As an extension to my answer to Sagar's question...

We are currently looking up usernames in a single LDAP instance and
accepting the auth if they exist, without checking to make sure the
password matches - see my email from a few minutes ago for that setup.

Now, we want to support realms, and have more than one LDAP instance.
We still don't want to check passwords.

I.e. if we get a request for [EMAIL PROTECTED] we should accept
it if dn=tarrall,ou=ecentral,blah=blah is found in LDAP, and reject
otherwise; if we get a request for [EMAIL PROTECTED] we'll check
for dn=tarrall,ou=example,blah instead.

It appears that Autz-Type is the answer to the first part of this -
checking different LDAP trees depending on the realm.  That part's
working for me.

HOWEVER - we're now accepting everyone, even when the authorize
module returns notfound.  That's not what we want.

From radiusd.conf:

authorize {
        preprocess
        suffix
        autztype ecentralldap {
                ecentralldap
        }
        autztype exampleldap {
                exampleldap
        }
        files
}
authenticate {
}

From users:
DEFAULT Realm == "ecentral.com", Autz-Type := ecentralldap, Auth-Type := Accept
        Fall-Through = Yes

DEFAULT Realm == "example.com", Autz-Type := exampleldap, Auth-Type := Accept
        Fall-Through = Yes

And from the log:

  modcall[authorize]: module "ecentralldap" returns notfound
  modcall: group autztype returns notfound
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user

For reference, here's what the log used to look like when a user wasn't
found in LDAP, before I started messing with Autz-Type:

   modcall[authorize]: module "ldap" returns notfound
   modcall: group authorize returns notfound
   auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
   auth: Failed to validate the user.

Is there a way to ensure that Auth-Type is set to 'Accept' ONLY if
authorize returns 'ok'?  Or some other way of accomplishing what I'm
after?

Thanks -
                       -Robert Tarrall.-
                       Unix System/Network Admin
                       E.Central/Neighborhood Link

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
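The failure mode in the post is a fail-open: the users-file entry sets Auth-Type := Accept unconditionally, so the request is accepted even though the autztype group returned notfound. While the configuration question is open, a small check over the debug log makes such acceptances visible. The following is an added example (not code from the post or from the FreeRADIUS project); the sample log is constructed, modelled on the lines quoted above, and the function assumes the FreeRADIUS 1.x debug-output wording shown in the post.

```python
import re

# Constructed sample of FreeRADIUS 1.x debug output, modelled on the lines
# quoted in the post. The second request (exampleldap returning ok) is
# invented to give the detector a negative case.
SAMPLE_LOG = """\
  modcall[authorize]: module "ecentralldap" returns notfound
  modcall: group autztype returns notfound
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
  modcall[authorize]: module "exampleldap" returns ok
  modcall: group autztype returns ok
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
"""

GROUP_RE = re.compile(r'modcall: group (\S+) returns (\S+)')
ACCEPT_RE = re.compile(r'rad_check_password: Auth-Type = Accept, accepting the user')


def find_fail_open_accepts(log_text, group_name="autztype"):
    """Scan debug output and return one (line_no, group_result) tuple for
    every 'accepting the user' line that was not preceded by an ok/updated
    result from the named authorize group (default: the autztype group
    from the post).

    group_result is the result string of the most recent matching group,
    or None if no such group result was seen before the acceptance.
    """
    findings = []
    last_result = None  # most recent result of the watched group
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = GROUP_RE.search(line)
        if m:
            if m.group(1) == group_name:
                last_result = m.group(2)
            continue
        if ACCEPT_RE.search(line):
            # An Accept that follows notfound/fail/None is the fail-open case
            # described in the post: Auth-Type := Accept fired regardless of
            # what the LDAP lookup found.
            if last_result not in ("ok", "updated"):
                findings.append((line_no, last_result))
            # One acceptance consumes the pending group result.
            last_result = None
    return findings


if __name__ == "__main__":
    for line_no, result in find_fail_open_accepts(SAMPLE_LOG):
        print(f"line {line_no}: accepted after autztype returned {result!r}")
```

Run against a live `radiusd -X` capture, each reported line is a request that was accepted without the realm's LDAP lookup having found the user, which is exactly the behaviour the post wants to rule out.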
