Mike Sturdee <[EMAIL PROTECTED]> wrote:
> users that dial into a number ending in 195 get the correct Auth-Type &
> Autz-Type, as do other calls that need to auth off of LDAP1. Problem is,
> when I have the LDAP2 instances in authorize {} authenticate {}, users
> authing off of LDAP1 do not get the correct group attributes per the group
> lookup in module instance ldap1. When radiusd is in debug mode, it shows
> the LDAP1 users going through both the ldap1 and ldap2 module instances.

Yes. The "authorize" section processes the modules from top to bottom, even if Autz-Type was set previously.
The issue is that the "authorize" section *started* by processing modules from top to bottom, and the Autz-Type was added later. So it may not entirely do the right thing at times...
I'm open to suggestions for what to do with the "authorize" section and Autz-Type. I don't want to break older configurations, so that's a bit of a constraint.
Have an 'old_style_authorize' config directive that defaults to yes.
Allow it to be set to 'no' to achieve 'authenticate' style processing based on 'autz-type'.
The problem is that Authenticate works, because we set Auth-Type prior to entering that block. We don't have anything to set Autz-Type prior to running the Authorize block. :\
Is the functionality required above something that could be accomplished with the 'configurable failover' behaviour of modifying processing of modules based on return value of previous module call?
-Chris
--
Chris Parker, Director, Engineering
StarNet Inc. - WX *is* Wireless!
http://www.starnetwx.net
(847) 963-0116
Wholesale Internet Services - http://www.megapop.net
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
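The two processing styles discussed in this thread, as an added Python model that is not FreeRADIUS code and not from any poster: top-to-bottom "authorize" versus dispatch on Autz-Type after the untagged modules have set it. Assumptions: the `old_style_authorize` parameter is named after the directive proposed above (a proposal, not an existing option), numbers ending in 195 map to LDAP2, and the module bodies, the `Group` attribute and the dial-in numbers are constructed.

```python
# Simplified model of the two "authorize" processing styles discussed in this thread.
# Not FreeRADIUS source; module behaviour and attribute values are constructed.

def preprocess(req):
    # Assumption: numbers ending in 195 map to LDAP2, everything else to LDAP1.
    req["Autz-Type"] = "LDAP2" if req["Called-Station-Id"].endswith("195") else "LDAP1"

def ldap1(req):
    req["Group"] = "ldap1-group"   # constructed group attribute

def ldap2(req):
    req["Group"] = "ldap2-group"   # constructed group attribute

# (Autz-Type tag or None, module). Untagged modules always run.
AUTHORIZE = [(None, preprocess), ("LDAP1", ldap1), ("LDAP2", ldap2)]

def authorize(called_station_id, old_style_authorize=True):
    """Return (names of modules run, in order; final request attributes)."""
    req = {"Called-Station-Id": called_station_id}
    trace = []
    if old_style_authorize:
        # Top to bottom: Autz-Type is set along the way but never consulted.
        for _tag, module in AUTHORIZE:
            module(req)
            trace.append(module.__name__)
        return trace, req
    # Pass 1: untagged modules run first so Autz-Type exists before dispatch.
    for tag, module in AUTHORIZE:
        if tag is None:
            module(req)
            trace.append(module.__name__)
    # Pass 2: only the instance whose tag matches Autz-Type runs.
    for tag, module in AUTHORIZE:
        if tag is not None and tag == req.get("Autz-Type"):
            module(req)
            trace.append(module.__name__)
    return trace, req

if __name__ == "__main__":
    for number in ("5551000", "5550195"):  # constructed dial-in numbers
        for old in (True, False):
            print(number, "old_style" if old else "autz_dispatch", *authorize(number, old))
```

In the model an LDAP1 caller passes through both instances under the old style, matching the debug output described in the quoted report; that `ldap2` then overwrites `Group` is a modelling choice, not a diagnosis of the reported symptom.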

