19.01.09, 12:30, "Alan DeKok" <[email protected]>:
> Куприянов Максим wrote:
> > I'm using FreeRadius 2.1.3 with LDAP (eDirectory) and plain-text (users
> > file) backends and I don't know how to solve a couple of problems :(
> How do you tell the users apart?
> > 1. Is it possible to mix users with same names, but different passwords from
> > LDAP and from users file? There are some old time users in my org, who
> > don't belong to eDirectory tree and there are users in eDirectory with same
> > names that should not be treated like old-time ones.
> Maybe.
I'm sure they have different passwords (password policy is different), but I
don't understand how to configure the logic "First try to authenticate to
eDirectory with User-Password, if it fails - try plain-text comparison with
Clear-Password attribute, which was set in users file".
> > 2. I need some special DEFAULT with Fall-Through=yes rules that should
> > match only users, authenticated by LDAP backend. I've tried Ldap-UserDn in
> > check section of users file, but it seems to me, that Ldap-UserDn attribute
> > is empty every time :(
> Don't use the "users" file for this. See "man unlang".
Thanks for the hint, I'll take a look.
> > 3. Also I need a reject rule for those users, who were authenticated by LDAP
> > and do not belong to any ldap-group. I've tried Ldap-Group !*, but this
> > attribute always exists for every user :(
> I'm not sure how you would do that. Maybe do an LDAP query for group
> membership, and check if the returned string is empty.
It will not work :-(. Here is a quote from rlm_ldap.c:ldap_groupcmp():

    if (check->vp_strvalue == NULL || check->length == 0){
        DEBUG("rlm_ldap::ldap_groupcmp: Illegal group name");
        return 1;
    }

> Alan DeKok.
---
Sincerely yours,
Maxim