Hello,
I have got this working by setting:
DEFAULT Auth-Type := pam
        Fall-Through = 1
In the users file.
I also want to restrict dialin access to certain ldap users, so I
changed the ldap filter:
filter = "(&(uid=%u)(msNPAllowDialin=TRUE))"
In the ldap {} module.
Only problem is if I set msNPAllowDialin=FALSE, they still get an
Access-Accept because the files and pam modules return ok (I think).
rad_recv: Access-Request packet from host 127.0.0.1:32826, id=1,
length=55
Thread 2 assigned request 1
--- Walking the entire request list ---
Cleaning up request 0 ID 253 with timestamp 3cf2bc99
Nothing to do. Sleeping until we see a request.
Thread 2 handling request 1, (1 handled so far)
User-Name = "ssaint"
User-Password = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "1"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 1
modcall[authorize]: module "files" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ssaint
radius_xlat: '(&(uid=ssaint)(msNPAllowDialin=TRUE))'
radius_xlat:
'ou=People,ou=XXXXXXXXXXXXXXXXXXX,ou=XXXXXXXXXXXXXXXXX,dc=XXXXXXXXXXX,dc
=XXXXXXXXXXX,dc=XXXXXXXXXXX'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
ou=People,ou=XXXXXXXXXxx,ou=XXXXXXX,dc=XXXXXXX,dc=XXXXXXXXX,dc=XXXXXXXXX
, with filter (&(uid=ssaint)(msNPAllowDialin=TRUE))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound
modcall: group authorize returns ok
rad_check_password: Found Auth-Type pam
auth: type "Pam"
modcall: entering group authenticate
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: authentication succeeded for <ssaint>
modcall[authenticate]: module "pam" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 1 to 127.0.0.1:32826
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request
How many need to fail for the Access-Request to fail?
Regards
Allister
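The debug output above answers the question once the modcall rules are spelled out, so here is an added example (not from either poster, and not FreeRADIUS code) that replays the logged authorize sequence through the default action table for the authorize section as I know it from modcall: reject/fail/handled/invalid/userlock return immediately, while ok, notfound, noop and updated only carry a priority and the highest one wins. The per-module override shown (`ldap { notfound = reject }`) is assumed to be supported by the FreeRADIUS version in use.

```python
from typing import Dict, List, Optional, Tuple, Union

RETURN = "return"  # stop the group at once; the group result is the module's code

# Default modcall actions for the authorize section (assumption: the table as
# shipped in FreeRADIUS's modcall). Either RETURN, or a priority number; the
# group result is the code with the highest priority seen so far.
AUTHORIZE_DEFAULTS: Dict[str, Union[str, int]] = {
    "reject": RETURN, "fail": RETURN, "ok": 3, "handled": RETURN,
    "invalid": RETURN, "userlock": RETURN, "notfound": 1, "noop": 2, "updated": 4,
}

Overrides = Dict[str, Dict[str, Union[str, int]]]


def run_group(modules: List[Tuple[str, str]], overrides: Optional[Overrides] = None) -> str:
    """Evaluate an authorize group. modules: (name, return_code) in call order.
    overrides: per-module actions, e.g. {"ldap": {"notfound": "reject"}} for
        ldap {
            notfound = reject
        }
    inside authorize { } in radiusd.conf. A code name as action substitutes
    that code and returns; a number is a priority; RETURN returns as-is."""
    overrides = overrides or {}
    result, best = "noop", 0
    for name, code in modules:
        action = overrides.get(name, {}).get(code, AUTHORIZE_DEFAULTS[code])
        if action == RETURN:
            return code
        if isinstance(action, str):      # named code: substitute it and stop
            return action
        if action > best:                # higher priority replaces the result
            result, best = code, action
    return result


# The module results exactly as the debug log above reports them (constructed
# from the log, not captured live).
LOG_TRACE = [("preprocess", "ok"), ("suffix", "ok"),
             ("files", "ok"), ("ldap", "notfound")]


def default_outcome() -> str:
    """As logged: ok (priority 3) from files outranks notfound (1) from ldap."""
    return run_group(LOG_TRACE)                                   # "ok"


def hardened_outcome() -> str:
    """With ldap { notfound = reject }, the filter miss becomes a reject."""
    return run_group(LOG_TRACE, {"ldap": {"notfound": "reject"}})  # "reject"
```

So no number of notfound results will fail the request; a single reject or fail from any module ends the group immediately, which is what the override turns the LDAP filter miss into.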
-----Original Message-----
From: Allister Maguire
Sent: Friday, 17 May 2002 9:26 p.m.
To: '[EMAIL PROTECTED]'
Subject: Authorization via LDAP & Authentication via PAM
Hello,
In the radiusd.conf file you have the choice of specifying which modules
are used to:
authorize {
        preprocess
        suffix
        ldap
}
And
authenticate {
        pam
}
Is it possible to authorize via LDAP (Active Directory, including all
RADIUS attributes) and authenticate via PAM (Kerberos V, Windows 2000
KDC)?
Also, is it possible to return a set of RADIUS attribute/value pairs from
a single LDAP schema attribute? E.g.:
When I created our RADIUS LDAP schema, I only wanted to create LDAP
attributes for RADIUS attribute/value pairs used to check, e.g.
"Called-Station-Id" etc. I created a generic LDAP attribute called
radiusGenericReturn; this would hold a value (attribute/value pairs)
like: "Framed-Protocol=Framed, Framed-IP-Address=192.168.0.234,
Framed-IP-Netmask=255.255.255.0 ...". This would allow the addition of
any new RADIUS attributes with ease.
Is this possible?
Thanks
Allister Maguire
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html