Hi there,

I have a handler (as shown below) that was performing an LDAP lookup for a userid, then stripping the password and handing off to a Duo RADIUS proxy that would then take care of MFA.

However, one day I switched my LDAP server off, which caused a bit of chaos ;-) No problem, let's put another LDAP server in and change the 'ContinueWhileAccept' to control the policy to something else..

What I am trying to do optimally is:

Try LDAP entry 1; if this passes, jump to MFA; if this passes, then return accept.
If LDAP 1 returns reject, then return reject.

HOWEVER

If LDAP entry 1 fails with a timeout, try LDAP entry 2; if this passes, jump to MFA; if this passes, then return reject.
If LDAP 2 returns a reject, then return reject.

I'm unsure how to do this though; it would be like:

Policy = ContinueWhileAccept
  (Do LDAP Group)
  Do RADIUS group

LDAP Group Policy = ContinueWhileIgnore
  Do LDAP 1
  Do LDAP 2

Is it possible to perform nested auth policies like this?

Thanks in advance..

-- handler config --

<Handler User-Name=/^username\d*/>
    RewriteUsername tr/A-Z/a-z/
    RewriteUsername s/^([^@]+).*/$1/
    PreAuthHook file:"%D/hooks/PreAuthHook-PasswordDebug.pl"
    AuthByPolicy ContinueWhileIgnore

    <AuthBy LDAP2>
        Host 1.2.3.4
        Port 3268
        AuthDN %{LDAPDN:%U}@example.com
        AuthPassword %P
        Timeout 5
        FailureBackoffTime 600
        BaseDN ou=example users,dc=example,dc=com
        Scope sub
        ServerChecksPassword
        UnbindAfterServerChecksPassword
        UsernameAttr sAMAccountName
        AuthAttrDef logonHours,MS-Login-Hours,check
        # Get user group memberships from this attribute
        GroupMembershipAttr memberOf
        # This post search hook performs the magic that
        # matches a user, group and device and sets reply
        # attributes.
        PostSearchHook file:"%D/hooks/PostSearchHook-GroupCheck.pl"
    </AuthBy>

    <AuthBy LDAP2>
        Host 1.2.2.4
        Port 3268
        AuthDN %{LDAPDN:%U}@example.com
        AuthPassword %P
        Timeout 5
        FailureBackoffTime 600
        BaseDN ou=example users,dc=example,dc=com
        Scope sub
        ServerChecksPassword
        UnbindAfterServerChecksPassword
        UsernameAttr sAMAccountName
        AuthAttrDef logonHours,MS-Login-Hours,check
        # Get user group memberships from this attribute
        GroupMembershipAttr memberOf
        # This post search hook performs the magic that
        # matches a user, group and device and sets reply
        # attributes.
        PostSearchHook file:"%D/hooks/PostSearchHook-GroupCheck.pl"
    </AuthBy>

    <AuthBy RADIUS>
        # Reset the user-password to something incorrect
        ForwardHook file:"%D/hooks/ForwardHook-ReplacePassword.pl"
        # Append a Filter-ID and host name
        AddToRequestIfNotExist Calling-Station-Id=1,Login-IP-Host=%h
        # Same secret and timeout for all hosts
        Secret MyDuoSecret
        RetryTimeout 60
        Host duo-server1.example.com
        Host duo-server2.example.com
        AuthPort 1815
    </AuthBy>

    <AcctLog FILE>
        Filename %L/%Y%m%d_accounting.log
        OutputFormat json
    </AcctLog>
</Handler>
_______________________________________________ radiator mailing list radiator@lists.open.com.au https://lists.open.com.au/mailman/listinfo/radiator