LDAP Module only for Authorization and not for Authentication
Hallo, I have Freeradius 1.1.7 and use it to check user and password with pam module. The pam module uses pam_afs.so library to check in the kerberos IV server. I want to keep this configuration but additionaly to make a check for groups in LDAP. Something like: 1. Authorize Huntgroup-Name== xxx, Ldap-Group==xxx.... 2. Authenticate user + password through pam Can I do authorization with LDAP and then authenticate with pam? Then I don't want to provide any passwords in LDAP. Thay must stay in the kerberos IV server. When I use a remote LDAP-Server, should I configure some special modules during the installation of radius? Thanks. Regards Irina
HRZ Konten wrote:
I have Freeradius 1.1.7 and use it to check user and password with pam module.
I would suggest upgrading to 2.0.4.
The pam module uses pam_afs.so library to check in the kerberos IV server. I want to keep this configuration but additionaly to make a check for groups in LDAP. Something like: 1. Authorize Huntgroup-Name== xxx, Ldap-Group==xxx.... 2. Authenticate user + password through pam
Can I do authorization with LDAP and then authenticate with pam?
Yes. But I'm not sure what you mean by that. If you check the LDAP group, what do want to do with the result? Reject users NOT in an LDAP group? Please explain.
When I use a remote LDAP-Server, should I configure some special modules during the installation of radius?
You will need the rlm_ldap module. It depends on the OpenLDAP development libraries and headers. Alan DeKok.
1. Authorize Huntgroup-Name== xxx, Ldap-Group==xxx.... 2. Authenticate user + password through pam
Can I do authorization with LDAP and then authenticate with pam?
Yes. But I'm not sure what you mean by that. If you check the LDAP group, what do want to do with the result? Reject users NOT in an LDAP group? Please explain.
I want when requests are comming from the IP in the huntgroup, then to be checked whether the user is in the LDAP-Group, when yes, then check user/password with pam and send Accecc-Accept. When the user isn't in the LDAP-Group, then should be rejected.
HRZ Konten wrote:
I want when requests are comming from the IP in the huntgroup, then to be checked whether the user is in the LDAP-Group, when yes, then check user/password with pam and send Accecc-Accept. When the user isn't in the LDAP-Group, then should be rejected.
Put this in the "users" file. It's pretty much what you had... DEFAULT Huntgroup-Name == "foo", LDAP-Group == "bar", Auth-Type := PAM And repeat for different huntgroups && ldap groups. Any users NOT found will automatically be rejected. Alan DeKok.
participants (2)
-
Alan DeKok -
HRZ Konten