MAC authorisation (but not authentication) via LDAP
Markus Krause
krause at biochem.mpg.de
Sun Feb 25 15:13:39 CET 2007
Quoting Phil Mayers <p.mayers at imperial.ac.uk>:
> Markus Krause wrote:
>
>> i am not sure if your approach could really fulfill my needs (no
>> redundancy, serving different types of "requests") ... but i would
>> really like to know ;-)
>
> Hmm.
>
> Without more details it's difficult to say, but what you need does not
> sound excessively difficult. At most, Autz-Type should suffice. Why are
> you finding you need to set Auth-Type?
i thought this is necessary as i use redundant sections.
in users i have something like:
DEFAULT Huntgroup-Name == vpn, Autz-Type := LdapUser, Auth-Type := LdapUser
some parts of my radiusd.conf:
----- radiusd.conf parts
modules {
    ...
    ldap LdapUser1 {
        .... ldapserv1
    }
    ldap LdapUser2 {
        .... ldapserv2
    }
    ...
}
authorize {
    ...
    Autz-Type LdapUser {
        redundant {
            LdapUser1
            LdapUser2
        }
    }
    ...
}
authenticate {
    ...
    Auth-Type LdapUser {
        redundant {
            LdapUser1
            LdapUser2
        }
    }
    ...
}
-----
it seems that if the authorization is successfully done by LdapUser1
the Auth-Type is set to LdapUser1. if i do not set it to LdapUser in the
file users i get the error message "No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user". if i set
Auth-Type to LdapUser in users it works. it also works without setting
this if i do not use redundant settings (just call the module LdapUser).
> The ldap module can be peculiar in this regard - are you authenticating
> the users by doing simple bind, or are you extracting the passwords from
> ldap and using rlm_pap and such?
i am just authenticating by doing simple bind.
if i should post more details please let me know!
with best regards
markus