MAC authorisation (but not authentication) via LDAP
Phil Mayers
p.mayers at imperial.ac.uk
Sun Feb 25 15:13:40 CET 2007
Markus Krause wrote:
> modules {
> ...
> ldap LdapUser1 {
> .... ldapserv1
> }
>
> ldap LdapUser2 {
> .... ldapserv2
> }
> ...
> }
>
> authorize {
> ...
> Autz-Type LdapUser {
> redundant {
> LdapUser1
> LdapUser2
> }
> }
> ...
> }
>
> authenticate {
> ...
> Auth-Type LdapUser {
> redundant {
> LdapUser1
> LdapUser2
> }
> }
> ...
> }
You should be able to replace this last bit with:
authenticate {
Auth-Type LdapUser1 {
LdapUser1
}
Auth-Type LdapUser2 {
LdapUser2
}
}
...and set the "set_auth_type = yes" on each LDAP module.
The general idea is that MODULES should set Auth-Type (to themselves)
indicating that they will handle the authenticate phase.
Note that the above is still redundant - if the ldap module answered
during the authorize phase, there's clearly only a miniscule chance it
will have failed by the time authenticate runs.
And in fact, if ldap1 succeeds during authorize but fails during
authenticate, arguably passing it to ldap2 is an error - example, the
user might have just changed their password so ldap1 fails, but ldap2 is
still replicating so thinks the old password is valid.
More information about the Freeradius-Users
mailing list