1.1.7, ldap and auth-type
Hi I tried to update freeradius from 1.1.6 to 1.1.7 on my 2 servers, but i had great problems: some of the ldap instances i configured do not set auth-type even if they find the user in the ldap directory. Of the ldap instances described below only the macbypass ones do not set Auth-Type, the others 2 do the correct thing: the aaa modules set Auth-Type to the module name while the 802x instances set Auth-Type to eap (since objects in that part of the ldap tree authenticate with eap-mschapv2) What's wrong? did i misconfigured something (but i doubt, since the configuration didn't change between the 2 versions) or i incurred in some kind of bug? This is my setup (only the relevant parts) ldap aaa1 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn = XXXXXXXX identity = XXXXXXXX password = XXXX start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupmembership_filter = "(memberuid=%{User-Name})" timeout =3 timelimit = 5 net_timeout = 5 } ldap aaa2 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn = XXXXXXXX identity = XXXXXXXX password = XXXX start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupmembership_filter = "(memberuid=%{User-Name})" timeout = 3 timelimit = 5 net_timeout = 5 } ldap macbypass1 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn =XXXXXX filter = "(macAddress=%{User-Name})" base_filter = "(objectclass=radiusprofile)" password_attribute = macAddress start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout =3 timelimit = 5 net_timeout = 5 } ldap macbypass2 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn = XXXXXX filter = "(macAddress=%{User-Name})" base_filter = "(objectclass=radiusprofile)" password_attribute = macAddress start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout =3 timelimit = 5 net_timeout = 5 } ldap 8021x1 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn = XXXXXXXX identity = XXXXXXXX password = XXXX start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupmembership_filter = "(memberuid=%{User-Name})" timeout =3 timelimit = 5 net_timeout = 5 } ldap 8021x2 { server = "XXXX.ifom-ieo-campus.it" port = 636 basedn = XXXXXXXX identity = XXXXXXXX password = XXXX start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupmembership_filter = "(memberuid=%{User-Name})" timeout =3 timelimit = 5 net_timeout = 5 } attr_rewrite UserNameNormalize { attribute = User-Name searchin = packet searchfor = "(..)(..)(..)(..)(..)(..)" replacewith = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}" ignore_case = no new_attribute = no max_matches = 10 append = no } preprocess { huntgroups = ${confdir}/huntgroups } files { usersfile = ${confdir}/users } always ok { rcode = ok simulcount = 0 mpp = no } perl { module = "/ofb/freeradius/bin/getVlan.pl" } } authorize { perl UserNameNormalize redundant { macbypass1 macbypass2 } redundant { aaa1 aaa2 } redundant { 8021x1 8021x2 } chap mschap eap files } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type macbypass1 { ok } Auth-Type macbypass2 { ok } Auth-Type aaa1 { aaa1 } Auth-Type aaa2 { aaa2 } Auth-Type 8021x1 { 8021x1 } Auth-Type 8021x2 { 8021x2 } Auth-Type perl { ok } eap } This is the dump of a successful authentication, with version 1.1.6: rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1645, id=16, length=167 User-Name = "000a95deba4a" User-Password = "000a95deba4a" Service-Type = Call-Check Framed-MTU = 1520 Called-Station-Id = "00-18-B9-EB-A6-93" Calling-Station-Id = "00-0A-95-DE-BA-4A" Message-Authenticator = 0x43b095f8f280648759c3cea2bf92b2bb NAS-Port-Type = Ethernet NAS-Port = 50017 NAS-IP-Address = XXX.XXX.XXX.XXX NAS-Identifier = "0c13.igp.ifom-ieo-campus.it" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 Using perl at 0x66f180 Use of uninitialized value in string eq at /ofb/freeradius/bin/ getVlan.pl line 340, <DATA> line 228. rlm_perl: ___ macAddr=000a95deba4a switch=XXX.XXX.XXX.XXX port=50017 exit-value=SUCCESS vlan=180 rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Tunnel-Private-Group-Id = 180 modcall[authorize]: module "perl" returns ok for request 0 radius_xlat: '(..)(..)(..)(..)(..)(..)' radius_xlat: '00:0a:95:de:ba:4a' rlm_attr_rewrite: Changed value for attribute User-Name from '000a95deba4a' to '00:0a:95:de:ba:4a' modcall[authorize]: module "UserNameNormalize" returns ok for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:0a:95:de:ba:4a radius_xlat: '(macAddress=00:0a:95:de:ba:4a)' radius_xlat: 'ou=Network,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to XXXX.ifom-ieo-campus.it:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: bind as / to XXXX.ifom-ieo-campus.it:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Network,dc=ifom-ieo-campus,dc=it, with filter (macAddress=00:0a:95:de:ba:4a) rlm_ldap: Added password 00:0a:95:de:ba:4a in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Setting Auth-Type = macbypass1 rlm_ldap: user 00:0a:95:de:ba:4a authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "macbypass1" returns