Mixed-mode authentication environment

Daniel Corbe daniel.junkmail at gmail.com
Thu Sep 8 23:06:51 CEST 2005


I didn't pull this configuration file out of my ass.  I *AM* using
default configs.

More to follow...

On 9/8/05, Alan DeKok <aland at ox.org> wrote:
> Daniel Corbe <daniel.junkmail at gmail.com> wrote:
> > I'm not sure I understand why my approach is so incorrect.  If I am
> > wrong, please explain it to me.
> 
>   I would suggest reading the existing samples and documentation for
> how to configure the server.  They explain the correct way to do
> things.  The number of incorrect ways to do things is almost infinite.
> 
> > My understanding is we've AUTHORIZED the request by pulling the
> > password information off of the LDAP server and storing it in memory.
> 
>   Yes.
> 
> > Then (according to my understanding of the radiusd.conf) in the
> > authenticate {} block, we pick which modules in order will do the
> > AUTHENTICATION part of the AAA session.  One of the two modules will
> > always fail.
> 
>   If, and ONLY if, you list BOTH modules in an "Auth-Type {}" section
> in "authenticate".
> 
>   The solution is DON'T DO THAT.
> 
>   List them separately, as shown in the default config.
> 
>   Again, I'm a little surprised that this is so hard to configure,
> given that the default config shows how to do it.  It takes additional
> effort to create a different configuration, which will then not work.
> 
> > We first try the digest module and get this:
> >   Processing the authenticate section of radiusd.conf
> > modcall: entering group Auth-Type for request 1
> > ERROR: No Digest-Nonce: Cannot perform Digest authentication
> >   modcall[authenticate]: module "digest" returns invalid for request 1
> >
> > Then we move on to the next section of the Auth-Type LDAP
> > configuration section of the authenticate {} block, and allow the LDAP
> > module to take a crack at it and thus we have a successful
> > authentication:
> 
>   Yes.  Your configuration seems to work, but it's inefficient and
> unnecessary.  Rather than following the existing examples, you appear
> to have randomly added hacks until it "works", with little
> understanding of how the server is supposed to be configured.
> 
>   Please, use the default configuration where possible.  It works, and
> it was designed by people who understand LDAP, digest, and the server.
> Your hacks may appear to work, but they are based on misunderstandings
> and confusion.  They WILL NOT be maintainable by you, or anyone else
> going into the future.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
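For reference, here is the configuration shape the thread is arguing about, as an added example written for this archive page rather than taken from either poster or from the FreeRADIUS project's files. It assumes the FreeRADIUS 1.x radiusd.conf syntax implied by the debug output above; the module names `digest` and `ldap` are the ones named in the thread, and the surrounding `authorize` entries (`preprocess`, `files`, `pap`) are assumed defaults, not something the thread states.

```conf
# Added example, not from the thread.  Assumed FreeRADIUS 1.x radiusd.conf
# syntax.
#
# The shape Alan is warning against: two modules inside ONE Auth-Type block.
# Every request routed to Auth-Type LDAP runs "digest" first, so a plain
# password request always logs
#   ERROR: No Digest-Nonce: Cannot perform Digest authentication
#   modcall[authenticate]: module "digest" returns invalid for request 1
# before "ldap" ever sees it.  It "works" only because the group continues
# past an "invalid" return.
#
# authenticate {
#     Auth-Type LDAP {
#         digest
#         ldap
#     }
# }

# The default-config shape: each module under its own Auth-Type.  The
# authorize section decides which one runs.  "digest" in authorize sets
# Auth-Type := Digest only when the request carries the Digest attributes
# (assumed rlm_digest behaviour); "ldap" in authorize fetches the stored
# password for everything else.
authorize {
    preprocess
    digest
    ldap
    files
}

authenticate {
    # Password pulled from LDAP during authorize, checked by pap
    Auth-Type PAP {
        pap
    }

    # Only SIP Digest requests (Digest-Nonce etc. present) land here,
    # so the "No Digest-Nonce" error no longer appears for other users
    Auth-Type Digest {
        digest
    }

    # Bind-as-user against the directory, for the case where LDAP should
    # perform the authentication itself instead of just supplying a password
    Auth-Type LDAP {
        ldap
    }
}
```

With the second shape, a request is dispatched to exactly one `Auth-Type` block, so no module is asked to authenticate a request it cannot handle; the "invalid" lines in the debug log are the quickest sign that two incompatible modules share a block.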
