Re: proxying / realms / users file

2004-09-02 Thread Benedikt Panzer

Hello Alan,

thanks for your help all the time. Proxying works fine now.

Alan DeKok wrote:

  Benedikt Panzer wrote:

    I tried with this users file:
    DEFAULT Auth-Type := LDAP
    DEFAULT Proxy-To-Realm := "students"

  You're telling the server to use LDAP *always*, and to *never* proxy
  the request.  Please read the "man" page for the "users" file.


Ok, I assume that a request isn't proxied if its Auth-Type is set to
ldap. To prevent this, I could delete the first line and just write:
DEFAULT Proxy-To-Realm := "students"
Then the ldap module is still queried (and returns ok - that's fine)
but all requests are forwarded. However, I want to forward only those
users that are not in the ldap. I also thought about the modifiers I
used and also tried different ones. That doesn't seem to be the
problem.

Is there any check item I could use to constrain the forwarding? I
think of an attribute that is set when ldap was able to authenticate the
user. I tried:
DEFAULT Auth-Type != LDAP, Proxy-To-Realm := "students"
This doesn't change anything. Auth-Type doesn't seem to be set by the
ldap module.


I'm still not sure whether Fall-Through could help in this situation.
The documentation says:
    The entries are processed in order, from the top of the users file,
    on down. If an entry [matches and] contains the special item
    Fall-Through = No as a reply attribute, then the processing of the
    file stops, and no more entries are matched.
Does this mean that only the check items have to match or that e.g.
the user has also to exist in the ldap?
Anyway, this users file didn't work any better than those above:
DEFAULT Auth-Type = LDAP
        Fall-Through = Yes
DEFAULT Proxy-To-Realm := "students"

By searching the mailing list I found a hint about failover
configuration and spent almost a day with reading and trying this. But
now I think that doesn't help to reach my aim. Or does it?
(Nevertheless I was really impressed by the power and flexibility of
the authorize and authenticate sections in radius.conf. That's really
great - if you need it ;-)

Cheers, Benedikt


Re: proxying / realms / users file

2004-09-02 Thread Alan DeKok
Benedikt Panzer [EMAIL PROTECTED] wrote:
 Ok, I assume that a request isn't proxied if its Auth-Type is set to
 ldap. To prevent this, I could delete the first line and just write:

 DEFAULT Proxy-To-Realm := students

 Then the ldap module is still queried

  For the *authorize* section, not for *authentication*.

 DEFAULT Auth-Type != LDAP, Proxy-To-Realm := students

  You're still confusing authorize with authenticate.

  You can use doc/configurable_failover to say authorize via ldap,
and if it returns notfound, then use files

authorize {
	...
	group {
		ldap {
			ok = return
			notfound = 1
		}
		files
	}
	...
}

 I'm still not sure whether Fall-Through could help in this situation. 

  No.  Fall-Through is ONLY for the users file.

 By searching the mailing list I found a hint about failover
 configuration and spent almost a day with reading and trying this. But
 now I think that doesn't help to reach my aim. Or does it? (Nevertheless
 I was really impressed by the power and flexibility of the authorize and
 authenticate sections in radius.conf. That's really great - if you need
 it ;-)

  Many people do, which is why it's there.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


proxying / realms / users file

2004-08-31 Thread Benedikt Panzer
Hello once more,
I don't want to annoy you, hopefully I'm getting closer...
Alan DeKok wrote:

    Is local or system the correct value to forward requests by
    using realm NULL?

  Neither.


First, is the realm NULL the preferred method to forward requests to 
another radius server?
If so, I still need to figure out how to use it. After searching the 
mailing list archive I found a hint:
DEFAULT Proxy-To-Realm := foo.com
Is that how it works? Not with any Auth-Type?
Does this also work if the username doesn't contain that realm?

I tried with this users file:
    DEFAULT Auth-Type := LDAP
    DEFAULT Proxy-To-Realm := students
and this proxy.conf:
    realm students {
        type     = radius
        authhost = uml1:1812
        accthost = uml1:1813
        secret   = hidden
    }
But then no requests are forwarded. The output of radiusd -X just shows
    rlm_realm: No '@' in User-Name = ben1812, looking up realm NULL
    rlm_realm: No such realm NULL
which is correct, of course.
But if I use this configuration...
    DEFAULT Auth-Type := LDAP
    DEFAULT Proxy-To-Realm := NULL
and this proxy.conf:
    realm NULL {
        type     = radius
        authhost = uml1:1812
        accthost = uml1:1813
        secret   = hidden
    }
... FR forwards all requests and rejects users that are in the local
ldap. (That's my very problem.) Just like without Proxy-To-Realm.

Apart from that, the doc file proxy says that the users file is being 
processed after the proxying. Does this mean that I don't have to 
configure the proxying in the users file at all?
If I'm completely wrong again could you please give me hints where to 
search or what to look for?

Thanks for your patience and helpfulness.
Benedikt Panzer



Re: proxying / realms / users file

2004-08-31 Thread Alan DeKok
Benedikt Panzer [EMAIL PROTECTED] wrote:
 First, is the realm NULL the preferred method to forward requests to 
 another radius server?

  That depends on your system.

 If so, I still need to figure out how to use it. After searching the 
 mailing list archive I found a hint:
 DEFAULT Proxy-To-Realm := foo.com
 Is that how it works? Not with any Auth-Type?

  Yes.  The home server authenticates the user.  FreeRADIUS *could*
have Auth-Type = Proxy, but that would be pointless.

 Does this also work if the username doesn't contain that realm?

  Yes.

 I tried with this users file:
 DEFAULT Auth-Type := LDAP
 DEFAULT Proxy-To-Realm := students

  You're telling the server to use LDAP *always*, and to *never* proxy
the request.  Please read the man page for the users file.

 But if I use this configuration...
 DEFAULT Auth-Type := LDAP
 DEFAULT Proxy-To-Realm := NULL
 and this proxy.conf:
 realm NULL {
     type     = radius
     authhost = uml1:1812
     accthost = uml1:1813
     secret   = hidden
 }
 ... FR forwards all requests and rejects users that are in the local 
 ldap. (That's my very problem.) Just like without Proxy-To-Realm.

  At this point, I don't believe you.  Or, the configuration you
quoted above is NOT what you're actually running.  You've re-typed it,
rather than quoting it, and what you've posted here is NOT what is
running in your server.

  If you don't describe your system accurately, it's impossible to
help you.

 Apart from that, the doc file proxy says that the users file is being 
 processed after the proxying. Does this mean that I don't have to 
 configure the proxying in the users file at all?

  No.

  Alan DeKok.


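Putting Alan's authorize/group answer together with the users file and proxy.conf fragments from the 31 August messages, here is an added, complete example of the configuration the thread converges on: authorize via ldap, and proxy only the users ldap does not find. It is my example, not code from the thread or from the FreeRADIUS documentation. It assumes the FreeRADIUS 1.x configurable_failover syntax, module instances named ldap and files as in the thread, that rlm_ldap returns ok for a user it finds and notfound for one it does not and sets Auth-Type := LDAP for the found user, and it reuses the host uml1 from the thread; the shared secret is a placeholder.

```conf
# --- radiusd.conf, authorize section -------------------------------------
# Configurable failover (FreeRADIUS 1.x syntax, assumed).  The group asks
# rlm_ldap first; a user rlm_ldap finds ends the group, a user it does not
# find falls through to the files module.
authorize {
	group {
		ldap {
			ok       = return   # user exists in LDAP: leave the group, no proxying
			notfound = 1        # user not in LDAP: continue with the next module
		}
		files                   # only users rlm_ldap did not find get here
	}
}

# --- radiusd.conf, authenticate section ----------------------------------
# Assumption: rlm_ldap set Auth-Type := LDAP for the users it found above,
# so those users are authenticated locally.
authenticate {
	Auth-Type LDAP {
		ldap
	}
}

# --- users file ----------------------------------------------------------
# Only reached for users not in LDAP, so this DEFAULT entry proxies exactly
# those.  Proxy-To-Realm is a check item, so it stays on the DEFAULT line.
DEFAULT	Proxy-To-Realm := "students"

# --- proxy.conf ----------------------------------------------------------
# Home server for the "students" realm.  uml1 is the host from the thread;
# the secret is a placeholder and must be replaced with a long random value.
realm students {
	type     = radius
	authhost = uml1:1812
	accthost = uml1:1813
	secret   = REPLACE_WITH_LONG_RANDOM_SECRET
}
```

Two points worth checking against radiusd -X output with this layout. First, no realm NULL is defined on purpose: as the debug lines in the thread show, rlm_realm looks up realm NULL for names without an '@', and defining it would proxy everyone, which is exactly the behaviour Benedikt saw; here Proxy-To-Realm is set explicitly by the users file instead. Second, the decision of who gets proxied rests entirely on the ldap return code, so a directory outage (fail rather than notfound) does not send users to the home server, and the home server's secret and reachability gate every user the directory does not know.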