Freeradius and LDAP : to be continued

Seferovic Edvin edvin.seferovic at kolp.at
Thu Dec 15 16:15:07 CET 2005


Hello,

I must admit, I have been reading this thread, but I still do not understand
what Christophe is trying to accomplish. As far as I understand, you have
your passwords in LDAP, and you only (kind of) need to authorize but NOT
authenticate users that are in your LDAP directory.

Please correct me...

Regards,

Edvin

-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
Christophe Gravier
Sent: Thursday, 15 December 2005 16:05
To: FreeRadius users mailing list
Subject: Re: Freeradius and LDAP : to be continued

Phil Mayers wrote:

> Alan DeKok wrote:
>
>> <christophe.gravier at univ-st-etienne.fr> wrote:
>>
>>> rlm_ldap: Adding userPassword as User-Password, value { & op=11
>>
>>
>>   That's better.
>>
>>> modcall: group authorize returns ok for request 0
>>>   rad_check_password:  Found Auth-Type LDAP
>>
>>
>>   Yuck.
>>
>>   My quick answer is to edit rlm_ldap.c to have it *never* set
>> Auth-Type to LDAP.  That would solve a lot of problems.
>
>
> Interesting. I mentioned this to another querier the other day:
>
>
> http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html
>


Argggg. You lost me.

Still not working.
I can't imagine I'm unable to make freeradius use LDAP password without 
hacking it :-/

>
> What then would the authenticate section look like to use LDAP? 
> Presumably something like:
>
> authenticate {
>   Auth-Type PAP {
>     ldap
>   }
> }
>
> ...but of course then you get into what happens if you want 2 
> different services in the same server, such as:
>
> authenticate {
>   Auth-Type PAP-service1 {
>     ldap1
>   }
>   Auth-Type PAP-service2 {
>     ldap2
>   }
>   Auth-Type MSCHAP-service1 {
>     mschap1
>   }
>   Auth-Type MSCHAP-service2 {
>     mschap2
>   }
> }
>
> ...etc. - nasty. Is it possible to do:
>
> authenticate {
>   Huntgroup Service1 {
>     Auth-Type PAP {
>       ldap1
>     }
>     Auth-Type MSCHAP {
>       mschap1
>     }
>   }
>
>   Huntgroup Service2 {
>     Auth-Type PAP {
>       ldap2
>     }
>     Auth-Type MSCHAP {
>       mschap2
>     }
>   }
> }
>
> ...although "Realm" might make more sense than "Huntgroup" in 
> understanding what I mean.
>
> There's also the possibility of wanting to use fallback:
>
> authenticate {
>   Auth-Type PAP {
>     ldap
>     pap
>   }
> }
>
> ...although I'm pretty sure you can do that with configurable failover 
> and the above syntax is wrong.
> - List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>


-- 
Christophe Gravier
DIOM Laboratory, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
