
List:       freeradius-users
Subject:    RE: ldap huntgroups and groups
From:       "alan walters" <alan () aillweecave ! ie>
Date:       2005-05-31 10:04:16
Message-ID: 4E5C0F1FE4FBC44092AEB9F268A802F30A6ACD () backbone ! aillweecave ! local

Continuing with huntgroups and groups. I followed the most recent
instructions below.
The client uses the default group below.
I see the reply message come through in the request.
But the request gets access accept instead of access reject?????



> ########################################################################
> ###  default ldap group does not succeed
> ########################################################################
>
> DEFAULT   Auth-Type := Reject
>		Reply-Message = "sorry you are not allowed to dial in here"
>

The reply message should go on the second line on this one.  Reply message
is not a check item.  Also, technically, you don't need Simultaneous User,
since they are being rejected, this session will never be added.

Your user was found in a group, however, it should have been rejected
since you have fall-through = 1 (yes).  It should have fallen through to
the default reject line.  Note:  This is probably not what you want,
because all users will be rejected when you fix the Reject line.  I would
change Fall-Through = no (0), to all your Ldap-Group entries above it.

Move the Reply-Message to the second line.

DEFAULT		Auth-Type := Reject
		Reply-Message = "You cannot dial in here"
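
The fall-through behaviour discussed in this message, as an added example that is not part of the original post and is not FreeRADIUS code: a simplified Python model of how a users file is walked. It assumes entries are tried top to bottom and that the password check would otherwise succeed; the group names (`dialin-staff`, `dialin-guests`, `accounting`) are constructed sample values.

```python
# Added illustration: a simplified model of a FreeRADIUS "users" file walk.
# Assumptions: entries are tried top to bottom; a matching entry ends the walk
# unless it carries Fall-Through = Yes; the user's password check would
# otherwise succeed. Group names and messages are constructed sample values.

def evaluate(entries, user_groups):
    """Return (decision, reply_message) for a user in the given LDAP groups."""
    auth_type, reply = None, {}
    for entry in entries:
        group = entry.get("ldap_group")       # None models a bare DEFAULT line
        if group is not None and group not in user_groups:
            continue                          # check items did not match
        if "auth_type" in entry:              # models Auth-Type := Reject
            auth_type = entry["auth_type"]
        for name, value in entry.get("reply", {}).items():
            reply.setdefault(name, value)     # "=" adds only if not already set
        if not entry.get("fall_through", False):
            break                             # Fall-Through = No: stop here
    decision = "Access-Reject" if auth_type == "Reject" else "Access-Accept"
    return decision, reply.get("Reply-Message")


def build_entries(fall_through):
    """Two Ldap-Group entries followed by the catch-all reject entry."""
    return [
        {"ldap_group": "dialin-staff", "fall_through": fall_through},
        {"ldap_group": "dialin-guests", "fall_through": fall_through},
        {"auth_type": "Reject",
         "reply": {"Reply-Message": "You cannot dial in here"}},
    ]


def demo():
    """Evaluate a group member and a non-member under both settings."""
    results = {}
    for label, ft in (("Fall-Through = Yes", True), ("Fall-Through = No", False)):
        entries = build_entries(ft)
        results[label] = {
            "member": evaluate(entries, {"dialin-staff"}),
            "non-member": evaluate(entries, {"accounting"}),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With Fall-Through = Yes on the group entries every user reaches the reject entry; with Fall-Through = No only users outside the listed groups do.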




