On Wed, 2007-08-15 at 15:36 +1000, Stewart James wrote:
What I have realised is that there are 2 ways that authorisation appear to be called for LDAP. One way is to name the LDAP modules in the authorise section. The other way appears to be through the LDAP-Group in the users file and letting the "files" module then call the LDAP module.
Sort of. If you had: authorize { preprocess files other Autz-Type FOO { moduleX } } authenticate { Auth-Type MS-CHAP { mschap } ....etc... } ...the flow is: 1. call "preprocess" 2. call "files" 3. call "other" 4. if an only if Autz-Type is set, do a 2nd pass through the matching Autz-Type stanza 5. Call one and only one module from the authenticate section to execute the authentication algorithm Alan has already hinted at this, but - you will not be able to get the plaintext password out of AD. Your password checking options against AD are limited to precisely two: 1. For PAP, you can authenticate the user by asking the LDAP module to to an LDAP simple bind with the pap username/password 2. For MS-CHAP, you install samba, join the domain, and use the "ntlm_auth" helper binary in the mschap module Which of the two do you want to do, because that will impact the next bit.