Mixed-mode authentication environment

Daniel Corbe daniel.junkmail at gmail.com
Thu Sep 8 23:50:03 CEST 2005


So that worked, group authentication.  Thank you for pointing me in
the right direction.

BTW I do know how RADIUS and LDAP work.  I'm not new to the
technology, just FreeRADIUS in general.

Thanks again.

-Daniel

On 9/8/05, Daniel Corbe <daniel.junkmail at gmail.com> wrote:
> I see where I erred in my ways.  I'm setting the Auth-Type to LDAP
> specifically in the users file as I have a Fall-Through configured:
> 
> DEFAULT Auth-Type := LDAP
>         Fall-Through = 1
> 
> and the ldap_howto suggests using LDAP groups instead.
> 
> I'm going to go back and set this up "the right way" instead of "the wrong way"
> 
> -Daniel
> 
> 
> On 9/8/05, Daniel Corbe <daniel.junkmail at gmail.com> wrote:
> > I didn't pull this configuration file out of my ass.  I *AM* using
> > default configs.
> >
> > More to follow...
> >
> > On 9/8/05, Alan DeKok <aland at ox.org> wrote:
> > > Daniel Corbe <daniel.junkmail at gmail.com> wrote:
> > > > I'm not sure I understand why my approach is so incorrect.  If I am
> > > > wrong, please explain it to me.
> > >
> > >   I would suggest reading the existing samples and documentation for
> > > how to configure the server.  They explain the correct way to do
> > > things.  The number of incorrect ways to do things is almost infinite.
> > >
> > > > My understanding is we've AUTHORIZED the request by pulling the
> > > > password information off of the LDAP server and storing it in memory.
> > >
> > >   Yes.
> > >
> > > > Then (according to my understanding of the radiusd.conf) in the
> > > > authenticate {} block, we pick which modules in order will do the
> > > > AUTHENTICATION part of the AAA session.  One of the two modules will
> > > > always fail.
> > >
> > >   If, and ONLY if, you list BOTH modules in an "Auth-Type {}" section
> > > in "authenticate".
> > >
> > >   The solution is DON'T DO THAT.
> > >
> > >   List them separately, as shown in the default config.
> > >
> > >   Again, I'm a little surprised that this is so hard to configure,
> > > given that the default config shows how to do it.  It takes additional
> > > effort to create a different configuration, which will then not work.
> > >
> > > > We first try the digest module and get this:
> > > >   Processing the authenticate section of radiusd.conf
> > > > modcall: entering group Auth-Type for request 1
> > > > ERROR: No Digest-Nonce: Cannot perform Digest authentication
> > > >   modcall[authenticate]: module "digest" returns invalid for request 1
> > > >
> > > > Then we move on to the next section of the Auth-Type LDAP
> > > > configuration section of the authenticate {} block, and allow the LDAP
> > > > module to take a crack at it and thus we have a successful
> > > > authentication:
> > >
> > >   Yes.  Your configuration seems to work, but it's inefficient and
> > > unnecessary.  Rather than following the existing examples, you appear
> > > to have randomly added hacks until it "works", with little
> > > understanding of how the server is supposed to be configured.
> > >
> > >   Please, use the default configuration where possible.  It works, and
> > > it was designed by people who understand LDAP, digest, and the server.
> > > Your hacks may appear to work, but they are based on misunderstandings
> > > and confusion.  They WILL NOT be maintainable by you, or anyone else
> > > going into the future.
> > >
> > >   Alan DeKok.
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >
> >
>
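The two configurations the thread contrasts, written out as an added illustration (not Daniel's files, the default config, or the ldap_howto text): the stacked-module form Alan objects to, and the default-config form with group authorization in the users file that Daniel ended up with. The group name "dialup", the Reply-Message strings, and an rlm_ldap instance configured for group lookups are assumptions.

```conf
# ---- What the thread warns against (constructed illustration) ----

# users: every request is forced to Auth-Type LDAP during authorize, so the
# digest module never gets the chance to select Auth-Type Digest.
DEFAULT Auth-Type := LDAP
        Fall-Through = 1

# radiusd.conf: two authentication modules stacked inside ONE Auth-Type block.
# Every request that reaches the block is offered to both; digest logs
# "No Digest-Nonce" and returns invalid before ldap finally handles it.
authenticate {
        Auth-Type LDAP {
                digest
                ldap
        }
}

# ---- The default-config way, with group authorization in the users file ----
# users: no Auth-Type is forced. Ldap-Group is a check item provided by
# rlm_ldap (the module must be loaded; the group name "dialup" is assumed).
# The first entry deliberately has no Fall-Through, so members stop here
# and never reach the catch-all reject below.
DEFAULT Ldap-Group == "dialup"
        Reply-Message = "Welcome"

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of the dialup group"

# radiusd.conf: each Auth-Type listed separately. Whichever module recognised
# the request during authorize sets Auth-Type (digest for Digest requests,
# ldap when it found no password attribute to hand back), and only that
# block runs during authenticate.
authorize {
        preprocess
        digest
        suffix
        files
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        digest
        Auth-Type LDAP {
                ldap
        }
}
```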
