Hello Steve -
On Fri, 07 Jul 2000, Felicetti, Stephen A. wrote:
>
> Running Radiator 2.15 under Sun OS 5.6 against Netscape LDAP 3.11, Cisco
> AS5300 as the access server.
>
> I'm using the AuthAttrDef function to limit those that can have access to
> our system after connecting to the AS.
> As long as the altmail5 attribute exists in the user's entry, I can permit
> or deny access by assigning the appropriate value (being equal to
> NAS-Port-Type). Works just fine like that....however to my dismay, I just
> realised that if the attribute DOESN'T exist, it isn't checked and access is
> granted for that user regardless if I want them to get in, or not (obviously
> as long as the password is OK). Can't I have it so that if the attribute
> doesn't exist, it boots them out of the system?
>
> I was hoping to just add the attribute to the people that I want dialing in.
> Instead, will I have to add it to the thousands of users we have in the
> directory, then giving those people a value that will never match
> NAS-Port_Type? Get my drift?
>
Yes, I can see where you are headed, and indeed this subject has come up
before. The default behaviour is that if the attribute is not there to check,
then don't check it. And yes, I can understand your reluctance to mess around
with your directory.
My question then is this: if there is enough interest, we could add an option
to the various AuthBy LDAP clauses, allowing you to specify the complete search
string. This would mean that you could force the AuthBy to both find and check
for specific attributes.
Thoughts?
thanks
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
