[RESOLVED] Need both Local (MySQL database) and Active directory authentications.
ffgch2
ffgch2 at gmail.com
Fri Apr 12 15:52:27 CEST 2013
Thanks Alan! The following code in the sites-available/inner-tunnel solved
the problem.
    if ("%{sql: SELECT COUNT(*) FROM radcheck WHERE username = '%{SQL-User-Name}' AND pwdtype = 'local'}" > 0) {
        update control {
            MS-CHAP-Use-NTLM-Auth := 0
        }
    }
ffgch2 wrote:
> > I have set up Freeradius (v.2.1.10)
>
> Upgrade to v2.2.0.
>
> > to do password authentication from
> > MySQL database and it works fine but now I need to make some users be
> > able to authenticate against Active directory accounts. I’ve set up
> > winbind to authenticate windows accounts and it works but as a result
> > freeradius lost ability to authenticate by local database.
>
> You need to figure out when users will be checked against SQL, and
> when they will be checked against AD. Right now, you've configured
> FreeRADIUS to use both. Which isn't what you want.
>
> > So if I comment the line:
>
> Don't randomly change things. It won't work.
>
> > Is there a way to tell mschap to use ntlm_auth depending on field in
> > MySQL table and use the internal mechanisms if plain text passwords
> > available in the MySQL table?
>
> No. There are better ways.
>
> See raddb/modules/mschap. You can control when ntlm_auth is called.
>
> See "man unlang". You can configure policies. Read the debug output.
>
> What you want is this:
>
> authorize {
>     ...
>     sql
>     if (ok) {
>         update control {
>             MS-CHAP-Use-NTLM-Auth := No
>         }
>     }
>     ...
> }
>
> Alan DeKok.