Do not query LDAP if authenticated via proxy
Alan DeKok
aland at deployingradius.com
Mon Aug 10 15:34:38 CEST 2009
Steven Carr wrote:
> We are joining Eduroam and we have our FreeRADIUS set to proxy on the
> DEFAULT realm and have a separate realm for our local domain.
>
> If we pass a request to the proxy to be authenticated both before and
> after the request has been proxied it queries our LDAP server to check
> if the user exists.

So... use "unlang" to check for your local domain, and run the "ldap"
module only if it matches the local domain:

	if (User-Name =~ /@my_domain.com/) {
		ldap
	}

> How can I stop it from doing this? It is a waste of time and an
> unnecessary connection/query to our LDAP server as it is never going to
> be authenticated by our LDAP server.
You don't "stop" it.
You tell it to query the LDAP server *ONLY* when it sees
Access-Requests where User-Name contains your domain.
Once you formulate the problem that way, the solution becomes obvious.
Alan DeKok.
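
Added example (not part of the original message and not FreeRADIUS code): a Python check of which User-Name values would reach the "ldap" module under the condition posted above, next to a hypothetical variant with the dot escaped and the match anchored at the end. The sample names and the anchored pattern are assumptions, and Python's re module stands in for the server's regex engine, which treats "." and "$" the same way for these patterns.

```python
import re

# The condition from the reply above, exactly as posted:
# unanchored, and "." matches any single character.
POSTED = re.compile(r"@my_domain.com")

# Hypothetical tightened variant (an assumption, not from the thread):
# literal dot, anchored at the end of User-Name.
ANCHORED = re.compile(r"@my_domain\.com$")

# Constructed sample User-Name values.
SAMPLES = [
    "alice@my_domain.com",           # local user
    "bob@other-university.example",  # roaming visitor, handled by the proxy
    "carol@my_domain.com.example",   # foreign realm that starts with the local one
    "dave@my_domainXcom",            # "." in the posted pattern matches "X"
    "erin",                          # no realm at all
]


def runs_ldap(pattern, user_name):
    """Mirror `if (User-Name =~ /.../) { ldap }`: True when ldap would be called."""
    return pattern.search(user_name) is not None


def ldap_lookups(pattern, user_names):
    """Return the User-Name values that would cause an LDAP query."""
    return [u for u in user_names if runs_ldap(pattern, u)]


if __name__ == "__main__":
    for label, pattern in (("posted", POSTED), ("anchored", ANCHORED)):
        print(f"{label:9s} -> {ldap_lookups(pattern, SAMPLES)}")
```

Both patterns skip the LDAP query for the proxied visitor; the anchored one also skips it for realms that merely contain the local domain string.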