Mixed-mode authentication environment

Daniel Corbe daniel.junkmail at gmail.com
Thu Sep 8 23:14:07 CEST 2005


I see where I erred in my ways.  I'm setting the Auth-Type to LDAP
specifically in the users file as I have a Fall-Through configured:

DEFAULT Auth-Type := LDAP
        Fall-Through = 1

and the ldap_howto suggests using LDAP groups instead.

I'm going to go back and set this up "the right way" instead of "the wrong way".

-Daniel


On 9/8/05, Daniel Corbe <daniel.junkmail at gmail.com> wrote:
> I didn't pull this configuration file out of my ass.  I *AM* using
> default configs.
> 
> More to follow...
> 
> On 9/8/05, Alan DeKok <aland at ox.org> wrote:
> > Daniel Corbe <daniel.junkmail at gmail.com> wrote:
> > > I'm not sure I understand why my approach is so incorrect.  If I am
> > > wrong, please explain it to me.
> >
> >   I would suggest reading the existing samples and documentation for
> > how to configure the server.  They explain the correct way to do
> > things.  The number of incorrect ways to do things is almost infinite.
> >
> > > My understanding is we've AUTHORIZED the request by pulling the
> > > password information off of the LDAP server and storing it in memory.
> >
> >   Yes.
> >
> > > Then (according to my understanding of the radiusd.conf) in the
> > > authenticate {} block, we pick which modules in order will do the
> > > AUTHENTICATION part of the AAA session.  One of the two modules will
> > > always fail.
> >
> >   If, and ONLY if, you list BOTH modules in an "Auth-Type {}" section
> > in "authenticate".
> >
> >   The solution is DON'T DO THAT.
> >
> >   List them separately, as shown in the default config.
> >
> >   Again, I'm a little surprised that this is so hard to configure,
> > given that the default config shows how to do it.  It takes additional
> > effort to create a different configuration, which will then not work.
> >
> > > We first try the digest module and get this:
> > >   Processing the authenticate section of radiusd.conf
> > > modcall: entering group Auth-Type for request 1
> > > ERROR: No Digest-Nonce: Cannot perform Digest authentication
> > >   modcall[authenticate]: module "digest" returns invalid for request 1
> > >
> > > Then we move on to the next section of the Auth-Type LDAP
> > > configuration section of the authenticate {} block, and allow the LDAP
> > > module to take a crack at it and thus we have a successful
> > > authentication:
> >
> >   Yes.  Your configuration seems to work, but it's inefficient and
> > unnecessary.  Rather than following the existing examples, you appear
> > to have randomly added hacks until it "works", with little
> > understanding of how the server is supposed to be configured.
> >
> >   Please, use the default configuration where possible.  It works, and
> > it was designed by people who understand LDAP, digest, and the server.
> > Your hacks may appear to work, but they are based on misunderstandings
> > and confusion.  They WILL NOT be maintainable by you, or anyone else
> > going into the future.
> >
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
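The layout Alan describes above, shown as an added illustration that is not from the original thread or the FreeRADIUS distribution: the users-file entry that forces `Auth-Type := LDAP` with a `Fall-Through` is replaced by group checks, and digest and LDAP are listed separately in `authenticate`. It assumes FreeRADIUS 1.x syntax; the `Ldap-Group` check item and the `DEFAULT` entries are modelled on the ldap_howto rather than copied from it, and the group names are constructed.

```conf
# --- users file, the problematic form from the thread: every request is
# forced to Auth-Type LDAP before any module has looked at it, so the
# digest module can never be chosen for Digest requests.
#DEFAULT Auth-Type := LDAP
#        Fall-Through = 1

# --- users file, corrected form (assumed): no Auth-Type is forced here.
# The ldap module in authorize fetches the entry and, when it finds no
# password attribute, selects LDAP authentication itself; the digest
# module in authorize recognises Digest requests by their Digest-* AVPs.
# Group membership is a check item (Ldap-Group), as the ldap_howto advises.
DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
        Reply-Message = "Account disabled"

DEFAULT Ldap-Group == "dialup"
        Service-Type = Framed-User,
        Fall-Through = 1

# --- radiusd.conf (assumed ordering): each method in its own Auth-Type
# block, or bare for modules that name their own Auth-Type.  Two modules
# inside one Auth-Type section would mean one of them always fails.
authorize {
        preprocess
        digest
        ldap
        files
}

authenticate {
        Auth-Type PAP {
                pap
        }
        digest
        Auth-Type LDAP {
                ldap
        }
}
```

With this layout a Digest request never reaches the ldap authenticator and a plain-password request never reaches digest, so the "module returns invalid" line from the thread disappears from the debug output.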