Do not query LDAP if authenticated via proxy

Alan DeKok aland at deployingradius.com
Mon Aug 10 15:34:38 CEST 2009


Steven Carr wrote:
> We are joining Eduroam and we have our FreeRADIUS set to proxy on the
> DEFAULT realm and have a separate realm for our local domain.
> 
> If we pass a request to the proxy to be authenticated, both before and
> after the request has been proxied it queries our LDAP server to check
> if the user exists.

  So... use "unlang" to check for your local domain, and run the "ldap"
module only if it matches the local domain:

	if (User-Name =~ /@my_domain.com/) {
		ldap
	}

> How can I stop it from doing this? It is a waste of time and an
> unnecessary connection/query to our LDAP server as it is never going to
> be authenticated by our LDAP server.

  You don't "stop" it.

  You tell it to query the LDAP server *ONLY* when it sees
Access-Requests where User-Name contains your domain.

  Once you formulate the problem that way, the solution becomes obvious.

  Alan DeKok.
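
Added illustration, not part of the original message and not FreeRADIUS code: a Python model of the condition above, showing which User-Name values would reach the "ldap" module with the substring pattern as posted versus an anchored pattern with a literal dot. The anchored pattern, the sample names and the function names are assumptions made for this example, and Python's `re` stands in for the server's regex engine.

```python
import re

# "my_domain.com" is the placeholder local realm used in the post.
# LOOSE is the pattern as posted: a substring match in which "." matches any character.
LOOSE = re.compile(r"@my_domain.com")
# STRICT is an assumed tightening: literal dot, and the realm must end the User-Name.
STRICT = re.compile(r"@my_domain[.]com$")

# Constructed sample User-Name values (not taken from the original post).
SAMPLES = [
    "alice@my_domain.com",                  # local user
    "bob@other-university.example",         # roaming user, proxied to DEFAULT
    "carol@my_domain.com.visitor.example",  # local realm is only a prefix of the real realm
    "dave@my_domainxcom.example",           # "." in the loose pattern matches "x"
    "erin",                                 # no realm at all
]


def runs_ldap(pattern, user_name):
    """Model of `if (User-Name =~ /pattern/) { ldap }`: True when ldap would run."""
    return pattern.search(user_name) is not None


def routing_table(samples=SAMPLES):
    """Return (user_name, ldap_with_loose, ldap_with_strict) for each sample."""
    return [(u, runs_ldap(LOOSE, u), runs_ldap(STRICT, u)) for u in samples]


def disagreements(samples=SAMPLES):
    """User-Names for which the two patterns make a different LDAP decision."""
    return [u for u, loose, strict in routing_table(samples) if loose != strict]


def ldap_queries(pattern, samples=SAMPLES):
    """Number of LDAP lookups the condition would trigger for the samples."""
    return sum(runs_ldap(pattern, u) for u in samples)


if __name__ == "__main__":
    for user, loose, strict in routing_table():
        print(f"{user:40} loose={loose!s:5} strict={strict}")
    print("differ:", disagreements())
```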


