chain two authentication modules together
Alexander Clouter
alex at digriz.org.uk
Tue Jun 21 00:34:05 CEST 2011
madmatrix <hailumeng at gmail.com> wrote:
>
> Alexander, one thing I'm still confused here is why we put otp and
> ldap all in authorization block in freeradius not the authentication?
>
As I'm an idiot. They should also be present in the authenticate
section.
In authorise, your OTP python method checks to see if it is a valid
authentication syntax (creating a challenge if necessary) returning
reject if it is invalid. It validates and rewrites User-Password to
contain just the bare password, whilst you can create a custom
dictionary attribute (for example User-OTP) that is separately processed
in authenticate.
So, for example:
----
authorize {
	...
	# User-Password is 'foo bar'
	python-otp
	# User-Password is 'foo'
	# User-OTP is 'bar'
	ldap
	...
}
authenticate {
	...
	Auth-Type python-otp {
		otp
		ldap
	}
	...
}
----
Cheers
--
Alexander Clouter
.sigmonster says: Price does not include taxes.
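
The authorize-stage split described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: it checks the `<password> <otp>` syntax, rejects malformed input, and yields the bare User-Password plus a separate User-OTP. The six-digit OTP format, the function names and the numeric return codes are assumptions; handing the rewritten pairs back to the server depends on the rlm_python version and is not shown.

```python
import re

# Assumed to mirror FreeRADIUS's RLM_MODULE_* return codes.
RLM_MODULE_REJECT = 0
RLM_MODULE_UPDATED = 8

# Assumption: the OTP is exactly six ASCII digits.
OTP_RE = re.compile(r"[0-9]{6}")


def split_password_otp(user_password):
    """Split '<password> <otp>' on the LAST space; return None if malformed."""
    # rpartition keeps spaces inside the password itself intact.
    password, sep, otp = user_password.rpartition(" ")
    if not sep or not password or not OTP_RE.fullmatch(otp):
        return None
    return password, otp


def authorize_split(request_pairs):
    """Hypothetical authorize step: return (code, rewritten_pairs)."""
    raw = next((v for n, v in request_pairs if n == "User-Password"), None)
    parts = split_password_otp(raw) if raw is not None else None
    if parts is None:
        # Invalid syntax: reject before ldap or the OTP check ever runs.
        return RLM_MODULE_REJECT, tuple(request_pairs)
    password, otp = parts
    # Drop any User-OTP already in the request so only the value derived
    # here reaches the authenticate section.
    kept = tuple(
        (n, password if n == "User-Password" else v)
        for n, v in request_pairs
        if n != "User-OTP"
    )
    return RLM_MODULE_UPDATED, kept + (("User-OTP", otp),)


if __name__ == "__main__":
    # Constructed sample request, not taken from the original post.
    sample = (("User-Name", "alice"), ("User-Password", "foo 123456"))
    code, pairs = authorize_split(sample)
    print(code, [n for n, _ in pairs])  # attribute names only, no secrets
```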