ldap authorization request in a post_proxy section?
Hi, How should i call the ldap module in the post_proxy section (in Freeradius v1 or v2...)? It should perhaps be easier to ask a single question rather than in my long request posted yesterday...;o) In Freeradius v1, i can merge in an access-accept response radius attribute to a proxy reply. radiusd.conf ------------ ... authorize { ... suffix ldap ... } post_proxy { eap } ... proxy.conf ---------- proxy server { ... # # Older versions of the server would pass proxy requests through the # 'authorize' sections twice; once when the packet was received # from the NAS, and again after the reply was received from the home # server. Now that we have a 'post_proxy' section, the replies from # the home server should be sent through that, instead of through # the 'authorize' section again. # # However, for backwards compatibility, this behaviour is configurable. # The default configuration is 'yes', for backwards compatibility. # To use ONLY the new 'post_proxy' section, set this value to 'no'. # post_proxy_authorize = yes ... } realm otp { type = radius authhost = myproxyradius:1812 secret = xxxxxxx } And it works because it parses twice the authorization section (as i seemed to understand, sorry i'm french ;o))...a thing that doesn't happen in v2.x... Rgds Paul -- ============================ Paul TAVERNIER Equipe Reseaux-Securite Division Informatique Rectorat de ROUEN
How should i call the ldap module in the post_proxy section (in Freeradius v1 or v2...)?
It should perhaps be easier to ask a single question rather than in my long request posted yesterday...;o)
In Freeradius v1, i can merge in an access-accept response radius attribute to a proxy reply.
radiusd.conf ------------ .... authorize { ... suffix ldap ... }
post_proxy { eap } ....
proxy.conf ---------- proxy server { ... # # Older versions of the server would pass proxy requests through the # 'authorize' sections twice; once when the packet was received # from the NAS, and again after the reply was received from the home # server. Now that we have a 'post_proxy' section, the replies from # the home server should be sent through that, instead of through # the 'authorize' section again. # # However, for backwards compatibility, this behaviour is configurable. # The default configuration is 'yes', for backwards compatibility. # To use ONLY the new 'post_proxy' section, set this value to 'no'. # post_proxy_authorize = yes ... }
realm otp { type = radius authhost = myproxyradius:1812 secret = xxxxxxx }
And it works because it parses twice the authorization section (as i seemed to understand, sorry i'm french ;o))...a thing that doesn't happen in v2.x...
I think you should list authorize.ldap to execute ldap from authorize section. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Paul TAVERNIER -
tnt@kalik.net