Further to my previous email, I have gained a better understanding of the
situation. As I said in my first post, I have been roped in, so this is my
introduction to RADIUS, specifically FreeRADIUS - nothing like being thrown in
the deep end to learn a new service. :)
What I have realised is that there appear to be 2 ways that authorisation is
called for LDAP. One way is to name the LDAP modules in the authorise section.
The other way appears to be through the LDAP-Group in the users file and
letting the "files" module then call the LDAP module.
If I have anything incorrect in the above statement please let me know.
Now, with that in mind, I can simplify my problem... I think.
The working configuration as it stands is configured to use Auth-Type LDAP as
defined in the users file with appropriate LDAP-Groups, e.g.:
DEFAULT Auth-Type = LDAP, LDAP-Group == "SomeGroup"
        Fall-Through = Yes
There is no mention of the ldap server (novell) in the authorise section of the
radiusd.conf file.
This leads me to believe (and looking at -X -f output) that when an access
request is made, the RADIUS server goes through the authorise section first,
hits the files module, the files module then sees the LDAP-Group and calls the
LDAP module and checks for the group.
If I don't have that correct, please feel free to correct me.
Assuming I do have that correct, the behaviour I am seeing is that the eventual
call to the LDAP module for checking the group does not seem to allow being
configured to fall through to another ldap server if the first ldap server does
not yield a successful result.
Thoughts?
Stewart :)
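For reference, here is one way to get the per-directory group check and the
"try AD, then Novell" fall-through that the message above asks about. This is
an added example, not configuration posted in the thread and not anything
from the FreeRADIUS project itself. It assumes FreeRADIUS 1.x/2.x-style
radiusd.conf and users files, two rlm_ldap instances, and the
"<instance>-Ldap-Group" check attribute that rlm_ldap registers for each
named instance (check the rlm_ldap documentation for your exact version; in
2.x the TLS settings move into a tls {} sub-section). The instance names,
hostnames, bind DNs, base DNs and group names are all hypothetical.

```conf
# radiusd.conf (added example; hostnames, DNs and names are hypothetical)
modules {
    # One rlm_ldap instance per directory.  The instance name is what
    # the users file refers to: "ldap_ad-Ldap-Group" and "Auth-Type ldap_ad".
    ldap ldap_ad {
        server = "ad.example.com"
        start_tls = yes                       # never send bind passwords in clear
        identity = "cn=radius,cn=Users,dc=ad,dc=example,dc=com"
        password = "changeme"                 # service account, read-only
        basedn = "dc=ad,dc=example,dc=com"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # AD lists a user's groups on the user object, so compare against
        # memberOf instead of searching with the default GroupOfNames filter.
        groupmembership_attribute = "memberOf"
        groupname_attribute = "cn"
    }
    ldap ldap_novell {
        server = "edir.example.com"
        start_tls = yes
        identity = "cn=radius,ou=services,o=example"
        password = "changeme"
        basedn = "o=example"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        # eDirectory stores the group DNs on the user in groupMembership.
        groupmembership_attribute = "groupMembership"
        groupname_attribute = "cn"
    }
}

authorize {
    preprocess
    # The files module evaluates the users file below.  Each
    # "<instance>-Ldap-Group" check item calls back into that rlm_ldap
    # instance, so neither ldap instance needs to be listed here.
    files
}

authenticate {
    # Auth-Type ldap_ad binds to AD as the user with the PAP password;
    # AD will not hand out the password, so a bind is the only thing that
    # works.  This requires PAP from the NAS (no CHAP/MS-CHAP/EAP).
    Auth-Type ldap_ad {
        ldap_ad
    }
    Auth-Type ldap_novell {
        ldap_novell
    }
}
```

```conf
# users (added example).  The files module stops at the first entry whose
# check items all match.  If the AD group check fails (user not in AD, or
# in AD but not in the group) the first DEFAULT does not match and
# evaluation falls to the next one, which repeats the check against
# eDirectory.  Only a user who is in neither group reaches the final
# Reject, so authorisation is decided per directory before any bind.
DEFAULT ldap_ad-Ldap-Group == "VPN-Users", Auth-Type := ldap_ad
        Fall-Through = No

DEFAULT ldap_novell-Ldap-Group == "vpnusers", Auth-Type := ldap_novell
        Fall-Through = No

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of a VPN group in AD or eDirectory"
```

Two things to check with radiusd -X when testing this: that the debug output
shows the group search running against the expected instance for each
DEFAULT entry, and that a user present in both directories binds only
against the one whose group matched first (AD here), since that is the
directory whose password policy you end up trusting. Also confirm that the
bind path never tries an empty password, because some directories treat an
empty-password bind as a successful anonymous bind; rlm_ldap refuses empty
passwords, but the NAS-side configuration should not rely on that alone.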
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stewart James
Sent: Wednesday, 15 August 2007 1:49 PM
To: FreeRadius users mailing list
Subject: RE: Multiple (different) LDAP servers and authorisation
Hi Alan,
Thanks for offering some help, no need to point out that in reality AD != true
LDAP. Well and truly aware of it.
Let's step through what we need.
At the moment we have a large number of people that get their
authentication/authorisation through the Radius server (VPN Service). There
will be a period (over the next few months) where some people will have an
account in AD and Novell, some will have just an account in Novell and some
will have an account in AD.
What we want to be able to do is allow users to continue using their systems
without changing anything in their configuration, and for the RADIUS server to
see if they are an authorised user with valid credentials on the AD LDAP
interface and, if they are not in that, check the Novell LDAP interface.
I can:
* Have the system perform authentication on the user to the AD system and, if
the user is not found, it will then check for the user on the Novell system -
providing I do not specify an LDAP-Group requirement in the users file, e.g.
just authentication, not authorisation.
* Have the system perform authentication and authorisation on a given user
providing I only configure one of the Directory Services (e.g. only list the AD
server for both authentication and authorisation).
So it is only in the authorisation area I am having problems.
Does that make more sense?
Cheers,
Stewart
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, 15 August 2007 12:16 PM
To: FreeRadius users mailing list
Subject: Re: Multiple (different) LDAP servers and authorisation
Stewart James wrote:
> I have been roped in to look over an issue we have with migrating from
> Novell to AD.
Repeat after me: AD is not an LDAP server.
It's not. It fakes it pretty well, but it's not.
> As I stated earlier, authentication fall through works like a treat (if
> in the users file I don't specify an LDAP-Group, authentication works).
> If I only specify 1 ldap server to do authentication and authorisation,
> everything works; it's only when I try to do authorisation via LDAP-Group
> AND try to do authorisation fall through as documented above that I
> start getting errors.
If you are trying to use LDAP to obtain the "known good" password from
AD, it's impossible.
> rlm_ldap: performing search in dc=ad,dc=vu,dc=edu,dc=au, with filter
> (samaccountname=USERNAME)
..
> rlm_ldap: looking for check items in directory...
>
> rlm_ldap: looking for reply items in directory...
Nothing. i.e. The user was found, but *nothing* more than that was found.
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
The server doesn't know how to authenticate the user, so the user is
rejected.
Please explain a little more what you're trying to do, and what you
expect to see where. Right now, you're trying to debug a solution.
Instead, focus on the problem, and the solution may be simple (or
impossible).
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html