On Jul 21, 2006, at 6:31 PM, Paul Long wrote:

> Phil Mayers wrote:
>> Paul Long wrote:
>>> A man page (http://www.die.net/doc/linux/man/man5/users.5.html) for the users file says, "Attribute := Value ... Always matches as a check item..." So does that mean, no matter what the value is, it will always
>>
>> Well, the wording might be a bit confusing.
>>
>> FreeRadius works the following way:
>>
>>  1. All attribute-value pairs that come in are the "request" pairs
>>  2. Internal per-request server attributes are the "config" pairs
>>  3. Attribute-value pairs to go back to the client are the "reply" pairs
>>
>> someuser User-Password := "somevalue"
>>
>> ...actually sets (unconditionally) the User-Password AVP in the "config" items. This password is *COMPARED* to the password supplied by the client in the "request" items.
>
> Okay, so then what is meant in the man page by "Always matches a check item?" Should it have said, "Always checks a check item?" :-) As is, it sounds like it always returns true.

The way I think of it is that the "match" criterion only applies to which clause of the users file gets selected. Subsequent processing of the request may still cause the request to be rejected.

>>> match the attribute? I don't see that happening. As an experiment, I have a supplicant in a WiFi phone with user name of "plong" and password of "123". With the following entry in the users file:
>>>
>>>    plong    Auth-Type = Local, User-Password := "126"
>>>
>>> ...I assumed it would match even though the value is different; however,

I'll try to give an example. Suppose you had two entries, using '==' for the same user:

plong   Auth-Type = Local, User-Password == "126"

plong   Auth-Type = Local, User-Password == "123"

Then, if 'plong' supplies the password "123", the 'files' module (which processes the 'users' file) will select the second entry, then the authentication module will compare the passwords in the request and config items, and the user will be accepted.

But if you use ':='

plong   Auth-Type = Local, User-Password := "126"

plong   Auth-Type = Local, User-Password := "123"

the 'files' module will select the first entry ("always match"), then the authentication module will compare the supplied password "123" with the configured password "126" and the user will be rejected.

I hope I got that right; Phil can correct me if not.

--
George C. Kaplan                            [EMAIL PROTECTED]
Communication & Network Services            510-643-0496
University of California at Berkeley
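The two cases George walks through (entry selection by the 'files' module, then a separate password comparison) can be traced in a small model. The following is an added example, not FreeRADIUS source: a toy Python simulation with simplified users-file syntax, constructed inputs, and made-up function names (parse_users, select_entry, authenticate); it only models the '==', ':=' and '=' operators and Auth-Type Local as described in the thread.

```python
import re

# Constructed users-file snippets, taken from the two cases in the thread
# (quoting and whitespace simplified; real users files allow more syntax).
USERS_WITH_EQ = '''
plong   Auth-Type = Local, User-Password == "126"
plong   Auth-Type = Local, User-Password == "123"
'''

USERS_WITH_SET = '''
plong   Auth-Type = Local, User-Password := "126"
plong   Auth-Type = Local, User-Password := "123"
'''

# Constructed request: what the WiFi phone in the thread would send.
REQUEST = {'User-Name': 'plong', 'User-Password': '123'}

# Matches one "Attribute OP value" pair; only the three operators used in the
# thread are modelled.
PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*"?([^",]*)"?')


def parse_users(text):
    """Parse 'user  Attr OP value, ...' lines into (user, [(attr, op, value), ...])."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        user, rest = parts[0], parts[1] if len(parts) > 1 else ''
        entries.append((user, PAIR_RE.findall(rest)))
    return entries


def select_entry(entries, request):
    """Toy model of the 'files' module: entries are tried in file order and the
    first whose check items all match is selected.
      '=='  matches only if the request carries exactly that value
      ':='  always matches and unconditionally sets the config item
      '='   always matches and sets the config item unless already set
    Returns (index of selected entry, config items) or (None, {})."""
    for index, (user, pairs) in enumerate(entries):
        if user != request.get('User-Name'):
            continue
        config, matched = {}, True
        for attr, op, value in pairs:
            if op == '==':
                if request.get(attr) != value:
                    matched = False
                    break
                # Model simplification: keep the compared value as the known-good
                # password so the later authentication step is uniform.
                config[attr] = value
            elif op == ':=':
                config[attr] = value
            else:  # '='
                config.setdefault(attr, value)
        if matched:
            return index, config
    return None, {}


def authenticate(users_text, request):
    """Toy model of the later authentication step: with Auth-Type = Local the
    request's User-Password is compared against the config-item password.
    Returns (selected entry index or None, 'accept' | 'reject')."""
    index, config = select_entry(parse_users(users_text), request)
    if index is None:
        return None, 'reject'            # no entry matched at all
    if config.get('Auth-Type') != 'Local':
        return index, 'reject'           # other Auth-Types are not modelled
    ok = config.get('User-Password') == request.get('User-Password')
    return index, 'accept' if ok else 'reject'


if __name__ == '__main__':
    # '==' case: second entry is selected, passwords agree -> accept
    print('==', authenticate(USERS_WITH_EQ, REQUEST))
    # ':=' case: first entry "always matches", 123 != 126 -> reject
    print(':=', authenticate(USERS_WITH_SET, REQUEST))
```

Running it reproduces the thread's point: with '==' the password is part of the selection criterion, so the second entry wins and the user is accepted; with ':=' the first entry is selected regardless of the supplied password, the configured "126" becomes the known-good password, and the comparison against "123" rejects the user.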



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
