I’ve found some old posts about this on the mailing list, but all of those were 10+ years old and using v1 or v2. Further to that, I am using LDAP for authentication (Google doesn’t send passwords). So, in my authorize {} I have set this before pap to set the proper auth method: if (User-Password) { update control { Auth-Type := ldap } } Now I believe that I should just need to add another condition to check for files module returning notfound code, so that it only sets ldap in case the user is not found in files, otherwise it will just go on to pap. Something like if (User-Password && files == notfound) {...} But I can’t find the correct way to do this check. What is the attribute name corresponding to “files module return code” that I should check? I checked man unlang for that, but it only says that I can check for a module return code just after its execution. It doesn’t tell anything about a variable storing each module’s return code. Thanks!
On May 28, 2021, at 7:52 AM, Matteo Raffa <matteo.raf@gmail.com> wrote:
I’ve found some old posts about this on the mailing list, but all of those were 10+ years old and using v1 or v2.
The server doesn't include documentation for every situation. It includes generic "howto" docs, and then suggests that the admin figure out how to put the pieces together. It's not the friendliest of processes, but it's the only one that works. Just look at the sheer variety of questions posted to the list, and ask yourself if any amount of documentation would answer all of those questions.
Further to that, I am using LDAP for authentication (Google doesn’t send passwords).
So, in my authorize {} I have set this before pap to set the proper auth method:
if (User-Password) { update control { Auth-Type := ldap } }
Yes. That should work for Google LDAP. I wish they would update their crappy documentation. It's just... wrong.
Now I believe that I should just need to add another condition to check for files module returning notfound code, so that it only sets ldap in case the user is not found in files, otherwise it will just go on to pap.
Something like if (User-Password && files == notfound) {...}
But I can’t find the correct way to do this check. What is the attribute name corresponding to “files module return code” that I should check?
$ man unlang files if (notfound && User-Password) { ... }
I checked man unlang for that, but it only says that I can check for a module return code just after its execution. It doesn’t tell anything about a variable storing each module’s return code.
It doesn't save a variable for each possible module. That would be an enormous amount of work, and isn't that useful. You can just change the order of the modules in the configuration files. It might be better to explain what you're trying to do, instead of asking "why doesn't the server save each modules return code". i.e. don't ask why a particular solution doesn't work. Explain the problem, and let us suggest a solution that works. Alan DeKok.
It doesn't save a variable for each possible module. That would be an enormous amount of work, and isn't that useful.
Thanks for pointing that out, I wasn’t sure about that as I couldn’t find any reference on man pages.
You can just change the order of the modules in the configuration files.
It might be better to explain what you're trying to do, instead of asking "why doesn't the server save each modules return code".
i.e. don't ask why a particular solution doesn't work. Explain the problem, and let us suggest a solution that works.
I’m sorry, I just put that in the subject and didn’t repeat it in the text. What I want to achieve is quite simple: authenticate with LDAP only in case there’s no corresponding local user available. In the meanwhile I came up with this. I guess in case someone needs to check local users *after* ldap, it’d simply move the files module after ldap and before pap (without the additional condition check on files rcode). Am I right? files if (ok) { pap } -ldap if ((ok || updated) && User-Password) { update control { Auth-Type := ldap } } pap
Hi Matteo,
First of all, its hard to help you without the debug logs, please https://wiki.freeradius.org/guide/radiusd-X <https://wiki.freeradius.org/guide/radiusd-X>
Other than that, please take a look at https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HO... <https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO> if you’re looking for AD or just take a look at /etc/raddb/mods-available/ldap. Then, back to us with some debug output.
Hello Jorge, Thank you, but I already got LDAP authentication working. I am just trying to understand which is the best way to implement this additional “emergency” local auth.
On May 28, 2021, at 10:16 AM, Matteo Raffa <matteo.raf@gmail.com> wrote:
What I want to achieve is quite simple: authenticate with LDAP only in case there’s no corresponding local user available.
That shouldn't be too hard.
