Autz-Type examples and parse error
Harry Hoffman
hhoffman at ip-solutions.net
Wed Oct 13 16:17:18 CEST 2010
Hi Phil,
Thanks for the pointers. I was attempting to use ntlm_auth to ensure the
account actually existed for the authorization section. And then again
in the authentication section to ensure the user name and password
match.
Is there a better way to check for authorization against AD?
Cheers,
Harry
On Wed, 2010-10-13 at 14:56 +0100, Phil Mayers wrote:
> On 13/10/10 14:40, Harry Hoffman wrote:
> > Hi Alan,
> >
> > Thanks for the help! This works well and lessens the confusion on my
> > part.
> >
> > I do have one question. When using ldap as the authorization module the
> > Auth-Type gets set properly to siteone_ldap. But if I try using
>
> That's a feature of the "ldap" module; if it is a "named" module it sets
> the Auth-Type to that name (otherwise using "LDAP")
>
> > ntlm_auth then the Auth-Type is not set even though ntlm_auth returns
> > OK.
>
> The (confusingly named) "ntlm_auth" module is actually a copy of the
> "exec" module which checks PAP requests; it does not have that feature.
> You are also using it wrong, by running it in the "authorize" section.
>
> You want something like:
>
> authorize {
>     if (Realm == ...) {
>         ldap_siteone
>     }
>     elsif (Realm == ...) {
>         update control {
>             Auth-Type := PAP-ntdom
>         }
>     }
> }
>
> authenticate {
>     Auth-Type ldap_siteone {
>         ldap_siteone
>     }
>     Auth-Type PAP-ntdom {
>         ntlm_auth
>     }
> }
>
>
> I guess the other alternative is:
>
> authorize {
>     if (Realm == ...) {
>         ldap_siteone
>     }
>     elsif (Realm == ...) {
>         ntlm_auth
>         if (ok) {
>             update control {
>                 Auth-Type := PAP-ntdom
>             }
>         }
>     }
> }
>
> ...but maybe it's not really what you should be doing; "authenticate"
> should happen after "authorize"
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
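A fully filled-in version of the first layout Phil sketches, added here as an example and not taken from the thread or from the FreeRADIUS distribution. The realm names `site1.example` and `site2.example`, the AD domain `EXAMPLE`, the `ldap_siteone` instance name and the `/usr/bin/ntlm_auth` path are assumptions; the `exec ntlm_auth` stanza mirrors the shape of the stock 2.x module definition, and the `realm` stanzas and the `suffix` call are added because the `Realm` attribute the `if` checks depend on only exists once a realm module has recognised the suffix.

```unlang
# raddb/proxy.conf (assumed): realms with no authhost/pool are LOCAL, which
# is all "suffix" needs in order to set the Realm attribute for them.
realm site1.example {
}
realm site2.example {
}

# raddb/modules/ntlm_auth (assumed path). This is an instance of the exec
# module: the program is run, exit status 0 maps to "ok". Like any exec
# instance it never sets Auth-Type, which is why authorize below sets it.
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

# raddb/sites-available/default, relevant sections only
authorize {
    # Split user@realm and set Realm; without this neither branch matches.
    suffix

    if (Realm == "site1.example") {
        # ldap is a named instance, so on success it sets
        # Auth-Type := ldap_siteone by itself.
        ldap_siteone
    }
    elsif (Realm == "site2.example") {
        # exec-type modules do not select an Auth-Type; do it explicitly
        # and leave the actual check to the authenticate section.
        update control {
            Auth-Type := PAP-ntdom
        }
    }
}

authenticate {
    Auth-Type ldap_siteone {
        ldap_siteone
    }
    Auth-Type PAP-ntdom {
        # Runs only for requests authorize routed here. The exec line
        # above expands User-Password, so this works for PAP requests
        # that carry a cleartext password, not for MS-CHAP or EAP.
        ntlm_auth
    }
}
```

With `radiusd -X` the debug output shows `suffix` setting `Realm`, the matching `authorize` branch, and then `Found Auth-Type = PAP-ntdom` before the `ntlm_auth` exec line runs; a request whose realm is not defined in `proxy.conf` falls through both branches, ends with no `Auth-Type`, and is rejected, which is the expected outcome rather than a misconfiguration.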