Hi Larry, I am doing this same thing... I've modified the PAP and LDAP sections, in /etc/raddb/sites-enabled/{default,inner-tunnel}, to do this and it works well. authenticate { # # PAP authentication, when a back-end database listed # in the 'authorize' section supplies a password. The # password can be clear-text, or encrypted. Auth-Type PAP { #pap group{ pap{ reject = 1 ok = return } ntlm_auth{ reject = 1 ok = return } } } ... I do the same for Auth-Type LDAP. Hope this helps. Cheers, Harry On 02/08/2010 09:42 PM, Alan DeKok wrote:
Larry Ross wrote:
I am looking at configuring FR to Auth accounts across multiple account directories. Basically I would like FR to take in PAP queries, attempt Auth against krb, then if that comes back as a fail, try a secondary Radius server (Eduroam…) or module (Shibboleth).
That's hard.
We are looking at this as we foresee collisions occurring between accounts residing within other universities and our local guest accounts (which use email address as the principal).
The simple answer is "don't have colliding usernames".
Use email addresses for logins, *especially* for roaming users from other universities.
Having colliding usernames is very bad for a number of reasons.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html