Freeradius and LDAP : to be continued
Phil Mayers
p.mayers at imperial.ac.uk
Thu Dec 15 15:02:53 CET 2005
Alan DeKok wrote:
> <christophe.gravier at univ-st-etienne.fr> wrote:
>> rlm_ldap: Adding userPassword as User-Password, value { & op=11
>
> That's better.
>
>> modcall: group authorize returns ok for request 0
>> rad_check_password: Found Auth-Type LDAP
>
> Yuck.
>
> My quick answer is to edit rlm_ldap.c to have it *never* set
> Auth-Type to LDAP. That would solve a lot of problems.
Interesting. I mentioned this to another querier the other day:
http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html
What then would the authenticate section look like to use LDAP?
Presumably something like:
authenticate {
    Auth-Type PAP {
        ldap
    }
}
...but of course then you get into what happens if you want 2 different
services in the same server, such as:
authenticate {
    Auth-Type PAP-service1 {
        ldap1
    }
    Auth-Type PAP-service2 {
        ldap2
    }
    Auth-Type MSCHAP-service1 {
        mschap1
    }
    Auth-Type MSCHAP-service2 {
        mschap2
    }
}
...etc. - nasty. Is it possible to do:
authenticate {
    Huntgroup Service1 {
        Auth-Type PAP {
            ldap1
        }
        Auth-Type MSCHAP {
            mschap1
        }
    }
    Huntgroup Service2 {
        Auth-Type PAP {
            ldap2
        }
        Auth-Type MSCHAP {
            mschap2
        }
    }
}
...although "Realm" might make more sense than "Huntgroup" in
understanding what I mean.
There's also the possibility of wanting to use fallback:
authenticate {
    Auth-Type PAP {
        ldap
        pap
    }
}
...although I'm pretty sure you can do that with configurable failover
and the above syntax is wrong.
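As an added illustration (not part of the list post and not FreeRADIUS's shipped configuration), this is how the "two services, two LDAP directories" case and the fallback case are usually expressed in FreeRADIUS 1.x/2.x syntax: the per-service selection is done in authorize by setting Auth-Type from a check item, so no Huntgroup or Realm keyword is needed inside authenticate. The instance names (ldap1, ldap2), huntgroup names, NAS addresses and LDAP hostnames are constructed; the LDAP sections only cover the PAP bind case.

```text
# radiusd.conf: two rlm_ldap instances, one per service (constructed values)
modules {
    ldap ldap1 {
        server = "ldap1.example.org"
        basedn = "ou=people,dc=service1,dc=example"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
    ldap ldap2 {
        server = "ldap2.example.org"
        basedn = "ou=people,dc=service2,dc=example"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }
}

# huntgroups: classify the NAS into a service (constructed NAS addresses)
service1    NAS-IP-Address == 192.0.2.10
service2    NAS-IP-Address == 192.0.2.20

# users: pick the Auth-Type from the huntgroup; ":=" overrides any value a
# module set earlier, which is the "rlm_ldap sets Auth-Type LDAP" problem
DEFAULT     Huntgroup-Name == "service1", Auth-Type := ldap1
            Fall-Through = Yes
DEFAULT     Huntgroup-Name == "service2", Auth-Type := ldap2
            Fall-Through = Yes

# radiusd.conf: preprocess evaluates huntgroups, files applies the users file;
# the ldap instances are deliberately not called here, so they cannot set
# Auth-Type themselves
authorize {
    preprocess
    files
}

# each Auth-Type section names the instance that should do the LDAP bind
authenticate {
    Auth-Type ldap1 {
        ldap1
    }
    Auth-Type ldap2 {
        ldap2
    }
    # fallback variant from the post: try the LDAP bind first and only fall
    # back to local PAP if rlm_ldap fails (redundant stops at the first success)
    Auth-Type PAP {
        redundant {
            ldap1
            pap
        }
    }
}
```

A request that matches neither huntgroup keeps whatever Auth-Type the rest of authorize produced, so an explicit default DEFAULT entry or a reject is worth adding in a real deployment.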