[RESOLVED] Need both Local (MySQL database) and Active directory authentications.

ffgch2 ffgch2 at gmail.com
Fri Apr 12 15:52:27 CEST 2013


Thanks Alan! The following code in the sites-available/inner-tunnel solved
the problem.

  if ("%{sql: SELECT COUNT(*) FROM radcheck WHERE username = '%{SQL-User-Name}' AND pwdtype = 'local'}" > 0) {
      update control {
            MS-CHAP-Use-NTLM-Auth := 0
      }
  }



ffgch2 wrote:
> > I have set up Freeradius  (v.2.1.10)
>
>   Upgrade to v2.2.0.
>
> > to do password authentication from
> > MySQL database and it works fine but now I need to make some users be
> > able to authenticate against Active directory accounts. I’ve set up
> > winbind to authenticate windows accounts and it works but as a result
> > freeradius lost ability to authenticate by local database.
>
>   You need to figure out when users will be checked against SQL, and
> when they will be checked against AD.  Right now, you've configured
> FreeRADIUS to use both.  Which isn't what you want.
>
> > So if I comment the line:
>
>   Don't randomly change things.  It won't work.
>
> > Is there a way to tell mschap to use ntlm_auth depending on field in
> > MySQL table and use the internal mechanisms if plain text passwords
> > available in the MySQL table?
>
>   No.  There are better ways.
>
>   See raddb/modules/mschap.  You can control when ntlm_auth is called.
>
>   See "man unlang".  You can configure policies.  Read the debug output.
>
>   What you want is this:
>
>         authorize {
>                 ...
>                 sql
>                 if (ok) {
>                         update control {
>                                 MS-CHAP-Use-NTLM-Auth := No
>                         }
>
>                 }
>                 ...
>         }
>
>   Alan DeKok.
>
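
Added example, not part of the original thread or of FreeRADIUS: once `pwdtype = 'local'` switches ntlm_auth off for a user, MS-CHAP can only succeed if radcheck holds a Cleartext-Password or NT-Password for that user, so this sketch audits the table for local accounts that would fail. It assumes the standard radcheck columns plus the thread's `pwdtype` column, uses an in-memory SQLite table as a stand-in for MySQL, and the function names, the `'ad'` value and the sample rows are constructed for illustration.

```python
import sqlite3

# Attributes MS-CHAP can be verified against locally: the cleartext password
# or its NT hash. One-way hashes such as Crypt-Password cannot be used.
MSCHAP_USABLE = ("Cleartext-Password", "NT-Password")

# Constructed sample rows: (username, attribute, op, value, pwdtype).
# 'local' is the value used in the thread; 'ad' is an assumed counterpart.
SAMPLE_ROWS = [
    ("alice", "Cleartext-Password", ":=", "constructed-secret", "local"),
    ("bob",   "Crypt-Password",     ":=", "$1$constructed$hash", "local"),
    ("carol", "Simultaneous-Use",   ":=", "1",                   "ad"),
    ("dave",  "NT-Password",        ":=", "0" * 32,              "local"),
]

def build_db(rows=SAMPLE_ROWS):
    """Create an in-memory radcheck table (SQLite stand-in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT, pwdtype TEXT)")
    db.executemany("INSERT INTO radcheck (username, attribute, op, value, pwdtype)"
                   " VALUES (?, ?, ?, ?, ?)", rows)
    return db

def uses_local_mschap(db, username):
    """Same COUNT(*) test as the unlang policy, with the name bound as a parameter."""
    (n,) = db.execute("SELECT COUNT(*) FROM radcheck WHERE username = ?"
                      " AND pwdtype = 'local'", (username,)).fetchone()
    return n > 0

def local_users_without_mschap_password(db):
    """Users routed away from ntlm_auth that have no password MS-CHAP can use."""
    q = ("SELECT DISTINCT username FROM radcheck WHERE pwdtype = 'local'"
         " AND username NOT IN (SELECT username FROM radcheck"
         " WHERE attribute IN (?, ?)) ORDER BY username")
    return [u for (u,) in db.execute(q, MSCHAP_USABLE)]

if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "local" if uses_local_mschap(db, user) else "ntlm_auth")
    print("local accounts MS-CHAP cannot verify:",
          local_users_without_mschap_password(db))
```
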