Users-file and LDAP backend mixing questions

Куприянов Максим max2k1 at yandex.ru
Mon Jan 19 10:51:22 CET 2009


19.01.09, 12:30, "Alan DeKok" <aland at deployingradius.com>:

> Куприянов Максим wrote:
> > I'm using FreeRADIUS 2.1.3 with LDAP (eDirectory) and plain-text (users file) backends and I don't know how to solve a couple of problems :(
>   How do you tell the users apart?
> > 1. Is it possible to mix users with the same names but different passwords from LDAP and from the users file? There are some old-time users in my org who don't belong to the eDirectory tree, and there are users in eDirectory with the same names that should not be treated like the old-time ones.
>   Maybe.
I'm sure they have different passwords (the password policy is different), but I don't understand how to configure the logic "First try to authenticate to eDirectory with User-Password; if that fails, try a plain-text comparison with the Clear-Password attribute set in the users file".

> > 2. I need some special DEFAULT with Fall-Through=yes rules that should match only users authenticated by the LDAP backend. I've tried Ldap-UserDn in the check section of the users file, but it seems to me that the Ldap-UserDn attribute is empty every time :(
>   Don't use the "users" file for this.  See "man unlang".
Thanks for the hint, I'll take a look.

> > 3. Also I need a reject rule for those users who were authenticated by LDAP and do not belong to any LDAP group. I've tried Ldap-Group !*, but this attribute always exists for every user :(
>   I'm not sure how you would do that.  Maybe do an LDAP query for group
> membership, and check if the returned string is empty.
It will not work :-(. Here is a quote from rlm_ldap.c:ldap_groupcmp():

    /* an empty or missing check value is rejected before any LDAP lookup */
    if (check->vp_strvalue == NULL || check->length == 0){
        DEBUG("rlm_ldap::ldap_groupcmp: Illegal group name");
        return 1;   /* non-zero: the comparison does not match */
    }

>   Alan DeKok.

---
Sincerely yours,
Maxim
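As an added example (not from the thread or from the FreeRADIUS project), this is how points 2 and 3 above could be expressed in a FreeRADIUS 2.x unlang authorize section instead of the users file: rules that apply only to users rlm_ldap actually found, and a reject for LDAP users that belong to none of the known groups, since an empty Ldap-Group check value never matches. The group DNs and the reply attribute are constructed placeholders.

```unlang
authorize {
    preprocess
    files
    ldap

    # rlm_ldap returns "ok" or "updated" only when it found the user in
    # eDirectory, so everything in this block applies to LDAP users only
    # (the job the DEFAULT / Fall-Through entries in "users" were meant to do)
    if (ok || updated) {
        update reply {
            # constructed example of a rule that only LDAP users get
            Session-Timeout := 3600
        }

        # Ldap-Group must be compared against a concrete group name: an empty
        # check value is refused by ldap_groupcmp() and never matches, so the
        # "belongs to no group" test is written as "matches none of these".
        # Constructed group DNs below.
        if (Ldap-Group == "cn=staff,ou=groups,o=example") {
            noop
        }
        elsif (Ldap-Group == "cn=students,ou=groups,o=example") {
            noop
        }
        else {
            # LDAP user that is in none of the known groups
            reject
        }
    }

    pap
}
```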


