authenticating multiple modules?
Alan DeKok
aland at deployingradius.com
Mon Mar 12 10:03:23 CET 2007
Tim Tyler wrote:
> Freeradius experts,
> I want to use one freeradius server to authenticate against a
> system file for students and against ldap for faculty/staff. I can
> get the system file to work alone. I can get the ldap module to work
> alone. But I can't seem to find a way to get both of them to work
> together. If I set DEFAULT Auth-Type = System in the users file, it
> authenticates the system files. If I set it to ldap, it
> authenticates to ldap.
Which is why we recommend not using Auth-Type. Almost everyone uses
it wrong.
> If I put both in the users file, it
> authenticates ldap users only.
See "man rlm_users" for why. It's doing what you tell it to do, not
what you expect it to do.
> How do I allow both unix and ldap
> modules to authenticate their respective users? Note: users are
> unique to each module. A user in unix does not exist in ldap and vice versa.
Don't authenticate people via LDAP. LDAP isn't an authentication
server. It's a database.
Instead, pull the password from LDAP, and let the server decide how
the user should be authenticated.
You could also set Auth-Type *conditionally*, if the user was in one
group or another.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
More information about the Freeradius-Users
mailing list