ldap fallback to local password
Aqdas Muneer
aqdas.muneer at gmail.com
Thu Aug 12 15:59:35 CEST 2010
So I tried it with a condition and still devices are accessible with the
local account even if LDAP is running. So basically I can log in to routers
either using my AD account or the local account in the users file. How can I
restrict this behavior to LDAP failure only? Below is my if statement in the
'default' file and the 'users' file config:
ldap
if (fail) {
        files
}

DEFAULT Huntgroup-Name == "network-admin", Ldap-Group == "networkadmins"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15",
#       Auth-Type := LDAP

#admin  Huntgroup-Name == "network-admin", Cleartext-Password := "xxxxxxxx"
admin   Cleartext-Password := "xxxxxxxx"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"

DEFAULT Auth-Type := Reject
        Reply-Message := "Access Denied. Your attempt has been logged."
On Thu, Aug 12, 2010 at 4:34 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Aqdas Muneer wrote:
> > i would like to configure freeradius so that it can failover to a local
> > password when the ldap server cannot be contacted. i was able to create
> > a admin account in the users file with cleartext password, but when i
> > enable it, it becomes accessible even when ldap is up and running. we
> > are running version 2.1.7 of freeradius.
>
> Read "man unlang". Configure a section to do something if the ldap
> module returns "fail".
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
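An added example, not from this thread, of one way to make the local account usable only when the ldap module returns fail: keep the fallback entry out of the main users file, serve it from a second rlm_files instance, and call that instance only inside the if (fail) block. The instance name files_fallback, the users.fallback path and the password are assumptions; the return-code override is included because a module's fail return otherwise ends the authorize section before the if is evaluated.

```text
# raddb/modules/files: a second rlm_files instance (name assumed) that reads
# only the emergency account. Leave the admin entry out of the main users
# file; otherwise the plain "files" call that the stock authorize section
# already makes loads the local password while LDAP is healthy.
files files_fallback {
        usersfile = ${confdir}/users.fallback   # assumed path
}

# raddb/users.fallback (sample contents, constructed for this example)
admin   Cleartext-Password := "xxxxxxxx"
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"

DEFAULT Auth-Type := Reject
        Reply-Message := "Access Denied. Your attempt has been logged."

# raddb/sites-enabled/default, authorize section
authorize {
        preprocess
        ldap {
                # the default action for "fail" in authorize is "return";
                # give it a low priority so processing continues to the if
                fail = 1
        }
        if (fail) {
                # reached only when rlm_ldap could not reach the directory:
                # this is the only place the local password is ever loaded
                files_fallback
        }
        pap
}
```

With this layout a successful or "notfound" answer from LDAP never consults the fallback file, so the local account cannot be used while the directory is answering.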