Freeradius and LDAP : to be continued

Christophe Gravier christophe.gravier at univ-st-etienne.fr
Thu Dec 15 16:04:52 CET 2005


Phil Mayers wrote:

> Alan DeKok wrote:
>
>> <christophe.gravier at univ-st-etienne.fr> wrote:
>>
>>> rlm_ldap: Adding userPassword as User-Password, value { & op=11
>>
>>
>>   That's better.
>>
>>> modcall: group authorize returns ok for request 0
>>>   rad_check_password:  Found Auth-Type LDAP
>>
>>
>>   Yuck.
>>
>>   My quick answer is to edit rlm_ldap.c to have it *never* set
>> Auth-Type to LDAP.  That would solve a lot of problems.
>
>
> Interesting. I mentioned this to another querier the other day:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html 
>


Argggg. You lost me.

Still not working.
I can't imagine I'm unable to make freeradius use the LDAP password without 
hacking it :-/

>
> What then would the authenticate section look like to use LDAP? 
> Presumably something like:
>
> authenticate {
>   Auth-Type PAP {
>     ldap
>   }
> }
>
> ...but of course then you get into what happens if you want 2 
> different services in the same server, such as:
>
> authenticate {
>   Auth-Type PAP-service1 {
>     ldap1
>   }
>   Auth-Type PAP-service2 {
>     ldap2
>   }
>   Auth-Type MSCHAP-service1 {
>     mschap1
>   }
>   Auth-Type MSCHAP-service2 {
>     mschap2
>   }
> }
>
> ...etc. - nasty. Is it possible to do:
>
> authenticate {
>   Huntgroup Service1 {
>     Auth-Type PAP {
>       ldap1
>     }
>     Auth-Type MSCHAP {
>       mschap1
>     }
>   }
>
>   Huntgroup Service2 {
>     Auth-Type PAP {
>       ldap2
>     }
>     Auth-Type MSCHAP {
>       mschap2
>     }
>   }
> }
>
> ...although "Realm" might make more sense than "Huntgroup" in 
> understanding what I mean.
>
> There's also the possibility of wanting to use fallback:
>
> authenticate {
>   Auth-Type PAP {
>     ldap
>     pap
>   }
> }
>
> ...although I'm pretty sure you can do that with configurable failover 
> and the above syntax is wrong.
>


-- 
Christophe Gravier
DIOM Laboratory, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel: 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html



