Ok, I have a pretty complex configuration here.
I am using freeradius 0.5

------------------------------ The setting -----------------------------------------------------------------

1.
I need to check for username, Password, Access attribute.
The username/password shall always be the same (Single sign on).
The username is stored in LDAP, the Password is crypted.
NT and LM-Passwords are stored in LDAP too.

2.
The Access attribute is supposed to give access only if the request comes from a specified NAS-IP-Address!
So if user=Testman password "test" dials in on our Shiva, and the Access attribute DialinAccess=TRUE, he is accepted.
But if he uses the VPN-Gateway, the access attribute VPNaccess=TRUE has to be checked.

3.
If he uses the VPN-Gateway I need to retrieve NT/LM-Passwords, to do a MS-Chap authentication for encryption to work!
------------------------------------------------- What I did ------------------------------------------------

I managed to get three different ldap module configurations working

    authenticate {
        Auth-Type LDAP1 { ldap1 }
        Auth-Type LDAP2 { ldap2 }
        Auth-Type LDAP3 { ldap3 }
    }

that are called through the users file with:

    DEFAULT Auth-Type := LDAP1, Huntgroup-Name == Dialin
            Fall-Through = No
    DEFAULT Auth-Type := LDAP2, Huntgroup-Name == Cas
            Fall-Through = No
    DEFAULT Auth-Type := LDAP3, Huntgroup-Name == Vpn

I need this cause I want to check for different accessAttributes for VPN, Dialin etc..
Now I need the third LDAP module to do another authentication using the retrieved NT/LM-Passwords with MS-Chap.
How is this possible??
If I do

    DEFAULT Auth-Type := LDAP1, Huntgroup-Name == Dialin etc.
            Fall-Through = No
    DEFAULT Auth-Type := LDAP2, Huntgroup-Name == Dialin etc.
            Fall-Through = No
    DEFAULT Auth-Type := MS-Chap, Huntgroup-Name == Vpn
            Fall-Through = No

then I (of course) won't retrieve the NT/LM password from LDAP so MS-Chap can't work.
----------------------------------------------- Questions ----------------------------------------

But how can I trigger LDAP1-3 in the authorisation section?
I can just put all three in there

    authorize {
        ldap1
        ldap2
        ldap3
    }

But in this case one of them will always give an ok no matter which username -> access attribute combination is used.
I cannot do something like

    authorize {
        ldap1, Huntgroup-Name == Dialin
        ldap2, Huntgroup-Name == CAS
        ldap3, Huntgroup-Name == VPN    ---- and set Auth-Type=MS-Chap
    }

can I?
Will I have to use multiple radius daemons running on different Ports?
That would suck :-(
------------------------------------- even more questions --------------------------------------------

I also tried to get rid of the users file and store the Huntgroup-Name check item in LDAP too, but that didn't quite work.
But it should, shouldn't it?
Probably because I just called LDAP for authentication I guess, but again, I can not trigger different LDAP modules for authorisation depending on the NAS-IP-address, can I!
------------------------------------- Bug? -----------------------------------------------------------------

1. When I used more than one instance of rlm_ldap it seemed like the accessattribute in the ldap module configuration section wouldn't be recognized for authentication. So I have to use a different filter now that searches for uid & accessattribute=TRUE.

2. The Auth-Type = MS-Chap in the ldap configuration section of radiusd.conf doesn't seem to have any effect. What is it supposed to do?
I thought it would just set the Auth-Type to MS-Chap when LDAP is called in the authorisation section but it doesn't! I still have to use

    DEFAULT Auth-Type := MS-Chap

in the users file!

3. LDAP NT/LM password values are not recognized by MS-Chap, see posting "MS-CHAP nt-lnPasswords on LDAP" for more information!
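The decision logic the post is trying to express in the users file (NAS-IP-Address picks a huntgroup, the huntgroup picks the LDAP instance and its access attribute, and the VPN path additionally needs the NT hash so MS-CHAP can run) is spelled out below as an added Python model. It is illustration code written for this page, not FreeRADIUS configuration and not the poster's code: the three dictionaries standing in for ldap1/ldap2/ldap3, the huntgroups table, the NAS addresses, the user names "Testman", "Casonly" and "Vpnnohash", the attribute name CasAccess, the salted-SHA-256 stand-in for a crypted userPassword and the 16-byte placeholder ntPassword value are all constructed assumptions.

```python
"""Constructed model of per-huntgroup authorization routing.

Added illustration, not FreeRADIUS code. In-memory dictionaries stand in
for the ldap1/ldap2/ldap3 instances, a huntgroups table maps
NAS-IP-Address to a huntgroup, and authorize() applies the per-huntgroup
check items: which access attribute must be TRUE and which Auth-Type to
set. All names, addresses and password values are assumptions.
"""
import hashlib
import hmac
import ipaddress

# Constructed huntgroups table (stand-in for a huntgroups file keyed by NAS).
HUNTGROUPS = {
    "Dialin": [ipaddress.ip_network("192.0.2.10/32")],
    "Cas": [ipaddress.ip_network("192.0.2.20/32")],
    "Vpn": [ipaddress.ip_network("198.51.100.0/24")],
}

# Per-huntgroup policy: LDAP instance, access attribute that must be TRUE,
# and the Auth-Type a users-file entry would set. "CasAccess" is assumed.
POLICY = {
    "Dialin": {"ldap": "ldap1", "access_attr": "DialinAccess", "auth_type": "PAP"},
    "Cas": {"ldap": "ldap2", "access_attr": "CasAccess", "auth_type": "PAP"},
    "Vpn": {"ldap": "ldap3", "access_attr": "VPNaccess", "auth_type": "MS-CHAP"},
}


def crypt_password(password, salt):
    """Stand-in for a crypted userPassword: salt + '$' + SHA-256(salt||password)."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed directory entries. The ntPassword bytes are a placeholder, not
# the real NT hash of "test"; only their presence and length matter here.
DIRECTORY = {
    "Testman": {
        "userPassword": crypt_password("test", "s1"),
        "DialinAccess": "TRUE",
        "VPNaccess": "TRUE",
        "ntPassword": bytes.fromhex("00112233445566778899aabbccddeeff"),
    },
    "Casonly": {"userPassword": crypt_password("secret", "s2"), "CasAccess": "TRUE"},
    "Vpnnohash": {"userPassword": crypt_password("pw", "s3"), "VPNaccess": "TRUE"},
}


def ldap_search(instance, username):
    """Each 'instance' is the same directory seen through a different filter,
    mirroring the post's workaround of searching for uid & accessattribute=TRUE."""
    access_attr = next(p["access_attr"] for p in POLICY.values() if p["ldap"] == instance)
    entry = DIRECTORY.get(username)
    if entry is None or entry.get(access_attr) != "TRUE":
        return None  # filter (&(uid=...)(<access_attr>=TRUE)) matches nothing
    return entry


def huntgroup_for(nas_ip):
    """Map a NAS-IP-Address to its huntgroup, or None for an unknown NAS."""
    addr = ipaddress.ip_address(nas_ip)
    for name, networks in HUNTGROUPS.items():
        if any(addr in net for net in networks):
            return name
    return None


def authorize(request):
    """Pick the LDAP instance from the huntgroup, enforce its access attribute
    and collect the control items the chosen Auth-Type will need."""
    huntgroup = huntgroup_for(request["NAS-IP-Address"])
    if huntgroup is None:
        return {"result": "reject", "reason": "unknown NAS"}
    policy = POLICY[huntgroup]
    entry = ldap_search(policy["ldap"], request["User-Name"])
    if entry is None:
        return {"result": "reject", "reason": policy["access_attr"] + " not TRUE",
                "huntgroup": huntgroup, "ldap": policy["ldap"]}
    control = {"Auth-Type": policy["auth_type"], "Crypt-Password": entry["userPassword"]}
    if policy["auth_type"] == "MS-CHAP":
        # MS-CHAP cannot be done from a crypted password; the NT hash must be
        # fetched here, which is the gap the post runs into with Auth-Type := MS-Chap.
        if "ntPassword" not in entry:
            return {"result": "reject", "reason": "no NT-Password for MS-CHAP",
                    "huntgroup": huntgroup, "ldap": policy["ldap"]}
        control["NT-Password"] = entry["ntPassword"]
    return {"result": "ok", "huntgroup": huntgroup, "ldap": policy["ldap"], "control": control}


def authenticate(decision, request):
    """Run the Auth-Type chosen by authorize(). PAP is verified against the
    crypted password; for MS-CHAP only the hand-over of the NT hash is modelled."""
    if decision["result"] != "ok":
        return False
    control = decision["control"]
    if control["Auth-Type"] == "PAP":
        salt = control["Crypt-Password"].split("$", 1)[0]
        candidate = crypt_password(request["User-Password"], salt)
        return hmac.compare_digest(candidate, control["Crypt-Password"])
    if control["Auth-Type"] == "MS-CHAP":
        return len(control["NT-Password"]) == 16  # hash is available to the MS-CHAP step
    return False
```

Running authorize() for Testman from the Shiva address routes to ldap1 with PAP, from a VPN-gateway address to ldap3 with MS-CHAP plus the NT hash in the control items, and from the Cas address rejects because DialinAccess/VPNaccess do not cover that huntgroup; a VPN user whose entry lacks ntPassword is rejected before authentication, which is the case the post describes as MS-Chap "can't work".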
- Re: Multiple LDAP instances mapped to NAS-IP-Address -- a... Andreas Grote
- Re: Multiple LDAP instances mapped to NAS-IP-Address ... Kostas Kalevras
- Re: Multiple LDAP instances mapped to NAS-IP-Address ... Andreas Grote
