Dynamically set password_attribute

James Devine fxmulder at gmail.com
Thu Apr 16 16:51:19 CEST 2009


Being able to verify the mac against the ldap database is the best scenario,
the mysql database we are using for accounting only.  I added:

DEFAULT User-Name =~ "([0-9a-fA-F]{2}:){5}[0-9a-fA-F]"
        Auth-Type := Accept

to the users file, but I am still seeing it set the auth type to ldap after
authorization:

Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: waiting for bind result ...
Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: Bind was successful
Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: performing search in dc=gwis,
with filter (&(macaddress=00:1f:3a:21:62:f8)(aaaenable=1))
Thu Apr 16 13:59:32 2009 : Info: [ldap] looking for check items in
directory...
Thu Apr 16 13:59:32 2009 : Debug: rlm_ldap: aaasimultaneoususe ->
Simultaneous-Use == 1
Thu Apr 16 13:59:32 2009 : Info: [ldap] looking for reply items in
directory...
Thu Apr 16 13:59:32 2009 : Debug: WARNING: No "known good" password was
found in LDAP.  Are you sure that the user is configured correctly?
Thu Apr 16 13:59:32 2009 : Info: [ldap] Setting Auth-Type = LDAP


On Wed, Apr 15, 2009 at 5:06 PM, Kenneth Grady <klg at lanl.gov> wrote:

> If you don't want LDAP to authenticate your mac addresses you need to
> set the Auth-Type before it gets set to ldap.
> You can do that a number of ways (I use #3)
>
> 1) try macs in the users file
> 00:1f:3a:21:62:f8   ClearText-Password := "00:1f:3a:21:62:f8"
> or
> DEFAULT   User-Name =~ "^00:1f:3a:[a-fA-F0-9][a-fA-F0-9]:[a-fA-F0-9][a-fA-F0-9]:[a-fA-F0-9][a-fA-F0-9]$",
>           Auth-Type := Accept
>
> 2) or add mac addresses in your mysql database
> INSERT INTO radcheck VALUES
> (null,"${MAC-Address}","ClearText-Password",":=","${MAC-Address}");
> or
> INSERT INTO radcheck VALUES
> (null,"${MAC-Address}","Auth-Type",":=","Accept");
>
> 3) a combination of put the DEFAULT and all MAC-Addresses in the mysql
> database and don't have ldap set the Auth-Type
> INSERT INTO radgroupcheck values (null,"DEFAULT","Auth-Type",":=","LDAP");
> INSERT INTO radusergroup VALUES ("DEFAULT","DEFAULT",1);
> INSERT INTO radgroupcheck values (null,"MAC","Auth-Type",":=","Accept");
> #for each MAC you want to accept replace the 00: with your mac addresses
> INSERT INTO radusergroup VALUES ("00:00:00:00:00:00","MAC",1);
> DELETE FROM radusergroup where username ="00:00:00:00:00:00";
> and in modules/ldap
> ldap {
>    ...
>   set_auth_type = no
> }
>
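An added example, not part of this thread or of FreeRADIUS itself, that models how a users-file DEFAULT entry guarded by `User-Name =~ "<regex>"` is evaluated. FreeRADIUS `=~` is an unanchored regex search, so the harness uses `re.search`. It compares the pattern as posted in the message above with an anchored variant in the style of the quoted reply, over a few constructed User-Names, to show which names a `DEFAULT ... Auth-Type := Accept` entry would accept before any later module (such as ldap) gets to run. The sample names and the function names are assumptions made for this example; it says nothing about why the poster's ldap module still sets Auth-Type.

```python
import re

# Constructed harness (not FreeRADIUS code): `=~` in the users file is an
# unanchored regex match, so re.search (not re.fullmatch) models it.

# The pattern exactly as posted in the message above: unanchored, and the
# final octet is a single hex digit.
POSTED_PATTERN = r"([0-9a-fA-F]{2}:){5}[0-9a-fA-F]"

# Anchored variant in the style of the quoted reply: the whole User-Name
# must be exactly six colon-separated two-digit hex octets.
ANCHORED_PATTERN = r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$"


def entry_matches(pattern: str, user_name: str) -> bool:
    """True if a users-file entry guarded by `pattern` would fire for user_name."""
    return re.search(pattern, user_name) is not None


def auth_type_for(user_name: str, pattern: str) -> str:
    """Auth-Type the users-file DEFAULT entry would set for user_name.

    'Accept' means the entry matched and Auth-Type := Accept was applied;
    the other value means the entry did not match and later modules
    (files entries below it, ldap, sql, ...) decide.
    """
    if entry_matches(pattern, user_name):
        return "Accept"
    return "(unset: later modules decide)"


# Constructed User-Names to exercise both patterns.
SAMPLE_USER_NAMES = [
    "00:1f:3a:21:62:f8",       # the MAC seen in the thread's debug output
    "jdoe",                    # an ordinary account name
    "00:1f:3a:21:62:f8@lab",   # a longer User-Name that merely contains a MAC
    "00:1f:3a:21:62:f",        # a truncated MAC (five octets plus one digit)
]


def compare(user_names=SAMPLE_USER_NAMES):
    """Map each User-Name to (posted pattern matches?, anchored pattern matches?)."""
    return {
        name: (entry_matches(POSTED_PATTERN, name),
               entry_matches(ANCHORED_PATTERN, name))
        for name in user_names
    }


if __name__ == "__main__":
    for name, (posted, anchored) in compare().items():
        print(f"{name!r:28} posted={posted!s:5} anchored={anchored}")
```

The unanchored posted pattern fires for any User-Name that contains five `xx:` groups followed by one hex digit, including the truncated MAC and the name with a MAC embedded in it, while the anchored pattern fires only for a bare six-octet MAC. Since a matching DEFAULT entry sets `Auth-Type := Accept` with no password check, it is worth running a check like this against the regex before deploying it.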