On Jan 9, 2019, at 9:51 AM, Tom Mustaki <tom@mustaki.com> wrote:
Alan, Thank you for the information. sadly i couldn't accomplish it.
What does that mean? What error did you get when you tried my suggestion? Saying "stuff didn't work" is not overly helpful.
i have played a little with the configuration and got it partially working. i noticed a bug, in which, even if radius server is down, access is granted..
Because you told it to do that.
can someone identify the bug for me and explain how to modify the script to correct it? ... authenticate { Auth-Type LDAP { # Attempt authentication with a direct LDAP bind: ldap if (ok) { update request { User-Password := p } update control { Proxy-To-Realm := "proxy-test" }
That won't work. The server EITHER runs the "authenticate" section, OR it proxies. It can't do both.
accept
That's an unconditional "accept the user". Which is why it unconditionally accepts the user. My suggestion should work:
authorize { ... ldap.authenticate # run LDAP bind if (ok) { update control { Proxy-To-Realm := "realm" } } ... }
That will do "bind as user" to authenticate the user, BUT do it in the "authorize" phase. That way, the "authenticate" phase then sees the Proxy-To-Realm, and proxies the packet, instead of doing local authentication. If that doesn't work, say WHY it doesn't work. Show the debug output. Alan DeKok.