"Alan DeKok" <aland@deployingradius.com> wrote in message news:47982BF4.7090801@deployingradius.com...
Markus Moeller wrote:
I am new to freeradius and try to authenticate users with pam and authorize with ldap groups. I try to find a minimal configuration but have some problems forcing the Auth-Type to be PAM.
You are aware that this will make EAP and many other authentication methods impossible?
That is not my requirement right now
...
authorize { auth_log ldap }
You can add the following just after ldap:
update control { Auth-Type := PAM }
Only if I set set_auth_type = yes in radiusd.conf for ldap and change authorize in default to: Auth-Type LDAP { pam }
That was the only way I could get it to work. If I use update control anybody can login, whereas in my setup only a user who exits in ldap get AUth-Type set to LDAP all other users have an empty value and therefore can not authenticate.
Please don't do that.
Is there also a way to disable the use of the ldap.attribute mapping as I really don't need it ?
You'll have to edit the source code.
I have changed my setup to use files and a users file together with a "private" radius attribute mapped to an ldap entry. e.g. dictionary has: Attribute user-location 3000 string ldap.attrmap: checkitem user-location office-address in users I have DEFAULT user-location == "LDN", Auth-Type := Reject Reply-message = "You are not allowed to login" DEFAULT AUTH-Type := PAM in site-enabled/default I have Authorize { ldap files } authenticate { pam } Unfortunatly that does not work as I never hit the first default statement in users despite having a user-location of LDN. What do I do wrong here ? How can I use an ldap query result to deny/allow access ?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you Markus