Freeradius 3. How to stop processing when ldap got the successful match.


Ramon Escriba
Hi,

in my old working freeradius 2.1, in /etc/raddb/sites-available/default,
in the authorize section, I have an ldap declaration to allow a successful
match to stop any extra authorization processing.

So it only uses the actual attributes obtained from ldap to answer the query,
discarding the addition of other/default new ones stored in users files.

"files" is after "ldap" in this case.

     VLANxxx {
         ok = return
     }

On freeradius 3.0.17 this seems not to be working anymore, so it finally adds
the default "users" file attributes. "files" is the last catch-all here too.

How can I tell freeradius 3 to stop processing, and take the values already
returned by ldap as the good ones?

Regards.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius 3. How to stop processing when ldap got the successful match.

Alan DeKok-2
On Aug 24, 2020, at 5:44 AM, Ramon Escribà Lemiña <[hidden email]> wrote:

> in my old working freeradius 2.1, in /etc/raddb/sites-available/default, in the authorize section, I have an ldap declaration to allow a successful match to stop any extra authorization processing.
>
> So it only uses the actual attributes obtained from ldap to answer the query, discarding the addition of other/default new ones stored in users files.
>
> "files" is after "ldap" in this case.
>
>     VLANxxx {
>         ok = return
>     }
>
> On freeradius 3.0.17 this seems not to be working anymore, so it finally adds the default "users" file attributes. "files" is the last catch-all here too.

  That should work.  It works here in the latest code, and we have automated tests for it in src/tests/keywords/ok-return.  And that test hasn't changed since at least 3.0.17.

> How can I tell freeradius 3 to stop processing, and take the values already returned by ldap as the good ones?

  Show the full debug log.  Maybe something else is happening.

  Alan DeKok.
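
Added example, not from either poster: a small Python check to run over the full debug log (`radiusd -X` output) requested above, reporting the return code the ldap instance logged in `authorize` and which modules still ran after it. The log excerpt is constructed and assumes the 3.0 debug line format `(N)     [module] = rcode`; a per-code action such as `ok = return` only applies when the module returns that exact code.

```python
import re

# Constructed radiusd -X excerpt (not from the thread). "VLANxxx" is the
# ldap instance name used in the post; request 1 shows a non-"ok" return.
SAMPLE_LOG = """\
(0)   authorize {
(0)     [preprocess] = ok
(0)     [VLANxxx] = ok
(0)   } # authorize = ok
(1)   authorize {
(1)     [preprocess] = ok
(1)     [VLANxxx] = updated
(1)     [files] = ok
(1)   } # authorize = updated
"""

OPEN = re.compile(r"^\((\d+)\)\s+authorize \{")
CLOSE = re.compile(r"^\((\d+)\)\s+\} # authorize = ")
RCODE = re.compile(r"^\((\d+)\)\s+\[([\w.-]+)\] = (\w+)")

def authorize_rcodes(log):
    """Map request id -> [(module, rcode), ...] logged inside authorize {}."""
    result, inside = {}, set()
    for line in log.splitlines():
        if m := OPEN.match(line):
            inside.add(m.group(1))
            result.setdefault(m.group(1), [])
        elif m := CLOSE.match(line):
            inside.discard(m.group(1))
        elif (m := RCODE.match(line)) and m.group(1) in inside:
            result[m.group(1)].append((m.group(2), m.group(3)))
    return result

def ran_after(log, instance):
    """Per request: (rcode of `instance`, modules that ran after it)."""
    report = {}
    for req, calls in authorize_rcodes(log).items():
        names = [name for name, _ in calls]
        if instance in names:
            idx = names.index(instance)
            report[req] = (calls[idx][1], names[idx + 1:])
    return report

if __name__ == "__main__":
    for req, (rcode, later) in ran_after(SAMPLE_LOG, "VLANxxx").items():
        verdict = "returned early" if not later else f"continued into {later}"
        print(f"request {req}: VLANxxx = {rcode}, {verdict}")
```

If `files` is listed after the ldap instance, compare the logged return code with the code named in the `{ ... = return }` block.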

