{{ ansible_managed | comment }}

# Inner-tunnel virtual server: processes the request carried inside the
# outer EAP tunnel. 'authorize' decides which Auth-Type to use, then the
# matching module in 'authenticate' performs the actual check.
server inner-tunnel {
	authorize {
		# Look for realm using the 'suffix' format (user@realm)
		suffix

		# Don't proxy requests from inner tunnel
		update control {
			&Proxy-To-Realm := LOCAL
		}
		# TODO: check that the realm is either empty or 'auro.re'
		# (nothing in this section enforces that yet; 'suffix' only parses
		# the realm out of the User-Name)

		# Must be before 'ldap', so that we don't query the LDAP server
		# for "internal" packets (cf. documentation for
		# sites-available/inner-tunnel)
		# The 'ok = return' override stops processing of this section as soon
		# as inner-eap returns ok, so neither 'ldap' nor 'pap' below runs for
		# those packets.
		inner-eap {
			ok = return
		}

		# LDAP lookup of the user; its return code ('ok' / 'updated') gates
		# the Auth-Type selection just below.
		ldap

		# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
		# Force LDAP bind authentication only when the lookup succeeded AND
		# the request carries a User-Password (i.e. the inner method delivered
		# a clear-text password to bind with). Without User-Password this
		# branch is skipped and Auth-Type is left for later modules to set.
		if ((ok || updated) && User-Password) {
			update control {
				Auth-Type := ldap
			}
		}

		# Runs after Auth-Type may already have been forced to 'ldap' above.
		# NOTE(review): presumably pap does not override an Auth-Type that is
		# already set in the control list — confirm for the FreeRADIUS
		# version deployed.
		pap
	}

	authenticate {
		inner-eap

		# Authenticate using 'Auth-Type = LDAP'
		# This is not recommended by FreeRADIUS (cf. documentation for
		# sites-available/default), but the password hashing scheme used
		# by 389DS is not yet supported by FreeRADIUS 3
		# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
		# Bind-as-user means the clear-text inner password is sent to the
		# LDAP server on every authentication; the ldap module's connection
		# settings (defined outside this file, not visible here) must
		# therefore protect that transport with TLS.
		ldap
	}
}