Thanks Alan DeKok for pointing out the obvious.... that the Autz-Type directive is meaningless until the authorize section has had a hit at 'files'. You got me over that hurdle.

However, I am now experiencing a problem that I saw Kostas Kalevras and Ron Wahler discussing back in April. I couldn't find their resolution in the archive.

As I mentioned earlier, my ultimate goal is to use rlm_ldap to authenticate the user without the initial search for the user. You say...

> Then don't list "ldap" in the "authorize" section.

Well, now I have...

DEFAULT Ldap-UserDN := `cn=%{User-Name},dc=richmond,dc=edu`, Auth-Type = ldap

authorize {
        files
}
authenticate {
        Auth-Type ldap {
                ldap1
        }
}

...and the whole thing works, except it's still doing the initial bind-and-search...

rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=richmond,dc=edu/xxxxxxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=richmond,dc=edu, with filter (cn=ccarter)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: cn=ccarter,dc=richmond,dc=edu
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as cn=ccarter,dc=richmond,dc=edu/yyyyyyyy to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user ccarter authenticated succesfully


This happens contrary to the last bit of advice in doc/freeradius-1.0.0/rlm_ldap.

Any suggestions?
Thanks,
Coates




On Aug 20, 2004, at 2:55 PM, Alan DeKok wrote:

Coates Carter <[EMAIL PROTECTED]> wrote:
> The Autz-Type directive doesn't seem to behave the way I would expect,
> based upon what I read in doc/freeradius-1.0.0/Autz-Type .

Autz-Type is applied after the "authorize" section has been processed.

> In raddb/users...
>
> DEFAULT Ldap-UserDN := `uid=%{User-Name},dc=richmond,dc=edu`,
> Auth-Type = ldap, Autz-Type = ldap
>
> If raddb/radiusd.conf has...
> ...
> authorize {
>         Autz-Type ldap {
>                 ldap1
>         }
>         #ldap1
> }

You haven't listed "files", so the "users" file will never be used, and the Autz-Type will never be set.

> However if I change raddb/radiusd.conf so that...
>
> authorize {
>         #Autz-Type ldap {
>         #       ldap1
>         #}
>         ldap1
> }
>
> ... Then radiusd flows successfully through authorize and authenticate.

Because the "ldap" module sets "Auth-Type := LDAP", if it wasn't already set.

> Ultimately, I want to prevent rlm_ldap from doing the initial ldap
> search for the user, as described in
> doc/freeradius-1.0.0/rlm_ldap and just move on through to the
> authentication part, where rlm_ldap binds as the user.

Then don't list "ldap" in the "authorize" section.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
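As an added example (not code from the thread or from FreeRADIUS), here is a small checker for the rlm_ldap debug output quoted above. It tells the two connection pools apart by the "authentication 0/1" flag on the (re)connect line, records every bind and search in order, and reports whether the request went through the admin bind-and-search path or only the per-user bind the poster is trying to reach. The sample logs are constructed: SAMPLE_LOG is the thread's own output, DIRECT_BIND_LOG is what the wanted configuration would be expected to print (an assumption, not output the thread shows). Useful when verifying a radiusd -X run after changing the authorize section, so that the admin credential and search are confirmed absent rather than assumed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the rlm_ldap debug lines quoted in the thread above.
SAMPLE_LOG = """\
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=richmond,dc=edu/xxxxxxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=richmond,dc=edu, with filter (cn=ccarter)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: cn=ccarter,dc=richmond,dc=edu
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as cn=ccarter,dc=richmond,dc=edu/yyyyyyyy to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user ccarter authenticated succesfully
"""

# Constructed (assumed) sample of the wanted behaviour: user bind only, no admin search.
DIRECT_BIND_LOG = """\
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as cn=ccarter,dc=richmond,dc=edu/yyyyyyyy to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user ccarter authenticated succesfully
"""

# Patterns match the line shapes seen in the thread's 1.0.0 debug output.
CONNECT_RE = re.compile(r"^rlm_ldap: \(re\)connect to (\S+), authentication ([01])$")
BIND_RE = re.compile(r"^rlm_ldap: bind as (.+?)/\S+ to \S+$")   # DN before the '/', password after it
SEARCH_RE = re.compile(r"^rlm_ldap: performing search in (.+?), with filter (\(.*\))$")
BIND_OK_RE = re.compile(r"^rlm_ldap: Bind was successful$")


def parse_events(log: str) -> List[dict]:
    """Turn rlm_ldap debug output into an ordered list of connect/bind/search events.

    The 'authentication' flag on the (re)connect line identifies the pool:
    0 is the admin connection used for the search, 1 is the connection on
    which rlm_ldap binds as the user.
    """
    events: List[dict] = []
    current_auth: Optional[int] = None
    for raw in log.splitlines():
        line = raw.strip()
        m = CONNECT_RE.match(line)
        if m:
            current_auth = int(m.group(2))
            events.append({"kind": "connect", "host": m.group(1), "auth": current_auth})
            continue
        m = BIND_RE.match(line)
        if m:
            events.append({"kind": "bind", "dn": m.group(1), "auth": current_auth, "ok": None})
            continue
        if BIND_OK_RE.match(line):
            # The result line follows its bind; mark the most recent bind as successful.
            for ev in reversed(events):
                if ev["kind"] == "bind":
                    ev["ok"] = True
                    break
            continue
        m = SEARCH_RE.match(line)
        if m:
            events.append({"kind": "search", "base": m.group(1),
                           "filter": m.group(2), "auth": current_auth})
    return events


def summarize(log: str) -> Dict[str, Optional[object]]:
    """Classify one request's rlm_ldap flow as search-then-bind or direct-bind."""
    events = parse_events(log)
    admin_binds = [e for e in events if e["kind"] == "bind" and e["auth"] == 0]
    user_binds = [e for e in events if e["kind"] == "bind" and e["auth"] == 1]
    searches = [e for e in events if e["kind"] == "search"]
    mode = "search-then-bind" if (admin_binds or searches) else "direct-bind"
    return {
        "mode": mode,
        "admin_dn": admin_binds[0]["dn"] if admin_binds else None,
        "search_filter": searches[0]["filter"] if searches else None,
        "user_dn": user_binds[-1]["dn"] if user_binds else None,
        "user_bind_ok": user_binds[-1]["ok"] if user_binds else None,
    }


if __name__ == "__main__":
    for name, log in (("thread output", SAMPLE_LOG), ("direct bind", DIRECT_BIND_LOG)):
        print(name, summarize(log))
```

Run against a captured radiusd -X session one request at a time; a "search-then-bind" result with the admin DN filled in means the authorize-side search is still active, whatever the configuration was meant to do.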
