Check local before LDAP Authentication

Alan DeKok aland at deployingradius.com
Fri May 28 15:24:32 CEST 2021 

On May 28, 2021, at 7:52 AM, Matteo Raffa <matteo.raf at gmail.com> wrote:
> I’ve found some old posts about this on the mailing list, but all of those were 10+ years old and using v1 or v2.

  The server doesn't include documentation for every situation.  It includes generic "howto" docs, and then suggests that the admin figure out how to put the pieces together.

  It's not the friendliest of processes, but it's the only one that works.  Just look at the sheer variety of questions posted to the list, and ask yourself if any amount of documentation would answer all of those questions.

> Further to that, I am using LDAP for authentication (Google doesn’t send passwords).
> 
> So, in my authorize {} I have set this before pap to set the proper auth method:
> 
> if (User-Password) {
>    	update control {
>        	Auth-Type := ldap
>    	}
> }

  Yes.  That should work for Google LDAP.

  I wish they would update their crappy documentation.  It's just... wrong.

> Now I believe that I should just need to add another condition to check for files module returning notfound code, so that it only sets ldap in case the user is not found in files, otherwise it will just go on to pap.
> 
> Something like 
> if (User-Password && files == notfound) {...}
> 
> But I can’t find the correct way to do this check. What is the attribute name corresponding to “files module return code” that I should check?

$ man unlang

	files
	if (notfound && User-Password) {
		...
	}

> I checked man unlang for that, but it only says that I can check for a module return code just after its execution.
> It doesn’t tell anything about a variable storing each module’s return code.

  It doesn't save a variable for each possible module.  That would be an enormous amount of work, and isn't that useful.

  You can just change the order of the modules in the configuration files.

  It might be better to explain what you're trying to do, instead of asking "why doesn't the server save each modules return code".

  i.e. don't ask why a particular solution doesn't work.  Explain the problem, and let us suggest a solution that works.

  Alan DeKok.

More information about the Freeradius-Users mailing list