proxy request when database is referring to ldap server
sumi thra
sumi.techno at gmail.com
Sat Jul 22 09:23:21 CEST 2006
>
> Hi Alan,
>
> Please find the configuration in the users file & proxy.conf file. Please
> let me know if I am missing something or have a wrong configuration for
> achieving my objective.
>
> Radiusd.conf file:
>
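modules {
	# Module instances referenced by name from the instantiate / authorize /
	# authenticate sections that follow this block.
	pap {
		# "clear": the password the server holds for the user (presumably the
		# value returned by the ldap password_attribute below) is compared as
		# cleartext; the commented-out password_header in the ldap instances
		# suggests hashed storage was considered but is not in use.
		encryption_scheme = clear
	}
	chap {
		authtype = CHAP
	}
	pam {
		pam_auth = radiusd
	}
	unix {
		cache = no
		cache_reload = 600
		radwtmp = /var/log/radius/radwtmp
	}
	mschap {
		authtype = MS-CHAP
		#use_mppe = no
		#require_encryption = yes
		#require_strong = yes
		#with_ntdomain_hack = no
	}
	# Two identically configured directory instances; only the server address
	# differs. The sections below try them in order inside "redundant { }",
	# and the users file refers to them by instance name
	# (ldap_primary-Ldap-Group / ldap_secondary-Ldap-Group).
	ldap ldap_primary {
		server = 1.1.1.1
		# Non-standard port; nothing here selects LDAPS and start_tls is off,
		# so the bind below and the password_attribute values cross the
		# network unencrypted -- TODO confirm what listens on 1.1.1.1:1234.
		port = 1234
		# Bind credentials live in this file: keep radiusd.conf readable only
		# by the account radiusd runs as.
		identity = "kjd"
		password = sdkjf
		basedn = sdjkf
		filter = "kjgf"
		start_tls = no
		# (sic) -- presumably "dialupaccess"; it must match the attribute
		# name actually present in the directory schema.
		access_attr = "dialupacces"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		#password_header = "{SHA}"
		# Attribute read to obtain the user's stored password; the bind
		# identity above therefore needs read access to it.
		password_attribute = fdsjk
		groupname_attribute = dj
		groupmembership_filter = "kjf"
		groupmembership_attribute = jkl
		timeout = 4
		timelimit = 3
		net_timeout = 1
		# With "no", rlm_ldap treats the presence of access_attr on the user
		# entry as a deny rather than an allow -- verify against the rlm_ldap
		# documentation for this server version.
		access_attr_used_for_allow = no
	}
	ldap ldap_secondary {
		# Same settings as ldap_primary, pointed at the second server; the
		# comments on ldap_primary apply here unchanged.
		server = 2.2.2.2
		port = 1234
		identity = "kjd"
		password = sdkjf
		basedn = sdjkf
		filter = "kjgf"
		start_tls = no
		access_attr = "dialupacces"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		#password_header = "{SHA}"
		password_attribute = fdsjk
		groupname_attribute = dj
		groupmembership_filter = "kjf"
		groupmembership_attribute = jkl
		timeout = 4
		timelimit = 3
		net_timeout = 1
		access_attr_used_for_allow = no
	}
	# Both passwd instances are defined but commented out in authorize below.
	# /var/etc/... is an unusual location for the system files -- presumably
	# copies; confirm the paths exist.
	passwd etc_passwd {
		filename = /var/etc/passwd
		format = "*User-Name::User-Password"
		delimiter = :
	}
	passwd etc_group {
		filename = /var/etc/group
		format = "~Group-Name::*,User-Name"
		delimiter = :
	}
	# Six realm instances: suffix and prefix parsing for each of the "/", "@"
	# and "%" delimiters. The instance that matches first (in authorize
	# order) determines the realm name looked up in proxy.conf.
	realm suffix_oblic {
		format = suffix
		delimiter = /
		ignore_default = no
		ignore_null = no
	}
	realm prefix_oblic {
		format = prefix
		delimiter = /
		ignore_default = no
		ignore_null = no
	}
	realm suffix_at {
		format = suffix
		delimiter = @
		ignore_default = no
		ignore_null = no
	}
	realm prefix_at {
		format = prefix
		delimiter = @
		ignore_default = no
		ignore_null = no
	}
	realm suffix_percent {
		format = suffix
		delimiter = %
		ignore_default = no
		ignore_null = no
	}
	realm prefix_percent {
		format = prefix
		delimiter = %
		ignore_default = no
		ignore_null = no
	}
	# Defined but not listed in any processing section shown in this post.
	checkval {
		item-name = Calling-Station-Id
		check-name = Calling-Station-Id
		data-type = string
		#notfound-reject = no
	}
	preprocess {
		huntgroups = ${confdir}/huntgroups
		# The original post shows "hu_int32_ts" here, a garbled rendering of
		# the "hints" option (the value already names the hints file).
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
	# usersfile is the users file reproduced later in this post; note that
	# "files" runs before the ldap block in authorize.
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		compat = no
	}
	# .. (remaining module definitions elided in the original post; "eap",
	# which the sections below reference, is among those not shown)
}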
instantiate {
# Modules created at startup regardless of whether a section has referenced
# them yet; listing the two ldap instances presumably makes their
# connections (ldap_connections_number above) available from the start.
#exec
#expr
ldap_primary
ldap_secondary
}
authorize {
# Runs for every Access-Request, including those that a realm module below
# marks for proxying: nothing in this list is conditional on a realm match.
preprocess
#etc_passwd
#etc_group
chap
mschap
# Realm parsing: the first instance whose delimiter matches wins; this is
# what selects the proxy.conf realm entry for the request.
suffix_oblic
prefix_oblic
suffix_at
prefix_at
suffix_percent
prefix_percent
# The users file is consulted here, before the ldap block. Its DEFAULT
# entries compare ldap_primary-Ldap-Group / ldap_secondary-Ldap-Group, and
# those comparisons are answered by the ldap modules, i.e. they query the
# directory. NOTE(review): this is the likely reason a request that is about
# to be proxied still reaches ldap_primary -- confirm with radiusd -X.
files
# Unconditional directory lookup for every request, proxied or not.
redundant {
ldap_primary
ldap_secondary
}
eap
}
authenticate {
# Dispatch on the Auth-Type chosen during authorize (by chap/mschap/pap or
# by a users-file entry). Requests marked for proxying are forwarded
# instead of reaching this section -- confirm in the debug output.
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
# Authenticate against the primary directory first; the secondary is
# presumably only consulted when the primary fails to answer, not when it
# rejects the credentials -- verify before relying on it.
redundant {
ldap_primary
ldap_secondary
}
}
#unix
eap
}
# Empty: nothing is executed after local authentication completes.
post-auth {
}
# Empty: requests are forwarded to the proxy.conf home server unmodified.
pre-proxy {
}
# Runs on replies returned by the home server.
# NOTE(review): the stock radiusd.conf spells this section "post-proxy"
# (hyphen, like "pre-proxy" above); the underscore spelling shown here is
# not the recognised name and is presumably ignored by the server --
# confirm in the debug output and rename if so.
post_proxy {
eap
}
Users file:
--------------
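# primary ldap group policy configuration
#
# NOTE(review): the files module evaluates these entries for every request,
# and each "ldap_primary-Ldap-Group == ..." check item is answered by the
# ldap_primary module, i.e. it queries the directory. That happens before
# the "Realm != NULL" entry near the bottom, so a request that is going to
# be proxied still contacts ldap_primary here -- consistent with the symptom
# described in the mail. Confirm with radiusd -X.
#
# Reply items (the Tunnel-* lines) must begin with whitespace and an entry's
# check items must sit on one line; the indentation and line joins below
# restore what the mail rendering appears to have flattened.
#
# WLAN Allow policy for the groups
# =~ is an unanchored regex match, so the original pattern "1" also matched
# VSA-Attr-4 values such as 10, 11 or 21 and admitted them before the deny
# entries below were reached. The allow patterns are therefore anchored to
# the exact value.
DEFAULT ldap_primary-Ldap-Group == "sales",VSA-Attr-4 =~ "^1$",Login-Time := "Any0000-2359"
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = 1
DEFAULT ldap_primary-Ldap-Group == "marketting",VSA-Attr-4 =~ "^2$",Login-Time := "Any0000-2359"
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = 10
# WLAN Deny policy for the groups
# The deny patterns are kept unanchored: a substring match here can only
# reject more, never less.
DEFAULT ldap_primary-Ldap-Group == "sales",VSA-Attr-4 =~ "2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32",Auth-Type:=Reject
DEFAULT ldap_primary-Ldap-Group == "marketting",VSA-Attr-4 =~ "1|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32",Auth-Type:=Reject
# secondary ldap group policy configuration
# Same policy, keyed on group membership in the secondary directory.
# WLAN Allow policy for the groups
DEFAULT ldap_secondary-Ldap-Group == "sales",VSA-Attr-4 =~ "^1$",Login-Time := "Any0000-2359"
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = 1
DEFAULT ldap_secondary-Ldap-Group == "marketting",VSA-Attr-4 =~ "^2$",Login-Time := "Any0000-2359"
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = 10
# WLAN Deny policy for the groups
DEFAULT ldap_secondary-Ldap-Group == "sales",VSA-Attr-4 =~ "2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32",Auth-Type:=Reject
DEFAULT ldap_secondary-Ldap-Group == "marketting",VSA-Attr-4 =~ "1|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32",Auth-Type:=Reject
# Two bare entries exactly as shown in the post: an entry with no check
# items matches that User-Name and, lacking Fall-Through, ends users-file
# processing for it. Presumably truncated in the mail -- verify against the
# real file.
anonymous
Anonymous
# Presumably intended to let requests that matched a non-NULL realm (i.e.
# ones being proxied) through without hitting the final reject.
# NOTE(review): placed after the group entries it does not prevent the
# directory lookups above; moving it to the top of the file would skip them
# for realm-bearing requests -- to be confirmed in the debug output before
# changing.
DEFAULT Realm != "NULL"
# Anything not matched above is refused.
DEFAULT Auth-Type := Reject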
Proxy.conf file
---------------------
proxy server {
# Global settings for forwarding to the home servers named in the realm
# entries below.
synchronous = no
# Presumably: retransmit every 5 s up to 3 times, then treat the home
# server as dead for 120 s -- confirm against the proxy.conf documentation.
retry_delay = 5
retry_count = 3
dead_time = 120
# Presumably falls back to a DEFAULT realm when the matched realm's home
# server is dead; no DEFAULT realm is defined in this file.
default_fallback = yes
post_proxy_authorize = no
}
# The backslash escapes make this name read like a regex, whereas the realm
# modules produce a plain realm string (for suffix_at, the part after "@").
# NOTE(review): confirm in the debug output which realm entry actually
# matched the proxied request.
realm user\@myorg\.com {
authhost = 192.168.2.2:1812
accthost = 192.168.2.2:1813
# Shared secret with the home server. It is the only protection for the
# forwarded User-Password on the wire, so use a long random value rather
# than a guessable word, and keep proxy.conf readable only by radiusd.
secret = symbol123
# Forward User-Name with the realm part left intact.
nostrip
}
The request was proxied to 192.168.2.2, but the server still tries to connect to
ldap_primary.
Please correct me if I'm doing any wrong configuration.
Thanks.
On 7/19/06, Alan DeKok <aland at nitros9.org> wrote:
> >
> > "sumi thra" <sumi.techno at gmail.com> wrote:
> > > What you are saying is correct. But, I want to proxy the request for some
> > users
> > > and for others i still want to use ldap .. in that case the users file
> > will
> > > have the policy for using LDAP & the proxy.conf file will have the
> > realms
> > > configured.
> >
> > That's pretty trivial to do.
> >
> > > When the server finds a matching realm, why is it trying to do ldap
> > > authentication? ie, why the users policy is getting applied?
> >
> > Because you told it to.
> >
> > Read the debug log. It *will* tell you what's going on.
> >
> > Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>