Hi everybody, I use freeradius 2.0.0 on red hat enterprise 3 AS and I set the authorize section to check the user credential with an sql database. This configuration works. But I want to know and how to do that if it's possible, if the user isn't the sql database, can freeradius check another database, like an ldap database. So when the user is in the sql database he gain access, if not he look in a ldap database and if he are present with valid credential, he gain access. Here my current authorize and authentification section : authorize { preprocess chap mschap unix suffix sql eap expiration logintime pap } authenticate { ntlm_auth Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } ---------------------------- Guillaume Chartrand Technicien informatique Cégep régional de Lanaudière Centre administratif, Repentigny (450) 470-0911 poste 7218
Guillaume Chartrand wrote:
I use freeradius 2.0.0 on red hat enterprise 3 AS and I set the authorize section to check the user credential with an sql database. This configuration works. But I want to know and how to do that if it's possible, if the user isn't the sql database, can freeradius check another database, like an ldap database. So when the user is in the sql database he gain access, if not he look in a ldap database and if he are present with valid credential, he gain access.
Yes. ... sql if (notfound) { ldap } See "man unlang". Alan DeKok.
Guillaume Chartrand wrote:
I use freeradius 2.0.0 on red hat enterprise 3 AS and I set the authorize section to check the user credential with an >sql database. This configuration works. But I want to know and how to do that if it's possible, if the user isn't the sql database, can freeradius check >another database, like an ldap database. So when the user is in the sql database he gain access, if not he look in a >ldap database and if he are present with valid credential, he gain access.
Yes.
... sql if (notfound) { ldap }
See "man unlang".
Alan DeKok. I write the if in my authorize section.. here some of my config in site-enabled/default authorize { preprocess chap mschap unix suffix sql if (notfound) { ntlm_auth } eap expiration logintime pap } authenticate {
ntlm_auth Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } And here is my radiusd.conf modules { exec ntlm_auth { wait = no program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } $INCLUDE eap.conf mschap { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-intranet} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } } If I comment in the mschap module the ntlm_auth and the user is present in sql, he's accepted. If he's not in sql but in my Active directory database, he's rejected If I comment out the ntlm_auth line, my sql user is rejected but my AD user was accepted. So Where I'm wrong, I want to use both authorize database. Thank
participants (2)
-
Alan DeKok -
Guillaume Chartrand