On 2 Jul 2013, at 07:41, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
>
> On 2 Jul 2013, at 07:18, Phil Mayers <p.may...@imperial.ac.uk> wrote:
>
>> On 07/02/2013 02:30 AM, Matt Zagrabelny wrote:
>>
>>> If a user is not in the secret group, then their login should fail if
>>> the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.
>>
>> This is pretty easy:
>>
>> authorize {
>> ...
>> if (Vendor-3076-Attr-146 == 0x554d44) {
>> if (SQL-Group == secret) {
>> noop
>> }
>> else {
>> reject
>> }
>> }
>> ...
>> }
>
> Actually no. Undefined attributes should not be modified or evaluated. You'll
> need to find the proper definition for the attribute and add a new dictionary
> entry.
This may work for 2.x.x but definitely wont't work for 3.0 which uses direct
DICT_ATTR pointer comparisons in some places (instead of comparing
vendor/attribute number).
Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS Development Team
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
