Force Auth-Type

Markus Moeller huaraz at moeller.plus.com
Thu Jan 24 14:51:23 CET 2008


"Alan DeKok" <aland at deployingradius.com> wrote in message 
news:47982BF4.7090801 at deployingradius.com...
> Markus Moeller wrote:
>> I am new to freeradius and try to authenticate users with pam and authorize
>> with ldap groups. I try to find a minimal configuration but have some
>> problems forcing the Auth-Type to be PAM.
>
>  You are aware that this will make EAP and many other authentication
> methods impossible?

That is not my requirement right now.

> ...
>> authorize {
>>        auth_log
>>        ldap
>> }
>
>  You can add the following just after ldap:
>
> update control {
>         Auth-Type := PAM
> }
>
>
>> Only if I set set_auth_type = yes in radiusd.conf for ldap and change
>> authorize in default to:
>>  Auth-Type LDAP {
>>       pam
>> }
>

That was the only way I could get it to work. If I use update control,
anybody can log in, whereas in my setup only a user who exists in ldap gets
Auth-Type set to LDAP; all other users have an empty value and therefore
cannot authenticate.

>  Please don't do that.
>
>> Is there also a way to disable the use of the ldap.attribute mapping as I
>> really don't need it?
>
>  You'll have to edit the source code.
>

I have changed my setup to use files and a users file together with a
"private" radius attribute mapped to an ldap entry, e.g.

dictionary has:

ATTRIBUTE user-location 3000 string

ldap.attrmap:

checkItem user-location office-address

in users I have:

DEFAULT user-location == "LDN", Auth-Type := Reject
        Reply-Message = "You are not allowed to login"
DEFAULT Auth-Type := PAM

in sites-enabled/default I have:

authorize {
        ldap
        files
}
authenticate {
        pam
}

Unfortunately that does not work, as I never hit the first DEFAULT statement
in users despite having a user-location of LDN. What am I doing wrong here?
How can I use an ldap query result to deny/allow access?

>  Alan DeKok.
Thank you
Markus 
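
Added example, not part of the original message or of the FreeRADIUS project's shipped configuration: one way to express the goal discussed in this thread in FreeRADIUS 2.x unlang, forcing Auth-Type to PAM only after the LDAP lookup has passed. It assumes the ldap instance returns notfound for users with no LDAP entry and that the checkItem mapping above places user-location in the control list.

```unlang
# sites-enabled/default (sketch; module instance names as used in this thread)
authorize {
        auth_log
        ldap

        # Assumption: rlm_ldap returns "notfound" when the search finds no
        # entry. Rejecting here keeps users who are not in LDAP from ever
        # reaching PAM, which an unconditional "update control" would allow.
        if (notfound) {
                reject
        }

        # Assumption: the ldap.attrmap line
        #     checkItem user-location office-address
        # has copied office-address into the control list as user-location.
        # The test is made on the control list explicitly.
        if ("%{control:user-location}" == "LDN") {
                update reply {
                        Reply-Message := "You are not allowed to login"
                }
                reject
        }

        # Reached only by users that exist in LDAP and passed the check above.
        update control {
                Auth-Type := PAM
        }
}

authenticate {
        pam
}
```

Running the server in debug mode (radiusd -X) shows which branch each request takes and whether user-location was actually populated from LDAP.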




