS of policies in the
> "post-auth" section, one of which is an explicit "reject". See line 949.
>
> The solution is to skip all that. If the control list has
> &Response-Packet-Type := Do-Not-Respond, then *stop doing anything else*.
> Just skip the entire post-auth section:
>
> post-auth {
>     if (control:Response-Packet-Type == Do-Not-Respond) {
>         return
>     }
>
>     ... everything else...
> }
>
> > I'm assuming my issue is with my post-auth section, since if no conditions
> > are met then send reject by default. ( line 978 on alive ldap ) ( line 917
> > on dead ldap ). Is this correct?
>
> Yes.
>
> If you don't want the server to respond, then you need to tell it to not
> respond. And don't tell it "oh never mind, send a REJECT!"
>
> Alan DeKok.
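
An added example, not part of the original thread: a small Python probe for confirming from the client side that the server really stays silent once the post-auth guard is in place, instead of answering with an Access-Reject. The host, port, shared secret and user below are constructed placeholders, and the script assumes the machine it runs on is a configured client of the server.

```python
import hashlib, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, ident=1, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((1, user), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def reply_code(reply, request, secret):
    """Name of a genuine reply's code; None if it does not match the request."""
    if len(reply) < 20 or reply[1] != request[1]:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[4:20] != expected:
        return None  # wrong shared secret, or a forged/stray datagram
    return CODES.get(reply[0], "code %d" % reply[0])

def probe(host, port, request, secret, timeout=3.0):
    """Send one request; return the reply's code name, or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:
                code = reply_code(sock.recvfrom(4096)[0], request, secret)
                if code:
                    return code
        except socket.timeout:
            return None

if __name__ == "__main__":
    # Constructed values: localhost, "testing123" and user "bob" are placeholders.
    secret = b"testing123"
    req = build_access_request(b"bob", b"hello", secret)
    print(probe("127.0.0.1", 1812, req, secret) or "no response (Do-Not-Respond took effect)")
```

Run it once with LDAP up and once with LDAP down: silence on its own can also mean the server does not know this client or the secret is wrong, so only the change from a reply to no reply shows the guard working.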