Different Passwd Files on Different Servers
I'm relatively new to the radius universe and I'd like to ask your help regarding my freeradius concerns. We're trying to configure freeradius to read from different passwd files based on their domains. We have around 20 virtual domains spanning 2 servers. Now my question is two-fold: 1. How will I configure the conf files in order to authenticate different users to different passwd and shadow files based on their domain names? Do I go the configurable failover route? If so, can anyone give me tips or forward me a good link on how to set this up? 2. What is the most elegant way of accessing the passwd files on the second server? Should I set up another radius server on the second box and pass on the request? Or is there a better alternative. Thank you very much for any help you might be able to pass along. Barok Beronilla
Bryan Beronilla <bberonilla@gmail.com> wrote:
1. How will I configure the conf files in order to authenticate different users to different passwd and shadow files based on their domain names?
You don't. You configure the "passwd" module to read passwords from the different files. The server will then use the password to authenticate the user. To select which passwd module to use, and which passwd file to read, see doc/Autz-Type.
2. What is the most elegant way of accessing the passwd files on the second server? Should I set up another radius server on the second box and pass on the request? Or is there a better alternative.
I would suggest copying the passwd files between the servers, unless there's some other interaction I'm not aware of. Alan DeKok.
On 7/20/05, Alan DeKok <aland@ox.org> wrote:
Bryan Beronilla <bberonilla@gmail.com> wrote:
1. How will I configure the conf files in order to authenticate different users to different passwd and shadow files based on their domain names?
You don't. You configure the "passwd" module to read passwords from the different files. The server will then use the password to authenticate the user.
To select which passwd module to use, and which passwd file to read, see doc/Autz-Type.
I've tried using Autz-Tye but I can't seem to quite make it work. I'm getting this erro: No authenticate method (Auth-Type) configuration found for the request. I'm not sure where this should be set. I've defined the passwd modules in in the modules subsection: passwd sys_passwd { filename = /etc/passwd format = "*User-Name::LM-Password" authtype = MS-CHAP } # Added by Barok for alternate password passwd virtual_passwd { filename = /home/virtual/domain.com/etc/passwd format = "*User-Name::LM-Password" authtype = MS-CHAP } And I've inserted this int he users file: DEFAULT Realm == "domain.com" Autz-Type := virtual_passwd, Auth-Type := unix, Fall-Through = 1 DEFAULT Realm == "NULL" Autz-Type := sys_passwd, Auth-Type := unix Added this to authorize: Autz-Type domain.com{ virtual_passwd } Autz-Type NULL{ sys_passwd } And this to the authenticate portion: Auth-Type domain.com{ unix } Auth-Type NULL{ unix } I tried to follow the doc file mentioned but I can't seem to make it work. I apologize if this might be a basic question that should be obvious to me by now. I have only started using radius past two weeks.
2. What is the most elegant way of accessing the passwd files on the second server? Should I set up another radius server on the second box and pass on the request? Or is there a better alternative.
I would suggest copying the passwd files between the servers, unless there's some other interaction I'm not aware of.
This might not be an option we can consider. The users are dynamically created, so a copy-and-paste-passwd-files solution would not be practical. What other solutions exists? We're considering proxying off to another radius on the 2nd box, or to go the NFS route...
Alan DeKok.
Thank you very much for your patience.
I've tried using Autz-Tye but I can't seem to quite make it work. I'm getting this erro: No authenticate method (Auth-Type) configuration found for the request. I'm not sure where this should be set.
And I've inserted this int he users file: DEFAULT Realm == "domain.com" Autz-Type := virtual_passwd, Auth-Type := unix, Fall-Through = 1
DEFAULT Realm == "NULL" Autz-Type := sys_passwd, Auth-Type := unix
This users file entries are invalid. Read man 5 users. All check-items, go on the first line. Try this (I shorted virtual_passwd to make sure you saw it on one line) DEFAULT Realm == "domain.com", Autz-Type := virt, Auth-Type := unix Fall-Through = no Same for the last one.
Bryan Beronilla <bberonilla@gmail.com> wrote:
# Added by Barok for alternate password passwd virtual_passwd { filename = /home/virtual/domain.com/etc/passwd format = "*User-Name::LM-Password" authtype = MS-CHAP
...
DEFAULT Realm == "domain.com" Autz-Type := virtual_passwd, Auth-Type := unix,
I'll echo the previous response that this format is wrong. But there's another problem, too. You've set Auth-Type TWICE. Once via the "passwd" module, to MS-CHAP, and once via the "users" file to "unix". Now, unless your unix is very different than every other one I've seen, it won't know what to do with the LM-Password read from /home/virtual/domain.com/etc/passwd, and it won't know what to do with any MS-CHAP request. Don't set Auth-Type to "unix". It's completely wrong. Alan DeKok.
On 7/22/05, Alan DeKok <aland@ox.org> wrote:
Bryan Beronilla <bberonilla@gmail.com> wrote:
# Added by Barok for alternate password passwd virtual_passwd { filename = /home/virtual/domain.com/etc/passwd format = "*User-Name::LM-Password" authtype = MS-CHAP
...
DEFAULT Realm == "domain.com" Autz-Type := virtual_passwd, Auth-Type := unix,
I'll echo the previous response that this format is wrong.
But there's another problem, too. You've set Auth-Type TWICE. Once via the "passwd" module, to MS-CHAP, and once via the "users" file to "unix".
Now, unless your unix is very different than every other one I've seen, it won't know what to do with the LM-Password read from /home/virtual/domain.com/etc/passwd, and it won't know what to do with any MS-CHAP request.
Don't set Auth-Type to "unix". It's completely wrong.
Alan DeKok.
Still getting the errors I got before about not setting an auth type. Where should the auth type be set? I've tried the config Dusty mentioned but still getting me nowhere...
Bryan Beronilla <bberonilla@gmail.com> wrote:
Still getting the errors I got before about not setting an auth type. Where should the auth type be set?
The server figures it out.
I've tried the config Dusty mentioned but still getting me nowhere...
Try one thing at a time. The default config works. You can start from there, and add new features one by one. Alan DeKok.
participants (3)
-
Alan DeKok -
Bryan Beronilla -
Dusty Doris