Alan DeKok wrote:
I am using sql authentication with mysql successfuly and I want to add second authentication via bash. (if sql authentication fail then check bash authentication)
That's usually bad practice. An authentication reject is a reject. Trying *another* method is usually wrong. Instead, figure out which method is supposed to be used, and use that.
I have separate databases; mysql, ldap and Microsoft SQL so I need multiple authentication. is multiple authentication possible in freeradius? if yes, how?
I added file (bashauth) to module directory
exec bashauth { wait = yes program = "/usr/local/bin/bash /bin/radcheck %{User-Name} %{User-Password}"
Huh? Why "/usr/local/bin/bash /bin/radcheck" ? Why not just run radcheck directly?
And that exposes the password to anyone running "ps".
I corrected. Server is single user system no another users exist.
Perhaps you could try setting Auth-Type := bashauth.
Which section must I define this setting? I defined it in users file, DEFAULT Auth-Type := "bashauth" but it overrides mysql authentication. Best Regards, Ahmet Hakan
Ahmet Hakan wrote:
I am new at freeradius (2.1.4)
I'd suggest upgrading, but whatever...
I am using sql authentication with mysql successfuly and I want to add second authentication via bash. (if sql authentication fail then check bash authentication)
That's usually bad practice. An authentication reject is a reject. Trying *another* method is usually wrong. Instead, figure out which method is supposed to be used, and use that.
Also, using the "exec" functionality will slow the server down. Especially under load.
I added file (bashauth) to module directory
exec bashauth { wait = yes program = "/usr/local/bin/bash /bin/radcheck %{User-Name} %{User-Password}"
Huh? Why "/usr/local/bin/bash /bin/radcheck" ? Why not just run radcheck directly?
And that exposes the password to anyone running "ps".
then I modified sites-enabled/default
authorize { ... bashouth
Why are you listing it in the "authorize" section?
but I cant authenticate user via bash script
radiusd -X output is below.
[bashauth] expand: %{User-Name} -> a [bashauth] expand: %{User-Password} -> a Exec-Program output: Exec-Program: returned: 0 ++[bashauth] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user.
The above message is fairly clear.
Perhaps you could try setting Auth-Type := bashauth.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html