As an extension to my answer to Sagar's question...
We are currently looking up usernames in a single LDAP instance and
accepting the auth if they exist, without checking to make sure the
password matches - see my email from a few minutes ago for that setup.
Now, we want to support realms, and have more than one LDAP instance.
We still don't want to check passwords.
I.e. if we get a request for [EMAIL PROTECTED] we should accept
it if dn=tarrall,ou=ecentral,blah=blah is found in LDAP, and reject
otherwise; if we get a request for [EMAIL PROTECTED] we'll check
for dn=tarrall,ou=example,blah instead.
It appears that Autz-Type is the answer to the first part of this -
checking different LDAP trees depending on the realm. That part's
working for me.
HOWEVER - we're now accepting everyone, even when the authorize
module returns notfound. That's not what we want.
From radiusd.conf:
authorize {
        preprocess
        suffix
        autztype ecentralldap {
                ecentralldap
        }
        autztype exampleldap {
                exampleldap
        }
        files
}
authenticate {
}
authenticate {
}
From users:
DEFAULT Realm == "ecentral.com", Autz-Type := ecentralldap, Auth-Type := Accept
        Fall-Through = Yes
DEFAULT Realm == "example.com", Autz-Type := exampleldap, Auth-Type := Accept
        Fall-Through = Yes
And from the log:
modcall[authorize]: module "ecentralldap" returns notfound
modcall: group autztype returns notfound
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
For reference, here's what the log used to look like when a user wasn't
found in LDAP, before I started messing with Autz-Type:
modcall[authorize]: module "ldap" returns notfound
modcall: group authorize returns notfound
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Is there a way to ensure that Auth-Type is set to 'Accept' ONLY if
authorize returns 'ok'? Or some other way of accomplishing what I'm
after?
Thanks -
-Robert Tarrall.-
Unix System/Network Admin
E.Central/Neighborhood Link
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
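An added configuration sketch, not from Robert's post or from the FreeRADIUS project, showing one way to tie Auth-Type to the LDAP lookup result. It assumes FreeRADIUS 2.x or later, where the authorize section accepts unlang (the post's log format is from an earlier release), and reuses the instance names ecentralldap and exampleldap from the post; Auth-Type := Accept is only set when the realm's ldap instance returns ok, so a notfound leaves no Auth-Type and the request is rejected as in the old log.

```conf
# Added example (assumes FreeRADIUS 2.x+ unlang). Replaces the
# "autztype ... / files" arrangement and the Auth-Type := Accept
# lines in the users file, which set Accept before the lookup ran.
authorize {
        preprocess
        suffix          # splits user@realm and sets Realm

        if (Realm == "ecentral.com") {
                ecentralldap            # returns ok if the DN exists
                if (ok) {
                        update control {
                                Auth-Type := Accept   # existence-only, no password check
                        }
                }
        }
        elsif (Realm == "example.com") {
                exampleldap
                if (ok) {
                        update control {
                                Auth-Type := Accept
                        }
                }
        }
        # Unknown realm, or user not found in LDAP: no Auth-Type is set,
        # so the server logs "No Auth-Type" and rejects the request.
}

authenticate {
}
```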