Hi Phil, Thanks for the pointers. I was attempting to use ntlm_auth to ensure the account actually existed for the authorization section. And then again in the authentication section to ensure the user name and password match. Is there a better way to check for authorization against AD? Cheers, Harry On Wed, 2010-10-13 at 14:56 +0100, Phil Mayers wrote:
On 13/10/10 14:40, Harry Hoffman wrote:
Hi Alan,
Thanks for the help! This works well and lessens the confusion on my part.
I do have one question. When using ldap as the authorization module the Auth-Type gets set properly to siteone_ldap. But if I try using
That's a feature of the "ldap" module; if it is a "named" module it sets the Auth-Type to that name (otherwise using "LDAP")
ntlm_auth then the Auth-Type is not set even though ntlm_auth returns OK.
The (confusingly named) "ntlm_auth" module is actually a copy of the "exec" module which checks PAP requests; it does not have that feature. You are also using it wrong, by running it in the "authorize" section.
You want something like:
authorize { if (Realm == ...) { ldap_siteone } elsif (Realm == ...) { update control { Auth-Type := PAP-ntdom } } }
authenticate { Auth-Type ldap_siteone { ldap_siteone } Auth-Type PAP-ntdom { ntlm_auth } }
I guess the other alternative is:
authorize { if (Realm == ...) { ldap_siteone } elsif (Realm == ...) { ntlm_auth if (ok) { update control { Auth-Type := PAP-ntdom } } } }
...but maybe it's not really what you should be doing; "authenticate" should happen after "authorize" - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html