On Feb 13, 2020, at 5:11 AM, Bill Noyce <billnoyce75@gmail.com> wrote:
Your advise was spot on. I moved/added the ldap.authenticate so that both steps use the Proxy-To-Realm and this meant the correct Access-Challenge response is sent during the first step.
Goos to hear.
if (!State) { if (&User-Password) { # If !State and User-Password (PAP), then force LDAP: update control { Ldap-UserDN := "%{User-Name}@my-domain.com" Auth-Type := LDAP
You don't need "Auth-Type := LDAP" here. It can be deleted.
} ldap.authenticate if (!ok) { reject } } else { reject } } update control { Proxy-To-Realm := "proxy-test" }
I kept 2 rejects for both a missing User-Password and an invalid LDAP bind. the Proxy-To-Realm always fires off.
Good! FreeRADIUS can do almost anything. :) Alan DeKok.