Unknown Auth-Type "LDAP" in authenticate sub-section
Phil Mayers
p.mayers at imperial.ac.uk
Fri Mar 9 21:23:55 CET 2012
On Fri, Mar 09, 2012 at 10:59:46AM -0500, up at 3.am wrote:
>
>authorize {
>
> preprocess
> redundant LDAP{
> ldap1
> ldap2
> }
>
>
> # The ldap module will set Auth-Type to LDAP if it has not
> # already been set
># ldap
>
>authenticate {
>
> #Auth-Type LDAP {
> redundant LDAP{
> ldap1
> ldap2
>
> }
I think that's (very) wrong.
I would need to check this, but I *think* you want something like this:
authorize {
    ...
    redundant {
        ldap1
        ldap2
    }
    ...
}

authenticate {
    Auth-Type ldap1 {
        ldap1
    }
    Auth-Type ldap2 {
        ldap2
    }
}

..and:

ldap ldap1 {
    ...
    set_auth_type = yes
}

ldap ldap2 {
    ...
    set_auth_type = yes
}
Did you read a doc telling you to do it the way you did?
Using "ldap" in the authenticate section is a bit tricky, and you'd be
wise to avoid it if you can - if the LDAP server will "give" you the
password (plaintext or crypted) you're better off doing that in
"authorize" and letting FreeRADIUS perform the auth using rlm_pap or
whatever.
Very briefly, here's how it works:
IF
"set_auth_type = yes" on the module
AND
there is an "Auth-Type modname" in the "authenticate" section
AND
Auth-Type is not already set
AND
the request is PAP i.e. has User-Password
AND
the ldap module did NOT put a password hash into the control items
THEN
the ldap module will set Auth-Type==modname and authentication will
come "back to itself" in authenticate {}
The reasons it works that way are complex, and in an ideal world the
ldap module would be a lot simpler, but it's got a lot of backwards
compatibility code in it, and LDAP and RADIUS have a pretty bad
impedance mismatch when used this way (LDAP as an oracle).
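As an added illustration of the "do it in authorize" approach recommended above (not part of the original thread; it assumes FreeRADIUS 2.x rlm_ldap syntax, the same ldap1/ldap2 instance names, and placeholder hostnames and DNs), the LDAP instances only fetch the stored password in authorize and rlm_pap does the comparison, so the set_auth_type hand-back into authenticate {} never happens:

```conf
# raddb/modules/ldap (2.x syntax; one instance per server)
ldap ldap1 {
    server = "ldap1.example.com"            # placeholder hostname
    identity = "cn=radius,dc=example,dc=com" # placeholder bind DN
    password = "CHANGEME"                    # placeholder bind password
    basedn = "ou=people,dc=example,dc=com"   # placeholder base DN
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    # Copy the stored password (plaintext or {crypt}/{SSHA}-style)
    # into the control items so rlm_pap can verify it.
    password_attribute = userPassword
    # Never hand authentication back to rlm_ldap itself.
    set_auth_type = no
}

ldap ldap2 {
    server = "ldap2.example.com"            # placeholder hostname
    identity = "cn=radius,dc=example,dc=com"
    password = "CHANGEME"
    basedn = "ou=people,dc=example,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    password_attribute = userPassword
    set_auth_type = no
}

# raddb/sites-enabled/default
authorize {
    preprocess
    # Fail over between the two directory servers for the lookup only.
    redundant {
        ldap1
        ldap2
    }
    # rlm_pap sees the fetched password in the control items and
    # sets Auth-Type = PAP; without a fetched password it rejects.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
}
```

This only works if the directory lets the FreeRADIUS bind identity read userPassword; if the server permits bind-as-user only, you are back to the set_auth_type path described above.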