Thanks Alan for the info. By using the if statement I was able to stop the processing of the request. However, I need to do more research and communicating with our AD or our NPS server. However, since that doesn't involve the subject of this message, I would start another question without 'stop authorization' in the subject line.
Thanks again.

-----Original Message-----
From: freeradius-users-bounces+bwedel=cr.k12.ia...@lists.freeradius.org [mailto:freeradius-users-bounces+bwedel=cr.k12.ia...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, January 22, 2013 1:22 PM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.2.0 stop authorization

Wedel Blake wrote:
> ... What I want to do is set up ldap to authenticate against our Windows 2010
> server where the computers are a part of the domain.

  AD isn't really an LDAP server. You'll probably need to run Samba. See:

http://deployingradius.com/documents/configuration/active_directory.html

> I would like for it to query mysql first and then query ldap if it didn't
> find the computer in mysql.

	authorize {
		...
		sql
		if (notfound) {
			ldap
		}
		...
	}

  Should work for PAP requests. (User-Name / User-Password)

> If I remove ldap for the defaults file I get an Access-Accept reply as
> expected. It's just that if there is anything after sql in the defaults file
> then it will continue on to try and authenticate against another module.

  Use the configuration I posted above. It should help.

> Below you can see a simple query with 'blake' being sent as both the
> user-name and password. It queries the db and finds it (as expected).
> However it continues to go to ldap and tries to find it to which I get an
> error.

  Read raddb/modules/ldap. Look for "operations error"

> I understand that I don't have ldap working properly right now. However,
> first I just want to get the logic setup to where after finding a name in
> mysql it will stop and reply back with an Access-Accept and not query ldap.
> Is there a setting you have to put in a conf file?

  It's a policy you write. There is no "setting" to do if/then/else
programming.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
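Why the conditional in the quoted reply matters, as an added example that is not from the thread or from FreeRADIUS itself: a simplified Python model of an authorize section in which each module yields a return code. The return codes given to the sql and ldap stubs, the priority table and all function names are assumptions of this model.

```python
# Simplified model of an authorize section (added example, not FreeRADIUS code).
# Module names come from the thread; the return code each stub yields and the
# priority table below are assumptions of this model.

RETURN = "return"  # action: stop processing the section immediately

# Assumed action per return code: a number is a priority, RETURN stops at once.
ACTIONS = {"reject": RETURN, "fail": RETURN, "ok": 3,
           "notfound": 1, "noop": 2, "updated": 4}


def run_section(section, modules):
    """Run a list of steps and return (final_rcode, modules_called)."""
    called = []
    state = {"result": "noop", "prio": 0, "last": "noop", "stop": False}

    def run(steps):
        for step in steps:
            if state["stop"]:
                return
            if isinstance(step, tuple):          # ("if", rcode, [steps])
                _, wanted, body = step
                if state["last"] == wanted:      # tests the previous module's code
                    run(body)
                continue
            rcode = modules[step]()
            called.append(step)
            state["last"] = rcode
            action = ACTIONS[rcode]
            if action == RETURN:                 # e.g. fail: section ends here
                state["result"], state["stop"] = rcode, True
            elif action >= state["prio"]:        # higher priority code wins
                state["result"], state["prio"] = rcode, action

    run(section)
    return state["result"], called


# Constructed scenario: sql finds the user, ldap is misconfigured and errors out.
MODULES = {"sql": lambda: "ok", "ldap": lambda: "fail"}

UNCONDITIONAL = ["sql", "ldap"]                       # ldap listed after sql
CONDITIONAL = ["sql", ("if", "notfound", ["ldap"])]   # policy from the reply

if __name__ == "__main__":
    print(run_section(UNCONDITIONAL, MODULES))  # ldap still runs and fails the request
    print(run_section(CONDITIONAL, MODULES))    # ldap is skipped, sql's result stands
```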