In the meanwhile I came up with this. I guess in case someone needs to check local users *after* ldap, it’d simply move the files module after ldap and before pap (without the additional condition check on files rcode). Am I right?
Yes.
files if (ok) { pap }
-ldap if ((ok || updated) && User-Password) { update control { Auth-Type := ldap } } pap
If it works, sure. Alan DeKok.
"Just look at the sheer variety of questions posted to the list, and ask yourself if any amount of documentation would answer all of those questions." The answer to that is clearly either 1) "Yes, period." or 2) "No, but the volume would be lower and the type of questions would be significantly more interesting." On Fri, May 28, 2021 at 9:22 AM Alan DeKok <aland@deployingradius.com> wrote:
On May 28, 2021, at 10:16 AM, Matteo Raffa <matteo.raf@gmail.com> wrote:
What I want to achieve is quite simple: authenticate with LDAP only in case there’s no corresponding local user available.
That shouldn't be too hard.
In the meanwhile I came up with this. I guess in case someone needs to check local users *after* ldap, it’d simply move the files module after ldap and before pap (without the additional condition check on files rcode). Am I right?
Yes.
files if (ok) { pap }
-ldap if ((ok || updated) && User-Password) { update control { Auth-Type := ldap } } pap
If it works, sure.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 28/05/2021 16:18, Anthony Stuckey wrote:
"Just look at the sheer variety of questions posted to the list, and ask yourself if any amount of documentation would answer all of those questions."
The answer to that is clearly either
That's the third time you've made your views clear over the last six weeks. I'd suggest you're either helpful and productive and actually do something to improve what you believe to be so awful, or stop sending e-mails that waste everyone's time. -- Matthew
On May 28, 2021, at 11:18 AM, Anthony Stuckey <anthonystuckey@gmail.com> wrote:
The answer to that is clearly
... put up or shut up. I have zero patience for people who want everyone *else* to do their work for them. It is immoral and unethical to complain when you get something for free. It is immoral and unethical to demand that other people work for free, to make you happy. As you've shown earlier, the problem isn't the documentation. The problem is you. You were unable to use the most basic skills to find the relevant documentation. Instead, you complained that it didn't exist. Well, it did. And in the most logical place: Pointers to Apple documentation about certs were in raddb/certs/README. I asked you "where else should we put it so that you would find it?" Instead of answering, you ran away. Because you would rather kill yourself than contribute something positive. Because you don't want to admit that the reason you couldn't find the documentation was *you*. If you keep complaining, you will be unsubscribed from the list and banned. This list is for people who want to get things done. You clearly don't, so your opinions are not welcome here. Alan DeKok.
Hi Matteo, First of all, its hard to help you without the debug logs, please https://wiki.freeradius.org/guide/radiusd-X <https://wiki.freeradius.org/guide/radiusd-X> Other than that, please take a look at https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HO... <https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO> if you’re looking for AD or just take a look at /etc/raddb/mods-available/ldap. Then, back to us with some debug output. — Jorge Pereira jpereira@freeradius.org
On 28 May 2021, at 08:52, Matteo Raffa <matteo.raf@gmail.com> wrote:
I’ve found some old posts about this on the mailing list, but all of those were 10+ years old and using v1 or v2.
Further to that, I am using LDAP for authentication (Google doesn’t send passwords).
So, in my authorize {} I have set this before pap to set the proper auth method:
if (User-Password) { update control { Auth-Type := ldap } }
Now I believe that I should just need to add another condition to check for files module returning notfound code, so that it only sets ldap in case the user is not found in files, otherwise it will just go on to pap.
Something like if (User-Password && files == notfound) {...}
But I can’t find the correct way to do this check. What is the attribute name corresponding to “files module return code” that I should check?
I checked man unlang for that, but it only says that I can check for a module return code just after its execution. It doesn’t tell anything about a variable storing each module’s return code.
Thanks! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan DeKok -
Anthony Stuckey -
Jorge Pereira -
Matteo Raffa -
Matthew Newton