Re: proxying / realms / users file
Hello Alan, thanks for your help all the time. Proxying works fine now.

Alan DeKok wrote:
> Benedikt Panzer wrote:
>> I tried with this users file:
>>
>>     DEFAULT Auth-Type := LDAP
>>     DEFAULT Proxy-To-Realm := "students"
>
> You're telling the server to use LDAP *always*, and to *never* proxy
> the request. Please read the "man" page for the "users" file.

Ok, I assume that a request isn't proxied if its Auth-Type is set to LDAP. To prevent this, I could delete the first line and just write:

    DEFAULT Proxy-To-Realm := "students"

Then the ldap module is still queried (and returns ok - that's fine) but all requests are forwarded. However, I want to forward only those users that are not in the LDAP.

I also thought about the modifiers I used and also tried different ones. That doesn't seem to be the problem.

Is there any check item I could use to constrain the forwarding? I think of an attribute that is set when ldap was able to authenticate the user. I tried:

    DEFAULT Auth-Type != LDAP, Proxy-To-Realm := "students"

This doesn't change anything. Auth-Type doesn't seem to be set by the ldap module.

I'm still not sure whether Fall-Through could help in this situation. The documentation says:

    The entries are processed in order, from the top of the users file, on
    down. If an entry [matches and] contains the special item Fall-Through = No
    as a reply attribute, then the processing of the file stops, and no more
    entries are matched.

Does this mean that only the check items have to match, or that e.g. the user also has to exist in the LDAP? Anyway, this users file didn't work any better than those above:

    DEFAULT Auth-Type = LDAP
            Fall-Through = Yes
    DEFAULT Proxy-To-Realm := "students"

By searching the mailing list I found a hint about failover configuration and spent almost a day reading and trying this. But now I think that doesn't help to reach my aim. Or does it?

(Nevertheless I was really impressed by the power and flexibility of the authorize and authenticate sections in radius.conf. That's really great - if you need it ;-)

Cheers,
Benedikt
Re: proxying / realms / users file
Benedikt Panzer [EMAIL PROTECTED] wrote:
> Ok, I assume that a request isn't proxied if its Auth-Type is set to
> LDAP. To prevent this, I could delete the first line and just write:
>
>     DEFAULT Proxy-To-Realm := students
>
> Then the ldap module is still queried

For the *authorize* section, not for *authentication*.

>     DEFAULT Auth-Type != LDAP, Proxy-To-Realm := students

You're still confusing authorize with authenticate.

You can use doc/configurable_failover to say authorize via ldap, and if it returns notfound, then use files:

    authorize {
        ...
        group {
            ldap {
                ok = return
                notfound = 1
            }
            files
        }
        ...
    }

> I'm still not sure whether Fall-Through could help in this situation.

No. Fall-Through is ONLY for the users file.

> By searching the mailing list I found a hint about failover
> configuration and spent almost a day reading and trying this. But now
> I think that doesn't help to reach my aim. Or does it?
>
> (Nevertheless I was really impressed by the power and flexibility of
> the authorize and authenticate sections in radius.conf. That's really
> great - if you need it ;-)

Many people do, which is why it's there.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
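As an added illustration (assembled here, not quoted from either poster), this is how the three pieces Alan refers to fit together so that only users the ldap module cannot find are proxied. It assumes a working ldap module instance, the realm name "students" and the home server "uml1" quoted elsewhere in this thread, and a placeholder shared secret.

```conf
# radiusd.conf, authorize section (added example, not from the thread).
# The group runs its modules in order.  When ldap returns "ok" the group
# returns at once, so "files" never runs, Proxy-To-Realm is never set and
# the request is handled locally.  When ldap returns "notfound" the group
# continues with "files", which reads the users file below.
authorize {
    ...
    group {
        ldap {
            ok       = return   # user exists in LDAP: stop here, no proxying
            notfound = 1        # user unknown to LDAP: go on to "files"
        }
        files
    }
    ...
}

# users file: only consulted for users ldap did not find, so this DEFAULT
# entry marks exactly the unknown users for proxying.  No Auth-Type is
# forced here; as Alan notes, "Auth-Type := LDAP" would keep the request
# local and defeat the proxy.
DEFAULT Proxy-To-Realm := "students"

# proxy.conf: home server for the realm named above (host as quoted in
# the thread; the secret is a placeholder, not a real value).
realm students {
    type     = radius
    authhost = uml1:1812
    accthost = uml1:1813
    secret   = SHARED_SECRET_PLACEHOLDER
}
```

With radiusd -X, a user found in LDAP should show the ldap module returning ok and no Proxy-To-Realm being set, while an unknown user should show files adding Proxy-To-Realm and the request being sent to uml1.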
proxying / realms / users file
Hello once more, I don't want to annoy you, hopefully I'm getting closer...

Alan DeKok wrote:
>> Is local or system the correct value to forward requests by using
>> realm NULL?
>
> Neither.

First, is the realm NULL the preferred method to forward requests to another radius server? If so, I still need to figure out how to use it. After searching the mailing list archive I found a hint:

    DEFAULT Proxy-To-Realm := foo.com

Is that how it works? Not with any Auth-Type? Does this also work if the username doesn't contain that realm?

I tried with this users file:

    DEFAULT Auth-Type := LDAP
    DEFAULT Proxy-To-Realm := students

and this proxy.conf:

    realm students {
        type = radius
        authhost = uml1:1812
        accthost = uml1:1813
        secret = hidden
    }

But then no requests are forwarded. The output of radiusd -X just shows

    rlm_realm: No '@' in User-Name = ben1812, looking up realm NULL
    rlm_realm: No such realm NULL

which is correct, of course.

But if I use this configuration...

    DEFAULT Auth-Type := LDAP
    DEFAULT Proxy-To-Realm := NULL

and this proxy.conf:

    realm NULL {
        type = radius
        authhost = uml1:1812
        accthost = uml1:1813
        secret = hidden
    }

... FR forwards all requests and rejects users that are in the local ldap. (That's my very problem.) Just like without Proxy-To-Realm.

Apart from that, the doc file proxy says that the users file is being processed after the proxying. Does this mean that I don't have to configure the proxying in the users file at all?

If I'm completely wrong again, could you please give me hints where to search or what to look for?

Thanks for your patience and helpfulness.

Benedikt Panzer
Re: proxying / realms / users file
Benedikt Panzer [EMAIL PROTECTED] wrote:
> First, is the realm NULL the preferred method to forward requests to
> another radius server?

That depends on your system.

> If so, I still need to figure out how to use it. After searching the
> mailing list archive I found a hint:
>
>     DEFAULT Proxy-To-Realm := foo.com
>
> Is that how it works? Not with any Auth-Type?

Yes. The home server authenticates the user. FreeRADIUS *could* have Auth-Type = Proxy, but that would be pointless.

> Does this also work if the username doesn't contain that realm?

Yes.

> I tried with this users file:
>
>     DEFAULT Auth-Type := LDAP
>     DEFAULT Proxy-To-Realm := students

You're telling the server to use LDAP *always*, and to *never* proxy the request. Please read the man page for the users file.

> But if I use this configuration...
>
>     DEFAULT Auth-Type := LDAP
>     DEFAULT Proxy-To-Realm := NULL
>
> and this proxy.conf:
>
>     realm NULL {
>         type = radius
>         authhost = uml1:1812
>         accthost = uml1:1813
>         secret = hidden
>     }
>
> ... FR forwards all requests and rejects users that are in the local
> ldap. (That's my very problem.) Just like without Proxy-To-Realm.

At this point, I don't believe you. Or, the configuration you quoted above is NOT what you're actually running. You've re-typed it, rather than quoting it, and what you've posted here is NOT what is running in your server. If you don't describe your system accurately, it's impossible to help you.

> Apart from that, the doc file proxy says that the users file is being
> processed after the proxying. Does this mean that I don't have to
> configure the proxying in the users file at all?

No.

Alan DeKok.