ok for request 0 modcall: leaving group redundant (returns ok) for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:0a:95:de:ba:4a radius_xlat: '(uid=00:0a:95:de:ba:4a)' radius_xlat: 'ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to XXXX.ifom-ieo-campus.it:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: bind as XXXXXXX to XXXX.ifom-ieo-campus.it:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it, with filter (uid=00:0a:95:de:ba:4a) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "aaa1" returns notfound for request 0 modcall: leaving group redundant (returns notfound) for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:0a:95:de:ba:4a radius_xlat: '(uid=00:0a:95:de:ba:4a)' radius_xlat: 'ou=Users,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to XXXX.ifom-ieo-campus.it:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: bind as XXXXXX to XXXX.ifom-ieo-campus.it:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=Users,ou=People,ou=Accounts,dc=ifom- ieo-campus,dc=it, with filter (uid=00:0a:95:de:ba:4a) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "8021x1" returns notfound for request 0 modcall: leaving group redundant (returns notfound) for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type macbypass1 auth: type "macbypass1" Processing the authenticate section of radiusd.conf modcall: entering group macbypass1 for request 0 modcall[authenticate]: module "ok" returns ok for request 0 modcall: leaving group macbypass1 (returns ok) for request 0 Sending Access-Accept of id 16 to XXX.XXX.XXX.XXX port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "180" Finished request 0 While this is the dump of a similar request after the upgrade: rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:1645, id=230, length=166 User-Name = "0017f2f52bda" User-Password = "0017f2f52bda" Service-Type = Call-Check Framed-MTU = 1520 Called-Station-Id = "00-18-73-84-4C-95" Calling-Station-Id = "00-17-F2-F5-2B-DA" Message-Authenticator = 0xbf1846c5bbc8ef89556c34df53cddb72 NAS-Port-Type = Ethernet NAS-Port = 50019 NAS-IP-Address = XXX.XXX.XXX.XXX NAS-Identifier = "3a1.igp.ifom-ieo-campus.it" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 Using perl at 0x653fc0 rlm_perl: ___ macAddr=0017f2f52bda switch=XXX.XXX.XXX.XXX port=50019 exit-value=SUCCESS vlan=554 rlm_perl: Added pair Tunnel-Type = VLAN rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802 rlm_perl: Added pair Tunnel-Private-Group-Id = 554 modcall[authorize]: module "perl" returns ok for request 4 radius_xlat: '(..)(..)(..)(..)(..)(..)' radius_xlat: '00:17:f2:f5:2b:da' rlm_attr_rewrite: Changed value for attribute User-Name from '0017f2f52bda' to '00:17:f2:f5:2b:da' modcall[authorize]: module "UserNameNormalize" returns ok for request 4 modcall: entering group redundant for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:17:f2:f5:2b:da radius_xlat: '(macAddress=00:17:f2:f5:2b:da)' radius_xlat: 'ou=Network,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Network,dc=ifom-ieo-campus,dc=it, with filter (macAddress=00:17:f2:f5:2b:da) rlm_ldap: Added password 00:17:f2:f5:2b:da in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user 00:17:f2:f5:2b:da authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "macbypass1" returns ok for request 4 modcall: leaving group redundant (returns ok) for request 4 modcall: entering group redundant for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:17:f2:f5:2b:da radius_xlat: '(uid=00:17:f2:f5:2b:da)' radius_xlat: 'ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Admins,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it, with filter (uid=00:17:f2:f5:2b:da) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "aaa1" returns notfound for request 4 modcall: leaving group redundant (returns notfound) for request 4 modcall: entering group redundant for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for 00:17:f2:f5:2b:da radius_xlat: '(uid=00:17:f2:f5:2b:da)' radius_xlat: 'ou=Users,ou=People,ou=Accounts,dc=ifom-ieo-campus,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Users,ou=People,ou=Accounts,dc=ifom- ieo-campus,dc=it, with filter (uid=00:17:f2:f5:2b:da) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "8021x1" returns notfound for request 4 modcall: leaving group redundant (returns notfound) for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 4 modcall[authorize]: module "files" returns notfound for request 4 modcall: leaving group authorize (returns ok) for request 4 auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Delaying request 4 for 1 seconds Finished request 4 Going to the next request
On Mon, 2007-08-27 at 12:13 +0200, Ivan Lago wrote:
Hi
I tried to update freeradius from 1.1.6 to 1.1.7 on my 2 servers, but i had great problems: some of the ldap instances i configured do not
Hmm. I thought it defaulted to "on" but try adding: ldap name { ... set_auth_type = yes } ...to your LDAP instances.
