problem matching realms - for local auth not proxy
Seamus Bridgeman
seamusb114 at gmail.com
Fri Apr 3 15:55:02 CEST 2009
Fair enough Alan. Reprimand warranted and accepted. We removed proxy settings but naturally need this to match realms in proxy.conf, which solved our problem.
Take your point on controlled iterative changes to default settings in radiusd.conf and not butchering!
Just getting familiar with changes post 2.0.0 (virtual servers with authorise{} etc.).
We have a need to use dbm file given our volumes and migration from current dbm based Radius.
Thanks again for help/advice.
2009/4/1 Alan DeKok <aland at deployingradius.com>
> Seamus Bridgeman wrote:
> > Using freeradius2.1.3 for separate Auth and Acct servers in DSL/PPPoE
> > n/w. Using CHAP auth only and lookup via dbm file with users.txt
> > fallback.
> > Can successfully authenticate/authorise against specific user profiles
> > in users dbm/txt but problems when trying to match realms.
>
> Why are you using the DBM files?
>
> > We are not proxying to remote servers but do local auth on matching
> > realms. Am I missing some step/module which imports the proxy.conf
> > file - or the order of modules in authorise{} This issue occurs
> > regardless dbm or files based lookup and in realms module.
>
> No. The default configuration loads the proxy.conf file.
>
> > If I remove proxy.conf radius does not complain.
>
> Because it's not required in all configurations.
>
> > Added to dbm file:
> > /usr/local/freeradius/bin/rlm_dbm_cat -f
>
> Don't use rlm_dbm. Just use the normal "users" file. It works, and
> it's fast.
>
> > [3] radiusd.conf includes reference to realm module and includes in
> > authorise {} section. Also not including policy.conf which denies realms
> > by default.
>
> No, it doesn't. As the comments in that file should make clear, those
> are SAMPLE policies. They aren't used until you tell the server to use
> them.
>
> > authorize {
> ...
> > }
>
> Great. You've completely butchered the "authorize" section, and
> removed all references to the "realms" module.
>
> Can you explain WHY you did this? What documentation led you to
> conclude that deleting the majority of that section was a good idea?
>
> The recommendation here is simple:
>
> DO NOT BUTCHER THE DEFAULT INSTALL
>
> The default installation WORKS. If you had simply added a realm, and
> added entries in the "users" file... it would have WORKED.
>
> Instead, you spent a great deal of effort editing the configuration,
> breaking it, and then trying to debug it. Almost all of that work was
> wasted.
>
> The default installation works. Don't butcher it. Read "man
> radiusd" for instructions on how to edit the configuration without
> breaking it.
>
> Alan DeKok.
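The setup discussed in this thread (a realm that is matched and authenticated locally, with the default "authorize" section left intact) can be sketched as the following configuration fragments. This is an added example, not configuration posted by either participant or shipped by the project; the realm name example.net and the reply attribute are constructed, and only an excerpt of the default "authorize" section is shown.

```text
# --- proxy.conf -------------------------------------------------------
# Constructed realm name. A realm block that names no home server or
# server pool is a local realm: the request is not proxied, but the
# Realm attribute is still set so later modules can match on it.
realm example.net {
}

# --- authorize section (excerpt of the default, not a replacement) -----
authorize {
	preprocess
	chap        # CHAP-only deployment, as described in the thread
	# ... other default entries left in place ...
	suffix      # instance of the realm module: splits user@realm
	            # and looks the realm up in proxy.conf
	# ... other default entries left in place ...
	files       # the normal "users" file
}

# --- users ------------------------------------------------------------
# Constructed entry: apply reply items to every request whose realm
# matched above, then continue to the per-user entries.
DEFAULT Realm == "example.net"
	Framed-Protocol = PPP,
	Fall-Through = Yes
```

Running the server in debug mode (`radiusd -X`) shows whether the realm module ran before `files` and whether the Realm check item matched.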