freeradius 2.2.0 stop authorization

Wedel Blake BWedel at cr.k12.ia.us
Wed Jan 23 20:49:02 CET 2013


Thanks Alan for the info.  By using the if statement I was able to stop the processing of the request.  However I need to do more research and communicating with our AD or our NPS server.  However since that doesn't involve the subject of this message I would start another question without 'stop authorization' in the subject line.

Thanks again.

-----Original Message-----
From: freeradius-users-bounces+bwedel=cr.k12.ia.us at lists.freeradius.org [mailto:freeradius-users-bounces+bwedel=cr.k12.ia.us at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, January 22, 2013 1:22 PM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 stop authorization

Wedel Blake wrote:
> ... What I want to do is setup ldap to authenticate against our Windows 2010 server where the computers are a part of the domain.

  AD isn't really an LDAP server.  You'll probably need to run Samba.  See:

http://deployingradius.com/documents/configuration/active_directory.html

>    I would like for it to query mysql first and then query ldap if it didn't find the computer in mysql.

authorize {
	...
	sql
	if (notfound) {
		ldap
	}
	...
}

  Should work for PAP requests.  (User-Name / User-Password)

> If I remove ldap from the defaults file I get an Access-Accept reply as expected.  It's just that if there is anything after sql in the defaults file then it will continue on to try and authenticate against another module.

  Use the configuration I posted above.  It should help.

> Below you can see a simple query with 'blake' being sent as both the user-name and password.  It queries the db and finds it (as expected).  However it continues to go to ldap and tries to find it to which I get an error. 

  Read raddb/modules/ldap.  Look for "operations error"

> I understand that I don't have ldap working properly right now.  However, first I just want to get the logic setup to where after finding a name in mysql it will stop and reply back with an Access-Accept and not query ldap.  Is there a setting you have to put in a conf file?

  It's a policy you write.  There is no "setting" to do if/then/else programming.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
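For readers following the thread, here is a fuller version of the policy Alan sketches above, written as an added example rather than taken from the thread or from the FreeRADIUS project's shipped configuration. It assumes the default module instance names `sql`, `ldap` and `pap` from raddb/sites-available/default in 2.2.0, and that the SQL and LDAP modules themselves are already configured; the comments spell out which module return codes the `if` conditions are keyed on, since that is what decides whether processing stops after the SQL lookup.

```unlang
authorize {
	preprocess
	# Look the user up in the SQL database first (radcheck / radreply / radgroup tables).
	sql

	# "notfound" tests the return code of the module that ran immediately
	# before it, here "sql".  rlm_sql returns "notfound" when no rows match
	# the User-Name, and "ok" / "updated" when it found and added attributes.
	# Only fall through to LDAP when SQL had nothing.
	if (notfound) {
		ldap
		# If LDAP does not know the user either, stop here with a clean
		# Access-Reject instead of letting later modules guess.
		if (notfound) {
			reject
		}
	}

	# A hard failure from SQL (DB down, bad query) should not silently turn
	# into an LDAP lookup; "fail" is a distinct return code from "notfound".
	if (fail) {
		reject
	}

	# pap sets Auth-Type := PAP only when a "known good" password attribute
	# (e.g. Cleartext-Password from SQL) and a User-Password are both present.
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type LDAP {
		ldap
	}
}
```

The two inner `reject` lines are the part the original sketch leaves implicit: without them, a user missing from both stores still reaches the `pap` module, which will return "noop" and the request ends in a reject for "no Auth-Type found" anyway, but the explicit policy makes the decision visible in the debug output (`radiusd -X`) and keeps a database outage from being mistaken for an unknown user. Authenticating Windows-domain machine accounts is a separate problem, covered by the deployingradius.com link above, and is not addressed by this fragment.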
