MAC authorisation (but not authentication) via LDAP
Markus Krause
krause at biochem.mpg.de
Sun Feb 25 15:58:19 CET 2007
Zitat von Phil Mayers <p.mayers at imperial.ac.uk>:
> Markus Krause wrote:
>> modules {
>> ...
>> ldap LdapUser1 {
>> .... ldapserv1
>> }
>>
>> ldap LdapUser2 {
>> .... ldapserv2
>> }
>> ...
>> }
>>
>> authorize {
>> ...
>> Autz-Type LdapUser {
>> redundant {
>> LdapUser1
>> LdapUser2
>> }
>> }
>> ...
>> }
>>
>> authenticate {
>> ...
>> Auth-Type LdapUser {
>> redundant {
>> LdapUser1
>> LdapUser2
>> }
>> }
>> ...
>> }
>
> You should be able to replace this last bit with:
>
> authenticate {
> Auth-Type LdapUser1 {
> LdapUser1
> }
> Auth-Type LdapUser2 {
> LdapUser2
> }
> }
>
> ...and set the "set_auth_type = yes" on each LDAP module.
>
> The general idea is that MODULES should set Auth-Type (to themselves)
> indicating that they will handle the authenticate phase.
>
> Note that the above is still redundant - if the ldap module answered
> during the authorize phase, there's clearly only a miniscule chance it
> will have failed by the time authenticate runs.
>
> And in fact, if ldap1 succeeds during authorize but fails during
> authenticate, arguably passing it to ldap2 is an error - example, the
> user might have just changed their password so ldap1 fails, but ldap2 is
> still replicating so thinks the old password is valid.
ok, i agree with you, "enough" redundancy can be achieved by this
also. (the ldap servers used here are both consumers of the same
provider, all with very low load so it seems quite unlikely that they
run out of sync, but one never know...)
but what if the Auth-Type is not set, for example in a perl module
(btw. how can i set the auth-type? that would solve my problem here!).
example:
we (will) have a wlan which can be used by all our users known in ldap
and we have additional accounts saved in sql, which can be given to
guests by our departments and research groups, these accounts are then
valid for a fixed (preset) number of days since their first usage. to
check this i wrote a small perl script which works. so for
authorization i use in radiusd.conf:
----- part of radiusd.conf
authorization {
Autz-Type WLAN {
group {
mpi-sta {
ok = return
}
redundant {
LdapUser1
LdapUser2
}
}
}
}
authentication {
Auth-Type WLAN {
mpi-sta {
notfound = 1
}
redundant {
LdapUser1
LdapUser2
}
}
}
----
the Auth-Type is set in users according to the huntgroup of the wlan-switch as
the perl skript does not set auth-type (because i did not find any
documentation on how to set it) so i had to force auth-type to WLAN,
now it works.
----------------------------------------------------------------------
This message was sent using https://webmail2.biochem.mpg.de
If you encounter any problems please report to rz-linux at biochem.mpg.de
More information about the Freeradius-Users
mailing list