On Sat, 27 Apr 2002, Andreas Grote wrote:
> Ok, I have a pretty complex configuration here.
> I am using freeradius 0.5
>
> ------------------------------ The setting -----------------------------------------------------------------
>
> 1.
>
> I need to check for username, password and access attribute.
> The username and password shall always be the same (single sign-on).
> The username is stored in LDAP; the password is crypted.
> NT and LM passwords are stored in LDAP too.
>
>
> 2.
> The access attribute is supposed to give access only if the request comes from a specified NAS-IP-Address!
>
> So if user Testman with password "test" dials in on our Shiva, and the access attribute DialinAccess=TRUE, he is accepted.
> But if he uses the VPN-Gateway, the access attribute VPNaccess=TRUE has to be checked.
>
> 3.
> If he uses the VPN-Gateway I need to retrieve the NT/LM passwords to do an MS-CHAP authentication for encryption to work!
>
>
>
> ------------------------------------------------- What I did ------------------------------------------------
>
> I managed to get three different ldap module configurations working
>
> authenticate {
>         authtype LDAP1 {
>                 ldap1
>         }
>         authtype LDAP2 {
>                 ldap2
>         }
>         authtype LDAP3 {
>                 ldap3
>         }
> }
>
> that are called through the users file with:
>
> DEFAULT Auth-Type := LDAP1, Hunt-Group-Name == Dialin
>         Fall-Through = No
>
> DEFAULT Auth-Type := LDAP2, Hunt-Group-Name == Cas
>         Fall-Through = No
>
> DEFAULT Auth-Type := LDAP3, Hunt-Group-Name == Vpn
>
> I need this because I want to check for different access attributes for VPN, Dialin etc.
>
> Now I need the third LDAP module to do another authentication using the retrieved NT/LM passwords with MS-CHAP.
>
> How is this possible??
>
> If I do
>
>
> DEFAULT Auth-Type := LDAP1, Hunt-Group-Name == Dialin etc.
>         Fall-Through = No
>
> DEFAULT Auth-Type := LDAP2, Hunt-Group-Name == Dialin etc.
>         Fall-Through = No
>
> DEFAULT Auth-Type := MS-Chap, Hunt-Group-Name == Vpn
>         Fall-Through = No
>
> then I (of course) won't retrieve the NT/LM password from LDAP, so MS-CHAP can't work.
>
> ----------------------------------------------- Questions ----------------------------------------
>
>
> But how can I trigger LDAP1-3 in the authorisation section?
>
> I can just put all three in there
>
> authorize {
>         ldap1
>         ldap2
>         ldap3
> }
>
> But in this case one of them will always give an OK, no matter which username -> access attribute combination is used.
>
> I cannot do something like
>
> authorize {
>         ldap1, Hunt-Group-Name == Dialin
>         ldap2, Hunt-Group-Name == CAS
>         ldap3, Hunt-Group-Name == VPN   ---- and set Auth-Type = MS-Chap
> }
>
> can I?
Use Autz-Type. Set up your authorize section like this:
authorize {
        autztype LDAP1 {
                ldap1
        }
        autztype LDAP2 {
                ldap2
        }
        autztype LDAP3 {
                ldap3
        }
        files   <-- users file module
        [...]   <-- any other authorization modules
}
And in your users file:
DEFAULT Autz-Type := LDAP1, Hunt-Group-Name == Dialin
DEFAULT Autz-Type := LDAP2, Hunt-Group-Name == CAS
DEFAULT Auth-Type := MS-Chap, Autz-Type := LDAP3, Hunt-Group-Name == VPN
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
>
>
> Will I have to use multiple radius daemons running on different ports?
> That would suck :-(
>
> ------------------------------------- even more questions --------------------------------------------
>
> I also tried to get rid of the users file and store the Huntgroup-Name check item in LDAP too, but that didn't quite work.
> But it should, shouldn't it?
>
> Probably because I just called LDAP for authentication, I guess, but again, I cannot trigger different LDAP modules for authorisation depending on the NAS-IP-Address, can I!
>
> ------------------------------------- Bug? -----------------------------------------------------------------
>
> 1. When I used more than one instance of rlm_ldap, it seemed like the access attribute in the ldap module configuration section wouldn't be recognized for authentication. So I have to use a different filter now that searches for uid & accessattribute=TRUE.
>
> 2. The AuthType = MS-chap in the ldap configuration section of radius.conf doesn't seem to have any effect. What is it supposed to do?
> I thought it would just set the AuthType to MS-Chap when LDAP is called in the authorisation section, but it doesn't! I still have to use
> DEFAULT Auth-Type := MS-Chap in the users file!
>
> 3. LDAP NT/LM password values are not recognized by MS-CHAP;
> see posting "MS-CHAP nt-lnPasswords on LDAP" for more information!
>
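A fuller sketch of the Autz-Type approach from the reply, added here as an illustration and not taken from the thread or from the FreeRADIUS project's own configuration files: the huntgroups file turns the NAS-IP-Address into a huntgroup name (rlm_preprocess spells that attribute Huntgroup-Name), each ldap instance checks its own access attribute, and only the VPN huntgroup is sent to MS-CHAP, which needs the NT/LM hashes that the LDAP authorize step pulled in. Server names, DNs, NAS addresses and the second (CAS) path are constructed or left out; the NT/LM hash mapping to NT-Password/LM-Password is assumed to be done by the instance's dictionary mapping.

```conf
# --- radiusd.conf, FreeRADIUS 0.x syntax (constructed example) ---
modules {
        ldap ldap1 {                      # dial-in users (the Shiva)
                server      = "ldap.example.org"
                basedn      = "ou=people,dc=example,dc=org"
                filter      = "(uid=%u)"
                access_attr = "DialinAccess"   # entry must carry DialinAccess=TRUE
        }
        ldap ldap3 {                      # VPN users
                server      = "ldap.example.org"
                basedn      = "ou=people,dc=example,dc=org"
                filter      = "(uid=%u)"
                access_attr = "VPNaccess"      # entry must carry VPNaccess=TRUE
                # assumed: this instance's dictionary mapping turns the LDAP
                # NT/LM hash attributes into NT-Password / LM-Password
        }
        mschap {
        }
}

authorize {
        preprocess            # reads huntgroups and sets Huntgroup-Name
        autztype LDAP1 {
                ldap1
        }
        autztype LDAP3 {
                ldap3
        }
        files                 # users file picks Autz-Type and Auth-Type
}

authenticate {
        authtype LDAP1 {
                ldap1
        }
        authtype MS-CHAP {
                mschap
        }
}

# --- huntgroups file: the NAS address decides the huntgroup (constructed) ---
Dialin  NAS-IP-Address == 192.0.2.10
VPN     NAS-IP-Address == 192.0.2.20

# --- users file: the huntgroup selects the LDAP instance and auth method ---
DEFAULT Auth-Type := LDAP1, Autz-Type := LDAP1, Huntgroup-Name == Dialin
        Fall-Through = No

DEFAULT Auth-Type := MS-CHAP, Autz-Type := LDAP3, Huntgroup-Name == VPN
        Fall-Through = No
```

Because the access path is chosen purely from NAS-IP-Address, the per-NAS shared secrets in the clients configuration are what stop a request from one NAS being treated as coming from another.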
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html