On Fri, 12 Mar 2004, Pierluigi Frullani wrote:
> Hi all.
> Reading through the C code of rlm_ldap I've noticed that the behavior of
> this module, when it gets a nosuchobject or an ambiguous reply, is to not
> reject the request but pass it over to some other module, either in
> authorize or in authenticate.
> This could be OK when you have a distributed LDAP with different databases,
> but could result in some false positives when using a replicated net of
> LDAP servers that have the same information.
> Since I do have this latter configuration, I've tried to figure out how I
> could get a reject if the module fails with these two options, and I made
> a patch to rlm_ldap.c to have a configuration option for achieving this
> behavior.
> So, my patch adds the "not_found_should_reject" (boolean type yes/no)
> keyword in the ldap section of radiusd.conf, with a default value of no, so
> the normal behavior is kept, and if set to yes, it will make the module
> return a reject when it fails as described.
>
> Could this patch be included in CVS, and so in the next distribution?
I'd prefer a more general approach. As previously described by Alan,
configurable failover could be extended so that something like this can be
possible:

authorize {
        eap
        chap
        files
        ldap {
                notfound = reject
        }
}
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
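The two proposals in this thread differ in where the "not found becomes reject" decision is taken: Pierluigi's patch makes rlm_ldap itself return reject, while Kostas's sketch leaves the module alone and lets the authorize section rewrite ldap's notfound into a reject. The toy model below, added here as an illustration and not code from FreeRADIUS or from either poster, runs an authorize section with both approaches side by side. The priority table, the `ldap_lookup` stand-in, the constructed replica directory and the function names are all assumptions made for the example; the point it shows is that with the stock behaviour an unknown user in a replicated directory merely falls through the section, whereas either mechanism turns that into a hard reject without touching the other modules.

```python
"""Toy model of FreeRADIUS-style return-code handling in an ``authorize``
section.  Constructed illustration for this thread, not FreeRADIUS code.

Two ways of turning an LDAP "user not found" into a reject are modelled:
the per-module flag from the patch (the module itself returns reject) and
the per-module action override sketched in the reply
(``ldap { notfound = reject }`` rewrites the code before the section
decides what to do with it).
"""
from enum import Enum
from typing import Dict, List, Optional, Tuple, Union


class RCode(Enum):
    REJECT = "reject"
    FAIL = "fail"
    OK = "ok"
    HANDLED = "handled"
    INVALID = "invalid"
    USERLOCK = "userlock"
    NOTFOUND = "notfound"
    NOOP = "noop"
    UPDATED = "updated"


# Default action per return code.  "return" stops the section with that code;
# an integer is a priority: processing continues and the section's result is
# the highest-priority code seen so far.  These values are an assumed,
# simplified failover table, not copied from a real radiusd.conf.
Action = Union[str, int, RCode]
DEFAULT_ACTIONS: Dict[RCode, Action] = {
    RCode.REJECT: "return",
    RCode.FAIL: "return",
    RCode.HANDLED: "return",
    RCode.INVALID: "return",
    RCode.USERLOCK: "return",
    RCode.NOTFOUND: 1,
    RCode.NOOP: 2,
    RCode.OK: 3,
    RCode.UPDATED: 4,
}


def ldap_lookup(directory: Dict[str, str], user: str,
                not_found_should_reject: bool = False) -> RCode:
    """Stand-in for rlm_ldap's authorize step (assumed behaviour).  ``directory``
    is a constructed map of usernames to passwords; the flag mirrors the
    patch's config option."""
    if user in directory:
        return RCode.OK          # attributes were fetched for the user
    return RCode.REJECT if not_found_should_reject else RCode.NOTFOUND


def run_section(modules: List[Tuple[str, RCode]],
                overrides: Optional[Dict[str, Dict[RCode, Action]]] = None) -> RCode:
    """Evaluate an authorize section.  ``modules`` lists (name, code returned);
    ``overrides`` maps a module name to its own code -> action table, the way
    ``ldap { notfound = reject }`` would."""
    overrides = overrides or {}
    result, best = RCode.NOOP, -1
    for name, code in modules:
        action = overrides.get(name, {}).get(code, DEFAULT_ACTIONS[code])
        if isinstance(action, RCode):           # rewrite, e.g. notfound -> reject
            code, action = action, DEFAULT_ACTIONS[action]
        if action == "return":
            return code
        if action > best:
            result, best = code, action
    return result


# Constructed replicated directory: every replica holds the same users, so a
# "not found" from LDAP is authoritative and should not fall through.
REPLICA = {"alice": "s3cret"}


def default_behaviour(user: str) -> RCode:
    """Unpatched module, no override: an unknown user just falls through."""
    return run_section([("eap", RCode.NOOP), ("chap", RCode.NOOP),
                        ("files", RCode.NOTFOUND), ("ldap", ldap_lookup(REPLICA, user))])


def patched_module(user: str) -> RCode:
    """Patch approach: the module itself returns reject on not-found."""
    return run_section([("eap", RCode.NOOP), ("chap", RCode.NOOP),
                        ("files", RCode.NOTFOUND),
                        ("ldap", ldap_lookup(REPLICA, user, not_found_should_reject=True))])


def failover_override(user: str) -> RCode:
    """Failover approach: module unchanged, section-level override for ldap only."""
    return run_section([("eap", RCode.NOOP), ("chap", RCode.NOOP),
                        ("files", RCode.NOTFOUND), ("ldap", ldap_lookup(REPLICA, user))],
                       overrides={"ldap": {RCode.NOTFOUND: RCode.REJECT}})


if __name__ == "__main__":
    for fn in (default_behaviour, patched_module, failover_override):
        print(f"{fn.__name__:18s} alice -> {fn('alice').value:8s} "
              f"mallory -> {fn('mallory').value}")
```

Note that the override only applies to the ldap instance: `files` still returns notfound and is still skipped over, which is exactly the per-module selectivity the section-level syntax buys over a global flag.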