Hi there,

I have a handler (as shown below) that was performing an LDAP lookup for a userid, then stripping the password and handing off to a duo RADIUS proxy that would then take care of MFA.

However, one day I switched my LDAP server off, which caused a bit of chaos ;-) No problem, let's put another LDAP server in and change the 'ContinueWhileAccept' to control the policy to something else.

What I am trying to do optimally is:

Try LDAP entry 1, if this passes, jump to MFA, if this passes then return accept
If LDAP 1 returns reject, then return reject.
HOWEVER
If LDAP entry 1 fails with a timeout, try LDAP entry 2, if this passes jump to MFA if this passes then return reject
If LDAP 2 returns a reject then return reject

I'm unsure how to do this though; it would be like:

Policy = ContinueWhileAccept
(Do LDAP Group)
Do RADIUS group

LDAP Group
  Policy = ContinuewhileIgnore
  Do LDAP 1
  Do LDAP 2

Is it possible to perform nested auth policies like this?

Thanks in advance..

-- handler config --
<Handler User-Name=/^username\d*/>
        RewriteUsername         tr/A-Z/a-z/
        RewriteUsername         s/^([^@]+).*/$1/
        PreAuthHook file:"%D/hooks/PreAuthHook-PasswordDebug.pl"
        AuthByPolicy            ContinueWhileIgnore

        <AuthBy LDAP2>
                Host                    1.2.3.4
                Port                    3268

                AuthDN                  %{LDAPDN:%U}@example.com
                AuthPassword            %P
                Timeout                 5
                FailureBackoffTime      600
                BaseDN                  ou=example users,dc=example,dc=com
                Scope                   sub
                ServerChecksPassword
                UnbindAfterServerChecksPassword
                UsernameAttr            sAMAccountName
                AuthAttrDef logonHours,MS-Login-Hours,check

                # Get user group memberships from this attribute
                GroupMembershipAttr     memberOf

                # This post search hook performs the magic that
                # matches a user, group and device and sets reply
                # attributes.
                PostSearchHook file:"%D/hooks/PostSearchHook-GroupCheck.pl"
        </AuthBy>
        <AuthBy LDAP2>
                Host                    1.2.2.4
                Port                    3268

                AuthDN                  %{LDAPDN:%U}@example.com
                AuthPassword            %P
                Timeout                 5
                FailureBackoffTime      600
                BaseDN                  ou=example users,dc=example,dc=com
                Scope                   sub
                ServerChecksPassword
                UnbindAfterServerChecksPassword
                UsernameAttr            sAMAccountName
                AuthAttrDef logonHours,MS-Login-Hours,check

                # Get user group memberships from this attribute
                GroupMembershipAttr     memberOf

                # This post search hook performs the magic that
                # matches a user, group and device and sets reply
                # attributes.
                PostSearchHook file:"%D/hooks/PostSearchHook-GroupCheck.pl"
        </AuthBy>
        <AuthBy RADIUS>
                # Reset the user-password to something incorrect
                ForwardHook file:"%D/hooks/ForwardHook-ReplacePassword.pl"
                # Append a Filter-ID and host name
                AddToRequestIfNotExist Calling-Station-Id=1,Login-IP-Host=%h
                # Same secret and timeout for all hosts
                Secret MyDuoSecret
                RetryTimeout 60
                Host duo-server1.example.com
                Host duo-server2.example.com
                AuthPort 1815
        </AuthBy>
        <AcctLog FILE>
                Filename                %L/%Y%m%d_accounting.log
                OutputFormat            json
        </AcctLog>
</Handler>

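The nested structure sketched in the post, written out as an added example Radiator config (not from the original post or from Radiator's own documentation). It assumes that AuthBy GROUP honours its own AuthByPolicy, and that AuthBy LDAP2 returns IGNORE rather than REJECT on a connection timeout or while in FailureBackoffTime; both should be confirmed in the Radiator log at Trace 4 before relying on the failover. The rewrite, hook and accounting lines from the posted handler carry over unchanged and are left out here for brevity.

```apacheconf
<Handler User-Name=/^username\d*/>
        # Outer policy: stop at the first non-ACCEPT. ACCEPT from the
        # LDAP group moves on to the Duo proxy; REJECT ends the request.
        # If every LDAP server is down the group returns IGNORE and no
        # reply is sent, so the NAS sees a RADIUS timeout (assumed).
        AuthByPolicy            ContinueWhileAccept

        <AuthBy GROUP>
                # Inner policy: only IGNORE (assumed to be what LDAP2
                # returns on a connect timeout or during backoff) falls
                # through to server 2; ACCEPT or REJECT from 1 is final.
                AuthByPolicy    ContinueWhileIgnore

                <AuthBy LDAP2>
                        Host                    1.2.3.4
                        Port                    3268
                        AuthDN                  %{LDAPDN:%U}@example.com
                        AuthPassword            %P
                        Timeout                 5
                        FailureBackoffTime      600
                        BaseDN                  ou=example users,dc=example,dc=com
                        Scope                   sub
                        ServerChecksPassword
                        UsernameAttr            sAMAccountName
                </AuthBy>
                <AuthBy LDAP2>
                        # Same settings as server 1 apart from the address
                        Host                    1.2.2.4
                        Port                    3268
                        AuthDN                  %{LDAPDN:%U}@example.com
                        AuthPassword            %P
                        Timeout                 5
                        FailureBackoffTime      600
                        BaseDN                  ou=example users,dc=example,dc=com
                        Scope                   sub
                        ServerChecksPassword
                        UsernameAttr            sAMAccountName
                </AuthBy>
        </AuthBy>

        <AuthBy RADIUS>
                # Second factor: replace the password and forward to Duo
                ForwardHook file:"%D/hooks/ForwardHook-ReplacePassword.pl"
                Secret MyDuoSecret
                RetryTimeout 60
                Host duo-server1.example.com
                AuthPort 1815
        </AuthBy>
</Handler>
```

With FailureBackoffTime set, a server that timed out is skipped (and expected to return IGNORE) for 600 seconds, so the second server is tried immediately on later requests rather than after another 5 second wait.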
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator