Thanks Phil

> 1. For PAP, you can authenticate the user by asking the LDAP module to
> do an LDAP simple bind with the pap username/password
> 2. For MS-CHAP, you install samba, join the domain, and use the
> "ntlm_auth" helper binary in the mschap module

Option 1 is the way things are being handled at the moment (LDAP simple bind), 
and I should probably mention there is no RADIUS-specific schema.

Half my problem here is that I am totally new to RADIUS of any type, but 
Alan's mention before of retrieving the password had me start to look at how 
things are being done at the moment. I was nicely confused because the current 
configuration does check for group memberships on the Novell LDAP server BUT it 
had no lines in the authorize section saying to actually check for groups. This 
is when I came to the conclusion that LDAP-Group == "something" was this funky 
lookup for authorisation by files detecting the LDAP-Group directive and 
getting the ldap module to do a lookup.

I have also learnt that the LDAP module also sets up direct access to the ldap 
servers, so AD-LDAP-Group and Novell-LDAP-Group can be referenced in the users 
file, e.g.:

# One DEFAULT entry per ldap instance: the check item on the first line is
# evaluated by the instance named in the attribute, and Fall-Through = Yes
# lets the users-file lookup continue to the next entry.
DEFAULT Auth-Type=LDAP, AD-LDAP-Group == "somegroup"
         Fall-Through=Yes
DEFAULT Auth-Type=LDAP, Novell-LDAP-Group == "somegroup"
         Fall-Through=Yes

And with an authenticate section like:
authenticate {
...
     # Try each ldap instance in turn. notfound=2 keeps the group going to
     # the next instance when this server has no DN for the user, instead
     # of returning "notfound" for the whole Auth-Type.
     Auth-Type LDAP {
             AD {
                notfound=2
               }
             Novell {
                notfound=2
               }
     }
...
}

This does have the desired effect: if I log into the system with an AD 
user/pass (who is in "somegroup") I can log in; if I authenticate with a Novell 
user/pass, it fails on the first "DEFAULT" entry but passes down to the 
Novell entry. The Auth-Type LDAP section handles itself quite nicely for 
authentication: it does a search for the DN and, if not found, fails down to the 
Novell server. Of course, if/when it finds the user's DN, it then does an LDAP 
simple bind.

If I set it up so there is just one line in the users file:
# Plain LDAP-Group is evaluated by the first ldap instance only
DEFAULT Auth-Type=LDAP, LDAP-Group == "somegroup"
         Fall-Through=Yes

RADIUS only checks the first ldap server (configured in the module section). If 
it fails (e.g. the first ldap server is Novell and you are trying to 
authenticate an AD user), it never goes on to check any other servers.

And that is just about the top to bottom of my entire freeradius knowledge.

I am now down to trying to figure out how to control the LDAP-Group membership 
lookup in a way that does not mean adding additional entries to the users file. 
I get the feeling this would not scale too well and that I would not be able to 
give any redundancy; either that, or there would need to be a "DEFAULT" entry 
for each LDAP server (so if you have 4 AD servers and 4 Novell servers that 
would be a total of 8 entries in the users file).

The above solution would probably work just fine for our purposes (we are only 
talking about a 6-month window of having both directory services), but I always 
like to try and be complete, if only for someone else doing something similar 
in 5 years' time :)

I also have to apologise, I am at home with "outlook web^H^H^HIE access", so I 
hope things come out correctly... of course any spelling mistakes are purely 
the fault of the webmail client ;)

Cheers,

Stewart


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
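As an added example (not code from Stewart's post or from the FreeRADIUS project), the following Python models the flow the message describes: search each directory in order for the user's DN, treat "not found" and "server unreachable" as reasons to move on to the next directory (the effect of the notfound=2 entries), check the required group, and finish with a simple bind as the user's own DN. The FakeDirectory class, its sample entries and the placeholder passwords are constructed stand-ins for real LDAP servers, and the search_dn/member_of/simple_bind methods are assumptions standing in for real LDAP operations. It also shows a distinction the thread's configuration leaves implicit: a known user with a wrong password or the wrong group is rejected outright and not retried against the remaining directories.

```python
"""Added example, not code from the original post or from FreeRADIUS: a model
of "search each directory for the DN, fall through if not found, then simple
bind".  FakeDirectory and its entries are constructed stand-ins for real LDAP
servers (an assumption)."""

from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    OK = "ok"              # DN found, group satisfied, simple bind succeeded
    NOTFOUND = "notfound"  # no DN in this directory: try the next one
    FAIL = "fail"          # directory unreachable: try the next one
    REJECT = "reject"      # DN found but group or password check failed: stop


@dataclass
class FakeDirectory:
    """Constructed in-memory stand-in for one LDAP server."""
    name: str
    entries: dict          # uid -> {"dn": str, "password": str, "groups": list}
    reachable: bool = True

    def search_dn(self, uid):
        """Like the ldap module's DN search: returns the DN or None."""
        if not self.reachable:
            raise ConnectionError(f"{self.name} is unreachable")
        entry = self.entries.get(uid)
        return entry["dn"] if entry else None

    def member_of(self, dn, group):
        """Like the <instance>-LDAP-Group check item."""
        for entry in self.entries.values():
            if entry["dn"] == dn:
                return group in entry["groups"]
        return False

    def simple_bind(self, dn, password):
        """Like an LDAP simple bind as the user's own DN."""
        for entry in self.entries.values():
            if entry["dn"] == dn:
                return entry["password"] == password
        return False


def try_directory(directory, uid, password, required_group):
    """Authorize (DN search, group check) then authenticate (bind) on one server."""
    try:
        dn = directory.search_dn(uid)
    except ConnectionError:
        return Result.FAIL
    if dn is None:
        return Result.NOTFOUND
    if not directory.member_of(dn, required_group):
        return Result.REJECT  # known user, wrong group: do not fall through
    if not directory.simple_bind(dn, password):
        return Result.REJECT  # known user, wrong password: do not fall through
    return Result.OK


def authenticate(directories, uid, password, required_group):
    """Walk the directories in order (AD first, then Novell in the thread).

    NOTFOUND and FAIL move on to the next directory, which is what the
    notfound=2 entries in the Auth-Type LDAP group achieve.  REJECT ends the
    walk, so a wrong password for a user one directory already knows is never
    retried against the remaining directories.  Returns the final result and
    the name of the directory that produced it (None if no directory knew the
    user).
    """
    last = Result.NOTFOUND
    for directory in directories:
        result = try_directory(directory, uid, password, required_group)
        if result in (Result.OK, Result.REJECT):
            return result, directory.name
        last = result
    return last, None


# Constructed sample data: alice lives in AD, bob in Novell, carol in AD but
# outside the required group.  Passwords are placeholders.
AD = FakeDirectory("AD", {
    "alice": {"dn": "cn=alice,ou=users,dc=example,dc=com",
              "password": "alice-pw", "groups": ["somegroup"]},
    "carol": {"dn": "cn=carol,ou=users,dc=example,dc=com",
              "password": "carol-pw", "groups": ["otherusers"]},
})
NOVELL = FakeDirectory("Novell", {
    "bob": {"dn": "cn=bob,o=example",
            "password": "bob-pw", "groups": ["somegroup"]},
})
DIRECTORIES = [AD, NOVELL]

if __name__ == "__main__":
    for uid, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                    ("bob", "wrong"), ("carol", "carol-pw"), ("dave", "x")]:
        print(uid, authenticate(DIRECTORIES, uid, pw, "somegroup"))
```

The single-entry users file from the thread corresponds to calling authenticate with a one-element directory list: a Novell user is then NOTFOUND on AD and never reaches the second server. Passing both directories reproduces the two-DEFAULT-entry behaviour, and marking a directory unreachable shows FAIL being skipped in the same way as NOTFOUND.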
