ldap fallback to local password

Aqdas Muneer aqdas.muneer at gmail.com
Thu Aug 12 15:59:35 CEST 2010


So I tried it with a condition, and devices are still accessible with the
local account even if LDAP is running. So basically I can log in to routers
either using my AD account or the local account in the users file. How can I
restrict this behavior to LDAP failure only? Below is my if statement in the
'default' file and the 'users' file config:

        ldap
        if (fail) {
                files
        }

DEFAULT         Huntgroup-Name == "network-admin", Ldap-Group == "networkadmins"
                Service-Type := NAS-Prompt-User,
                cisco-avpair := "shell:priv-lvl=15",
 #              Auth-Type := LDAP

#admin          Huntgroup-Name == "network-admin", Cleartext-Password := "xxxxxxxx"
admin           Cleartext-Password := "xxxxxxxx"
                Service-Type := NAS-Prompt-User,
                cisco-avpair := "shell:priv-lvl=15"

DEFAULT         Auth-Type := Reject
                Reply-Message := "Access Denied. Your attempt has been logged."

On Thu, Aug 12, 2010 at 4:34 AM, Alan DeKok <aland at deployingradius.com>wrote:

> Aqdas Muneer wrote:
> > I would like to configure FreeRADIUS so that it can fail over to a local
> > password when the LDAP server cannot be contacted. I was able to create
> > an admin account in the users file with a cleartext password, but when I
> > enable it, it becomes accessible even when LDAP is up and running. We
> > are running version 2.1.7 of FreeRADIUS.
>
>   Read "man unlang".  Configure a section to do something if the ldap
> module returns "fail".
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
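An added example, not the poster's configuration or anything from the thread, showing one way to build the section Alan describes: a `redundant` block, in which the next module runs only when the previous one returned `fail`. It assumes the stock `sites-enabled/default` virtual server of FreeRADIUS 2.x, the poster's `users` entries above, and that rlm_ldap fetches the password for `pap` (otherwise the `authenticate` section needs an `Auth-Type LDAP` sub-section).

```unlang
# Added example, not the poster's configuration: the authorize section of
# a FreeRADIUS 2.x virtual server in which the local users file is
# consulted only when rlm_ldap returns "fail".
authorize {
        preprocess
        chap
        mschap
        suffix

        # Leave out the unconditional "files" call that the stock default
        # virtual server lists at this point. If it stays, the users file
        # is read on every request and the local "admin" entry (with its
        # Cleartext-Password) is applied whether or not LDAP is reachable,
        # which is the behaviour reported above.

        # In a redundant block the modules are tried in order, and the
        # next one runs only if the previous one returned "fail" (server
        # unreachable, connection error). An LDAP "notfound" or "reject"
        # ends the block, so a reachable LDAP server stays the authority.
        redundant {
                ldap
                files
        }

        # pap authenticates against whichever Cleartext-Password was set:
        # the one rlm_ldap fetched, or the one from the users file after
        # a fallback.
        pap
}
```

If the `files` call also appears in `authenticate` or in another virtual server that handles these routers, the same check applies there, because any unconditional read of the users file re-enables the local password.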