I tried to make it explicit, but it did not work. Anyway that parameter is defaulted to yes, as you said, but it's being ignored. Here is a dump of the loading of the module at server startup, without adding the set_auth_type explicitally : ldap: server = "XXXX.ifom-ieo-campus.it" ldap: port = 636 ldap: net_timeout = 5 ldap: timeout = 3 ldap: timelimit = 5 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "XXXXXXXXX" ldap: filter = "(macAddress=%{User-Name})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "macAddress" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member= %{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=% {Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/ofb/freeradius/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes <------------------------------------------ rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute macbypass1-Ldap-Group rlm_ldap: Registering ldap_groupcmp for macbypass1-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name macbypass1 rlm_ldap: reading ldap<->radius mappings from file /ofb/freeradius/ etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling- Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed- Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX- Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination- Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed- AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed- AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed- AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port conns: 0x666400 Module: Instantiated ldap (macbypass1) On Aug 27, 2007, at 12:49 PM, Phil Mayers wrote:
On Mon, 2007-08-27 at 12:13 +0200, Ivan Lago wrote:
Hi
I tried to update freeradius from 1.1.6 to 1.1.7 on my 2 servers, but i had great problems: some of the ldap instances i configured do not
Hmm. I thought it defaulted to "on" but try adding:
ldap name { ... set_auth_type = yes }
...to your LDAP instances.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
On Mon, 2007-08-27 at 13:56 +0200, Ivan Lago wrote:
I tried to make it explicit, but it did not work. Anyway that parameter is defaulted to yes, as you said, but it's being ignored. Here is a dump of the loading of the module at server startup, without adding the set_auth_type explicitally :
Ah, ok, I see what's happening. The reason this has changed is: looking at the 1.1.7 rlm_ldap code, a new "should we set auth-type" check is used: if (inst->set_auth_type && (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) && request->password && (request->password->attribute == PW_USER_PASSWORD) && !added_known_password) { pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ)); DEBUG("rlm_ldap: Setting Auth-Type = %s", inst->xlat_name); } That is, the module will only set Auth-Type to itself if all of the following are true: * the module is set to do this * there's no auth-type already set * there's a User-Password in the request * the LDAP module didn't add a Cleartext-Password to the config items That last is the problem - from your original mail: rlm_ldap: performing search in ou=Network,dc=ifom-ieo-campus,dc=it, with filter (macAddress=00:17:f2:f5:2b:da) rlm_ldap: Added password 00:17:f2:f5:2b:da in check items So, you've two several options: 1. Update the LDAP directory to contain the correct plaintext password, configure "set_auth_type = no" and add the pap module to authorize and authenticate: authorize { preprocess ...blah redundant { macbypass1 macbypass2 } # MUST go last... pap } authenticate { Auth-Type PAP { pap } ...etc. } 2. Since it's wrong anyway (00:11:22:33:44:55 != 001122334455), either remove the plaintext password from the LDAP directory or remove the "password_attribute" config item from the module instance. Why *are* you copying a "wrong" password from LDAP to the config items? How is the LDAP server authenticating them?
Thanks, i removed the password_attribute and it worked. Anyway i did it because my LDAP directory do not have a password attribute for computer entries, so i wanted to check the mac-address for both user-name and password. Than i didn't go on with this for various reasons (i should have rewritten User-Password too, but this could interfere if a user try to authenticate with a password that casually match the regexp for a mac-address...), and i resorted to authenticate with always_ok if the auth_type is macbypass (i do not expect to have crafted requests in my network anyway...), but that remained in the config file since it never gave problems before 1.1.7 Anyway if you have a better suggestion i am always ready to learn On Aug 27, 2007, at 3:28 PM, Phil Mayers wrote:
2. Since it's wrong anyway (00:11:22:33:44:55 != 001122334455), either remove the plaintext password from the LDAP directory or remove the "password_attribute" config item from the module instance.
Why *are* you copying a "wrong" password from LDAP to the config items? How is the LDAP server authenticating them?
On Mon, 2007-08-27 at 15:50 +0200, Ivan Lago wrote:
Thanks, i removed the password_attribute and it worked. Anyway i did it because my LDAP directory do not have a password attribute for computer entries, so i wanted to check the mac-address for both user-name and password. Than i didn't go on with this for various reasons (i should have rewritten User-Password too, but this could interfere if a user try to authenticate with a password that casually match the regexp for a mac-address...), and i resorted to authenticate with always_ok if the auth_type is macbypass (i do not
Ah, I see.
expect to have crafted requests in my network anyway...), but that remained in the config file since it never gave problems before 1.1.7
What you're doing seems like a reasonable approach. Other options include: something like this in "users" # if username matches mac address regexp, copy username to password DEFAULT User-Name =~ "([a-fA-F0-9]{12})", Cleartext-Password := "%{1}" ...with "pap" in authorize and authenticate. Or to set "Auth-Type := Accept" in a "files" module based on an LDAP group lookup or similar, but since you're using >1 LDAP server, that would be tricky. This is another thing 2.0 would make easier
participants (2)
-
Ivan Lago -
Phil Mayers