Behaviour of multiple sequenced authorization modules ?
I would like to have multiple authorization modules invoked and then reject if ANY do NOT authorize ? For instance.. authorize { ldap1 ldap2 } It appears if just one returns OK, then the subsequent authentication works. BTW.. The subsequent authentication is actually a PEAP/MSCHAPV2... Therefore, the ldap modules are ONLY used for authorization... Is there somewhere that discusses the various options on how to control the behaviour when multiple authorization modules are involved ? Thanks, Robert Robert Roll Computer Professiona University of Utah Robert.Roll@utah.edu
I'm a little new to freeradius.. Hmm.. I guess I made the assumption that a user notfound would actually imply no authorization ? That doesn't seem to be the case ? So, I did the following... authorize { ldap1 { notfound = reject } ldap2 ( notfound = reject } } is this the correct way to do this ? Thanks, Robert ________________________________________ From: freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org] On Behalf Of Robert Roll [Robert.Roll@utah.edu] Sent: Monday, March 21, 2011 4:23 PM To: FreeRadius users mailing list Subject: Behaviour of multiple sequenced authorization modules ? I would like to have multiple authorization modules invoked and then reject if ANY do NOT authorize ? For instance.. authorize { ldap1 ldap2 } It appears if just one returns OK, then the subsequent authentication works. BTW.. The subsequent authentication is actually a PEAP/MSCHAPV2... Therefore, the ldap modules are ONLY used for authorization... Is there somewhere that discusses the various options on how to control the behaviour when multiple authorization modules are involved ? Thanks, Robert Robert Roll Computer Professiona University of Utah Robert.Roll@utah.edu - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Robert Roll wrote:
I'm a little new to freeradius.. Hmm.. I guess I made the assumption that a user notfound would actually imply no authorization ? That doesn't seem to be the case ?
No. "notfound" means that the user wasn't found. Some systems have multiple sources for users, so "notfound" is a fixable problem.
So, I did the following... ... is this the correct way to do this ?
Yes. Alan DeKok.
participants (2)
-
Alan DeKok -
Robert Roll