Hints file and Strip-User-Name

Ivan Kalik tnt at kalik.net
Tue Jun 3 20:46:43 CEST 2008


authenticate{}??? What are they doing there? Files are a part of
the authorize{} section.

Ivan Kalik
Kalik Informatika ISP


On 3/6/2008, "Paul Khavkine" <paul.khavkine at distributel.ca> wrote:

>
>
>files is there in authentication { } section.
>
>authenticate {
>        #
>        #  PAP authentication, when a back-end database listed
>        #  in the 'authorize' section supplies a password.  The
>        #  password can be clear-text, or encrypted.
>        Auth-Type PAP {
>                pap
>        }
>
>        #
>        #  Most people want CHAP authentication
>        #  A back-end database listed in the 'authorize' section
>        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
>        #  won't work.
>        Auth-Type CHAP {
>                chap
>        }
>
>        #
>        #  MSCHAP authentication.
>        Auth-Type MS-CHAP {
>                mschap
>        }
>
>        #
>        #  If you have a Cisco SIP server authenticating against
>        #  FreeRADIUS, uncomment the following line, and the 'digest'
>        #  line in the 'authorize' section.
>#       digest
>
>        #
>        #  Pluggable Authentication Modules.
>#       pam
>
>        #
>        #  See 'man getpwent' for information on how the 'unix'
>        #  module checks the users password.  Note that packets
>        #  containing CHAP-Password attributes CANNOT be authenticated
>        #  against /etc/passwd!  See the FAQ for details.
>        #
>#       unix
>
>        # Uncomment it if you want to use ldap for authentication
>        #
>        # Note that this means "check plain-text password against
>        # the ldap database", which means that EAP won't work,
>        # as it does not supply a plain-text password.
>#       Auth-Type LDAP {
>#               ldap
>#       }
>
>        #
>        #  Allow EAP authentication.
>        eap
>        files
> }
>
>
>Paul
>
>
>
>-----Original Message-----
>From: freeradius-users-bounces+paul.khavkine=distributel.ca at lists.freeradius.org
>[mailto:freeradius-users-bounces+paul.khavkine=distributel.ca at lists.freeradius.org] On Behalf Of Ivan Kalik
>Sent: June 3, 2008 2:07 PM
>To: FreeRadius users mailing list
>Subject: Re: Hints file and Strip-User-Name
>
>>
>>When I run radiusd -W I can see it enter the preprocess module and match
>>an entry, but the suffix is not being stripped and entry in users file
>>not being matched:
>>
>
>Not being stripped? You think that's the problem.
>
>>
>>
>>Tue Jun  3 12:54:15 2008 : Debug: +- entering group authorize
>>
>>Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling suffix (rlm_realm) for request 0
>...
>>Tue Jun  3 12:54:15 2008 : Debug:   modsingle[authorize]: calling
>>preprocess (rlm_preprocess) for request 0
>>
>...
>>Tue Jun  3 12:54:15 2008 : Debug: auth: No authenticate method
>>(Auth-Type) configuration found for the request: Rejecting the user
>>
>
>You haven't hacked away at the default configuration by any chance?
>Users file entry is not matched because you prevented the server from
>looking there. Even if you put "files" back in it still won't work as
>you have broken every single authentication method. Well done! Now put
>the configuration back the way it was and watch it work.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
>
>
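
The misplacement discussed in this thread can be caught before the server is started. The following is an added example, not part of the original messages or of FreeRADIUS: a small check that lists the modules in each top-level section and flags `files` when it appears in authenticate{} or is absent from authorize{}. The sample configuration is constructed; its authorize{} contents are an assumption based on the modules named in the quoted debug log.

```python
# Constructed sample modelled on the thread: 'files' sits in authenticate{}
# and is not active in authorize{}. The authorize{} body is an assumption.
SAMPLE_CONF = """
authorize {
        suffix
        preprocess
#       files
}
authenticate {
        Auth-Type PAP {
                pap
        }
#       unix
        eap
        files
}
"""

def section_modules(conf_text):
    """Map each top-level section to the modules listed in it, sub-blocks included."""
    sections, stack = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out modules
        if not line:
            continue
        if line.endswith("{"):               # e.g. 'authenticate {' or 'Auth-Type PAP {'
            stack.append(line[:-1].strip())
            if len(stack) == 1:
                sections.setdefault(stack[0], [])
        elif line == "}":
            if stack:
                stack.pop()
        elif stack:                          # a module reference inside some block
            sections[stack[0]].append(line.split()[0])
    return sections

def check_files_placement(conf_text):
    """Return findings for the misconfiguration described in the thread."""
    mods = section_modules(conf_text)
    findings = []
    if "files" in mods.get("authenticate", []):
        findings.append("files is listed in authenticate{}; it belongs in authorize{}")
    if "files" not in mods.get("authorize", []):
        findings.append("files is not active in authorize{}; the users file is not consulted")
    return findings

if __name__ == "__main__":
    for finding in check_files_placement(SAMPLE_CONF):
        print(finding)
```
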



