At 10:04 PM 2/4/2003 +0100, Jacques Caruso wrote:
On Monday 3 February 2003 14:22, Alan DeKok wrote:
> The solution would be to put all of *your* users into a Unix group.
> You can then do:
>
> DEFAULT Group == "myusers", Auth-Type := System
> # NO fall-through!
>
> DEFAULT Proxy-To-Realm = "otherguy"
Huh... a Unix group ? Since I'm working on a SQL backend, that isn't
possible, but all our local users are already in a group in the SQL DB.
I've thus added the Auth-Type attribute to the groups' attributes list
in the radgroupreply table. Here is the complete table :
mysql> SELECT * FROM radgroupreply WHERE GroupName='internix';
| 42 | internix | No-Such-Attribute | | := | 0 |
That looks a bit suspect to me.
| 48 | internix | Auth-Type | System | := | 0 |
You don't want this in a reply. It is a 'Check-Item', put it in radgroupcheck.
Without success (the server continues to proxy the request for local users, and thus rejects our local users).
This is a bug, and is fixed in the latest CVS. When looking up the realm NULL, the server returned the DEFAULT realm entry if you had one configured. It now properly returns nothing when looking up NULL if you don't have a specific NULL realm entry.
modcall[authorize]: module "sql" returns ok
rlm_realm: No '@' in User-Name = "**********", looking up realm NULL
rlm_realm: Found realm DEFAULT
rlm_realm: Setting Stripped-User-Name = "**********"
rlm_realm: Proxying request from user ********** to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Preparing to proxy authentication request to realm DEFAULT
Yup, you need to upgrade to the latest CVS version to fix this bug.

-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net
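Added example, not part of the original thread and not FreeRADIUS code: a Python check over debug output that flags the symptom discussed above, a User-Name with no '@' whose realm NULL lookup resolves to another realm and is then proxied. The three line formats are taken from the debug excerpt in the message; the function name, user names and sample log are constructed for illustration.

```python
import re

# Line formats copied from the rlm_realm debug excerpt quoted in the thread.
NO_AT = re.compile(r'rlm_realm: No \'@\' in User-Name = "([^"]*)", looking up realm NULL')
FOUND = re.compile(r'rlm_realm: Found realm (\S+)')
PROXY = re.compile(r'rlm_realm: Proxying request from user (\S+) to realm (\S+)')


def find_null_realm_fallbacks(lines):
    """Return (user, realm, proxied) for each NULL lookup that matched another realm."""
    findings = []
    user = None   # user of the NULL lookup currently being tracked
    idx = None    # index in findings once a non-NULL realm was found for it
    for line in lines:
        m = NO_AT.search(line)
        if m:
            user, idx = m.group(1), None
            continue
        if user is None:
            continue
        m = FOUND.search(line)
        if m and idx is None:
            if m.group(1) == "NULL":
                user = None          # an explicit NULL realm entry matched: expected
            else:
                findings.append([user, m.group(1), False])
                idx = len(findings) - 1
            continue
        m = PROXY.search(line)
        if m and idx is not None and m.group(1) == user and m.group(2) == findings[idx][1]:
            findings[idx][2] = True  # the local user really was sent upstream
            user, idx = None, None
    return [tuple(f) for f in findings]


# Constructed sample: "alice" shows the buggy fallback, "bob" a lookup with no match.
SAMPLE_LOG = '''\
modcall[authorize]: module "sql" returns ok
rlm_realm: No '@' in User-Name = "alice", looking up realm NULL
rlm_realm: Found realm DEFAULT
rlm_realm: Setting Stripped-User-Name = "alice"
rlm_realm: Proxying request from user alice to realm DEFAULT
rlm_realm: No '@' in User-Name = "bob", looking up realm NULL
modcall[authorize]: module "sql" returns ok
'''.splitlines()

if __name__ == "__main__":
    for u, realm, proxied in find_null_realm_fallbacks(SAMPLE_LOG):
        print(f"user {u!r}: NULL lookup matched realm {realm}, proxied={proxied}")
```

Any finding with proxied=True on a server that has no NULL realm entry of its own matches the behaviour described in the reply.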
