Check local before LDAP Authentication

Matteo Raffa matteo.raf at gmail.com
Fri May 28 16:16:28 CEST 2021


>  It doesn't save a variable for each possible module.  That would be an enormous amount of work, and isn't that useful.

Thanks for pointing that out, I wasn’t sure about that as I couldn’t find any reference on man pages.

>  You can just change the order of the modules in the configuration files.
> 
>  It might be better to explain what you're trying to do, instead of asking "why doesn't the server save each modules return code".
> 
>  i.e. don't ask why a particular solution doesn't work.  Explain the problem, and let us suggest a solution that works.

I’m sorry, I just put that in the subject and didn’t repeat it in the text.
What I want to achieve is quite simple: authenticate with LDAP only in case there’s no corresponding local user available.

In the meanwhile I came up with this.
I guess in case someone needs to check local users *after* LDAP, they'd simply move the files module after ldap and before pap (without the additional condition check on the files rcode). Am I right?


	files
	if (ok) {
		pap
	}

	-ldap
	if ((ok || updated) && User-Password) {
		update control {
			Auth-Type := ldap
		}
	}
	pap




> Hi Matteo,
> 
> First of all, it's hard to help you without the debug logs, please https://wiki.freeradius.org/guide/radiusd-X
> 
> Other than that, please take a look at https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO if you’re looking for AD or just take a look at /etc/raddb/mods-available/ldap. Then, back to us with some debug output.



Hello Jorge,
Thank you, but I already got LDAP authentication working.
I am just trying to understand which is the best way to implement this additional “emergency” local auth.
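Added example, not the poster's configuration and not code from the FreeRADIUS project: one way to write the `authorize` and `authenticate` sections so that the `files` module is consulted first and LDAP is only asked when no local entry has already claimed the request. It follows FreeRADIUS 3.x unlang syntax; the `&control:Auth-Type` existence check, the explicit `Auth-Type ldap` block in `authenticate`, and the comments describing module return codes are my assumptions about how a default `sites-available/default` is laid out.

```unlang
authorize {
	# Local users first. rlm_files returns "ok" when an entry in the users
	# file matches the request and "noop" when nothing matches.
	# Assumption: the users file has no catch-all DEFAULT entry, otherwise
	# every request would look like a local user.
	files
	if (ok) {
		# rlm_pap sets control:Auth-Type := PAP when User-Password is present
		# and no Auth-Type has been set yet.
		pap
	}

	# Only consult LDAP when no local entry set an Auth-Type.
	# The leading "-" makes the module optional: if rlm_ldap is not loaded
	# the call is skipped instead of failing the request.
	if (!&control:Auth-Type) {
		-ldap
		if ((ok || updated) && &User-Password) {
			update control {
				&Auth-Type := ldap
			}
		}
	}
}

authenticate {
	# Local users found by rlm_files are checked against their
	# Cleartext-Password (or hashed password) by rlm_pap.
	Auth-Type PAP {
		pap
	}

	# Users that only exist in the directory are bound against LDAP.
	Auth-Type ldap {
		ldap
	}
}
```

To confirm the ordering, run the server with `radiusd -X` and send one request for a local user and one for a directory-only user: the debug output for the local user should show `files` returning `ok` and `pap` setting `Auth-Type = PAP` with no `ldap` call in `authorize`, while the directory-only user should show `files` returning `noop` followed by the `ldap` call and `Auth-Type = ldap`.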



