chain two authentication modules together

Alexander Clouter alex at digriz.org.uk
Tue Jun 21 00:34:05 CEST 2011


madmatrix <hailumeng at gmail.com> wrote:
> 
> Alexander, one thing I'm still confused here is why we put otp and 
> ldap all in authorization block in freeradius not the authentication?
>
As I'm an idiot.  They should also be present in the authenticate 
section.
 
In authorise, your OTP python method checks to see if it is a valid 
authentication syntax (creating a challenge if necessary) returning 
reject if it is invalid.  It validates and rewrites User-Password to 
contain just the bare password, whilst you can create a custom 
dictionary attribute (for example User-OTP) that is separately processed 
in authenticate.

So, for example:
----
authorize {
  ...
 
  # User-Password is 'foo bar'

  python-otp

  # User-Password is 'foo'
  # User-OTP is 'bar'

  ldap

  ...
}

authenticate {
  ...

  Auth-Type python-otp {
    otp
    ldap
  }

  ...
}
----

Cheers

-- 
Alexander Clouter
.sigmonster says: Price does not include taxes.
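
The authorize-phase split described in the message above, sketched in Python as an added example (not code from the original post or from FreeRADIUS). The helper name `split_password_otp`, the `(code, updates)` return shape and the rule that the OTP is the last whitespace-separated token are assumptions; challenge creation is left out.

```python
# Added example. Names and return shape are hypothetical, not FreeRADIUS API.
# Local stand-ins using the same numeric values as the server's module codes.
RLM_MODULE_REJECT = 0
RLM_MODULE_UPDATED = 8


def split_password_otp(value):
    """Split 'password otp' on the last run of whitespace.

    Returns (password, otp), or None when either half is missing.
    Assumption: the OTP contains no whitespace; the password may.
    """
    parts = value.rsplit(None, 1)
    if len(parts) != 2:
        return None
    return parts[0], parts[1]


def authorize(pairs):
    """Entry point in the rlm_python style: `pairs` is a tuple of
    (attribute, value) tuples taken from the request.

    Returns (return_code, updates), where `updates` lists the request
    attributes to set. Writing them back into the request depends on
    the FreeRADIUS version and is not shown here.
    """
    attrs = dict(pairs)
    split = split_password_otp(attrs.get("User-Password", ""))
    if split is None:
        # Not valid 'password otp' syntax: reject before ldap runs.
        return RLM_MODULE_REJECT, ()
    password, otp = split
    # ldap then sees only the bare password; User-OTP is checked
    # separately in the authenticate section.
    return RLM_MODULE_UPDATED, (("User-Password", password),
                                ("User-OTP", otp))


if __name__ == "__main__":
    # Constructed sample requests.
    for pw in ("foo bar", "foo", "my pass phrase 123456"):
        request = (("User-Name", "alice"), ("User-Password", pw))
        print(repr(pw), "->", authorize(request))
```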



