1.1.7, ldap and auth-type
Phil Mayers
p.mayers at imperial.ac.uk
Mon Aug 27 16:00:10 CEST 2007
On Mon, 2007-08-27 at 15:50 +0200, Ivan Lago wrote:
> Thanks, I removed the password_attribute and it worked.
> Anyway, I did it because my LDAP directory does not have a password
> attribute for computer entries, so I wanted to check the mac-address
> for both user-name and password. Then I didn't go on with this for
> various reasons (I should have rewritten User-Password too, but this
> could interfere if a user tries to authenticate with a password that
> casually matches the regexp for a mac-address...), and I resorted to
> authenticating with always_ok if the auth_type is macbypass (I do not
Ah, I see.
> expect to have crafted requests in my network anyway...), but that
> remained in the config file since it never gave problems before 1.1.7
What you're doing seems like a reasonable approach.
Other options include: something like this in "users"
# if username matches mac address regexp, copy username to password
DEFAULT User-Name =~ "([a-fA-F0-9]{12})", Cleartext-Password := "%{1}"
...with "pap" in authorize and authenticate.
Or to set "Auth-Type := Accept" in a "files" module based on an LDAP
group lookup or similar, but since you're using >1 LDAP server, that
would be tricky.
This is another thing 2.0 would make easier.
>
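A check on which User-Name values the "users" entry quoted above would treat as MAC logins, written as an added example and not code from the original post or from FreeRADIUS. The anchored pattern, the function names and the sample names are assumptions made for illustration.

```python
import re

# Pattern exactly as in the "users" entry above. FreeRADIUS "=~" is a regex
# search, so without ^...$ it matches anywhere inside User-Name.
PAGE_RE = re.compile(r"([a-fA-F0-9]{12})")
# Assumption (not from the post): anchored variant accepting only a bare MAC.
ANCHORED_RE = re.compile(r"^([a-fA-F0-9]{12})$")


def derived_password(user_name, pattern):
    """Return the value "%{1}" would expand to, or None if the entry does not match."""
    m = pattern.search(user_name)
    return m.group(1) if m else None


def pap_accepts(user_name, user_password, pattern):
    """Model of the entry plus pap: accept when the request password equals %{1}."""
    expected = derived_password(user_name, pattern)
    return expected is not None and user_password == expected


def audit(user_names):
    """Names the page's pattern treats as MAC logins but the anchored one rejects."""
    return [u for u in user_names
            if derived_password(u, PAGE_RE) and not derived_password(u, ANCHORED_RE)]


# Constructed sample User-Name values (not taken from any real directory).
SAMPLE = ["0011aabbccdd", "alice", "deadbeefcafe01",
          "host-0011AABBCCDD", "00:11:aa:bb:cc:dd"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name!r:22} page={derived_password(name, PAGE_RE)!r:16} "
              f"anchored={derived_password(name, ANCHORED_RE)!r}")
    print("needs review:", audit(SAMPLE))
```

Running audit() over an export of the directory's account names shows which ordinary accounts would fall into the MAC rule before the entry goes live.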