Hello, I need to ask, even though I think this may be impossible. Is there a way to have groups of modules with failover in "authenticate"? The documentation does seem to be pretty explicit agains it: "authenticate{...}" itself is not a GROUP, even though it contains a list of Auth-Type GROUPs, because its semantics are totally different - it uses Auth-Type to decide which of its members to call, and their order is irrelevant. The reason I am asking is that I am trying to achieve something like a local cache of NT hashes (in redis) with failover to active directory. The idea is that getting the local hash from redis is much faster, but it may be outdated. So if the authentication fails, I'd like to try again using ntlm_auth (or the winbind libraries if possible). If both authentication attempts fail, then the user is rejected. This is something of a harebrained experiment around the performance limitations of Active-Directory. Feel free to tell me it's a bad idea. It probably is... Regards, -- Louis Munro lmunro@inverse.ca <mailto:lmunro@inverse.ca> :: www.inverse.ca <http://www.inverse.ca/> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125 Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu/>) and PacketFence (www.packetfence.org <http://www.packetfence.org/>)
On Sep 8, 2016, at 10:40 AM, Louis Munro <lmunro@inverse.ca> wrote:
Is there a way to have groups of modules with failover in "authenticate"?
authenticate { ... Auth-Type foo { redundant { pap1 pap2 pap3 } } ... } That works.
The documentation does seem to be pretty explicit agains it: "authenticate{...}" itself is not a GROUP, even though it contains a list of Auth-Type GROUPs, because its semantics are totally different - it uses Auth-Type to decide which of its members to call, and their order is irrelevant.
The Auth-Type subsection is a group.
The reason I am asking is that I am trying to achieve something like a local cache of NT hashes (in redis) with failover to active directory. The idea is that getting the local hash from redis is much faster, but it may be outdated.
Sure.
So if the authentication fails, I'd like to try again using ntlm_auth (or the winbind libraries if possible). If both authentication attempts fail, then the user is rejected.
This is something of a harebrained experiment around the performance limitations of Active-Directory. Feel free to tell me it's a bad idea. It probably is...
If it works... And yes, Active Directory is one of the slowest LDAP servers around. NTLM is even worse. It's just terrible. Alan DeKok.
Hi,
authenticate { ... Auth-Type foo { redundant { pap1 pap2 pap3 } }
... }
...and the other, documented too, method is to alter the reject value and fail through to the next method, as documented in this guide: http://wiki.freeradius.org/guide/Combining%20authentication%20of%20AD%20acco... and here: http://wiki.freeradius.org/config/Fail%20over alan
On Sep 8, 2016, at 1:04 PM, A.L.M.Buxey@lboro.ac.uk wrote:
...and the other, documented too, method is to alter the reject value and fail through to the next method, as documented in this guide:
http://wiki.freeradius.org/guide/Combining%20authentication%20of%20AD%20acco...
and here:
Ahh, I knew I was missing something. Thank you both. That will do nicely. -- Louis Munro lmunro@inverse.ca <mailto:lmunro@inverse.ca> :: www.inverse.ca <http://www.inverse.ca/> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125 Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu/>) and PacketFence (www.packetfence.org <http://www.packetfence.org/>)
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Louis Munro