Proxy on Fail.. Or intelligent proxy...Or Utilize multiple account directories
Harry Hoffman
hhoffman at ip-solutions.net
Tue Feb 9 15:09:05 CET 2010
Hi Larry,
I am doing this same thing...
I've modified the PAP and LDAP sections, in
/etc/raddb/sites-enabled/{default,inner-tunnel}, to do this and it works
well.
authenticate {
    #
    #  PAP authentication, when a back-end database listed
    #  in the 'authorize' section supplies a password.  The
    #  password can be clear-text, or encrypted.
    Auth-Type PAP {
        #pap
        group {
            # Try pap first; on reject, carry on to the next module.
            pap {
                reject = 1
                ok = return
            }
            # Fall back to ntlm_auth; the first ok ends the group.
            ntlm_auth {
                reject = 1
                ok = return
            }
        }
    }
...
I do the same for Auth-Type LDAP.
Hope this helps.
Cheers,
Harry
On 02/08/2010 09:42 PM, Alan DeKok wrote:
> Larry Ross wrote:
>> I am looking at configuring FR to Auth accounts across multiple account
>> directories. Basically I would like FR to take in PAP queries, attempt
>> Auth against krb, then if that comes back as a fail, try a secondary
>> Radius server (Eduroam…) or module (Shibboleth).
>
> That's hard.
>
>> We are looking at this as we foresee collisions occurring between
>> accounts residing within other universities and our local guest accounts
>> (which use email address as the principal).
>
> The simple answer is "don't have colliding usernames".
>
> Use email addresses for logins, *especially* for roaming users from
> other universities.
>
> Having colliding usernames is very bad for a number of reasons.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
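
A simplified Python model of the fall-through configured above, added here as an illustration and not taken from the thread or from FreeRADIUS: it assumes each backend returns only `ok` or `reject`, and the directories, usernames and passwords are constructed. It shows why colliding usernames matter with this setup: a shared name is accepted with either directory's password, so only the per-module trace tells the two accounts apart.

```python
# Simplified model of the fall-through in the group { pap ... ntlm_auth ... }
# block: 'reject = 1' keeps going, 'ok = return' stops. Not FreeRADIUS code.
RETURN = "return"
ACTIONS = {"reject": 1, "ok": RETURN}   # the two settings shown in the post

# Constructed sample directories; "jsmith" exists in both (two different people).
LOCAL_USERS = {"guest1": "local-pw", "jsmith": "pw-of-local-jsmith"}
AD_USERS = {"staff1": "ad-pw", "jsmith": "pw-of-ad-jsmith"}


def make_backend(users):
    """Return a module function that yields 'ok' or 'reject' (assumed rcodes)."""
    def check(username, password):
        return "ok" if users.get(username) == password else "reject"
    return check


MODULES = [("pap", make_backend(LOCAL_USERS)),
           ("ntlm_auth", make_backend(AD_USERS))]


def run_group(username, password, modules=MODULES, actions=ACTIONS):
    """Run modules in order; return (final rcode, [(module, rcode), ...])."""
    final, best_priority, trace = "reject", 0, []
    for name, check in modules:
        rcode = check(username, password)
        trace.append((name, rcode))
        action = actions[rcode]
        if action == RETURN:          # 'ok = return': stop at first success
            return rcode, trace
        if action >= best_priority:   # 'reject = 1': remember it, try the next
            final, best_priority = rcode, action
    return final, trace


def accepted_by(username, password):
    """Name of the backend that accepted the login, or None if all rejected."""
    rcode, trace = run_group(username, password)
    return trace[-1][0] if rcode == "ok" else None


if __name__ == "__main__":
    for user, pw in [("guest1", "local-pw"), ("staff1", "ad-pw"),
                     ("jsmith", "pw-of-local-jsmith"),
                     ("jsmith", "pw-of-ad-jsmith"), ("jsmith", "wrong")]:
        print(user, accepted_by(user, pw), run_group(user, pw)[1])
```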