Two authorize instance
Guillaume Chartrand
guillaume.chartrand at Collanaud.Qc.Ca
Tue Apr 1 16:44:56 CEST 2008
> Guillaume Chartrand wrote:
>> I use freeradius 2.0.0 on red hat enterprise 3 AS and I set the
>> authorize section to check the user credentials with an sql database.
>> This configuration works.
>> But I want to know, and how to do it if it's possible, if the user
>> isn't in the sql database, can freeradius check another database, like an
>> ldap database? So when the user is in the sql database he gains access;
>> if not, it looks in an ldap database and if he is present with valid
>> credentials, he gains access.
>
> Yes.
> ...
>     sql
>     if (notfound) {
>         ldap
>     }
> See "man unlang".
> Alan DeKok.
I wrote the if in my authorize section. Here is some of my config in
site-enabled/default:
    authorize {
        preprocess
        chap
        mschap
        unix
        suffix
        sql
        if (notfound) {
            ntlm_auth
        }
        eap
        expiration
        logintime
        pap
    }

    authenticate {
        ntlm_auth
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
And here is my radiusd.conf:

    modules {
        exec ntlm_auth {
            wait = no
            program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }

        $INCLUDE eap.conf

        mschap {
            with_ntdomain_hack = yes
            ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }
    }
If I comment in the mschap module the ntlm_auth and the user is present
in sql, he's accepted. If he's not in sql but is in my Active Directory
database, he's rejected.
If I comment out the ntlm_auth line, my sql user is rejected but my AD
user is accepted. So where am I wrong? I want to use both authorize
databases.
Thanks
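One way to express the "sql first, then Active Directory" fallback from the thread, as an added example that is not the poster's or the FreeRADIUS project's own configuration: it assumes MS-CHAP requests, a second mschap instance with the hypothetical name mschap_ad that is the only one given an ntlm_auth command, and that SQL users have an NT-Password or Cleartext-Password in radcheck so the plain mschap instance can verify them without calling ntlm_auth.

```unlang
# radiusd.conf: two mschap instances, one per password source.
# "mschap" has no ntlm_auth, so it verifies the hash sql put in the
# control list; "mschap_ad" (assumed name) is the AD-backed fallback.
mschap {
    with_ntdomain_hack = yes
}
mschap mschap_ad {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# sites-enabled/default
authorize {
    preprocess
    chap
    mschap          # sets Auth-Type := MS-CHAP for MS-CHAP requests
    unix
    suffix
    sql             # returns "notfound" when the user has no SQL entry
    if (notfound) {
        # Not in SQL: send this request to the AD-backed instance instead.
        update control {
            Auth-Type := mschap_ad
        }
    }
    eap
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap          # SQL users: checked against the stored hash only
    }
    Auth-Type mschap_ad {
        mschap_ad       # AD users: checked through ntlm_auth only
    }
    unix
    eap
}
```

Because each instance has exactly one password source, a user missing from SQL is never matched against a stale SQL hash and a user present in SQL is never sent to the domain controller.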