Tim Tyler wrote:
Freeradius experts, I want to use one freeradius server to authenticate against a system file for students and against ldap for faculty/staff. I can get the system file to work alone. I can get the ldap module to work alone. But I can't seem to find a way to get both of them to work together. If I set DEFAULT Auth-Type = System in the users file, it authenticates the system files. If I set it to ldap, it authenticates to ldap.
Which is why we recommend not using Auth-Type. Almost everyone uses it wrong.
If I put both in the users file, it authenticates ldap users only.
See "man rlm_users" for why. It's doing what you tell it to do, not what you expect it to do.
How do I allow both unix and ldap modules to authenticate their respective users? Note: users are unique to each module. A user in unix does not exist in ldap and vice versa.
Don't authenticate people via LDAP. LDAP isn't an authentication server. It's a database. Instead, pull the password from LDAP, and let the server decide how the user should be authenticated. You could also set Auth-Type *conditionally*, if the user was in one group or another. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog