Re: Multiple LDAP (Not failover) lookup...

2006-11-09 Thread Eric Martell
Thanks Alan.
  I figured it out. It should be

ldap2 {
   notfound = reject
}

as ldap2 is returning a notfound status.

Thanks so much again.


--- Alan DeKok [EMAIL PROTECTED] wrote:

> Eric Martell [EMAIL PROTECTED] wrote:
> > Thanks so much Neal. You got it 95% right. The problem
> > is FreeRadius always authorizes first (no matter what
> > the order in radiusd.conf is) and then authenticates.
>
>   Yes, that's how the server works.
>
> > (This authorize should break the sequence and
> > return FAIL. I tried ldap2 { fail = return } but no
> > help...still returns notfound )
>
>   See doc/configurable_failover.  You may want:
>
> ...
>   ldap2 {
>     fail = reject
>   }
> ...
>
> > Technically it should authenticate and then authorize
> > and send the group response (AND) of both.
>
>   Then... configure it to do that.  The default behavior is that a
> notfound error is NOT fatal, because another module or database may
> find the user.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> --
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Multiple LDAP (Not failover) lookup...

2006-11-07 Thread Eric Martell
Hi...
   I need to do multiple ldap lookups (2). The
purposes of the two ldaps are different, so it does not
quite fit the configurable_failover scenario.

ldap1.
  This ldap is solely used for authentication of a
given user.

ldap2.
  This ldap is solely used for checking an ldap attribute,
e.g. productCode, for a given user.

The user exists in BOTH ldaps, but in ldap2 we don't
store the password hash. So it's just the userid with the
given attributes.

Here is what should happen for a given user.

If (authentication in ldap1 succeeds) {
    if (productCode attribute exists in ldap2) {
        return Access-Accept.
    } else {
        return Access-Reject.
    }
} else {
    return Access-Reject.
}

Any inputs will be greatly appreciated.

Thanks in advance.



RE: Multiple LDAP (Not failover) lookup...

2006-11-07 Thread Garber, Neal
> If (authentication in ldap1 succeeds) {

Use ldap1 in the authenticate stage of radiusd.conf

>    if (productCode attribute exists in ldap2) {

Use ldap2 in the authorize stage of radiusd.conf

Authorize is performed first in FreeRadius (you show authenticate
first), but it shouldn't matter for what you're trying to do.
Configure ldap.attrmap to obtain the productCode attribute.



RE: Multiple LDAP (Not failover) lookup...

2006-11-07 Thread Eric Martell
Thanks so much Neal. You got it 95% right. The problem
is FreeRadius always authorizes first (no matter what
the order in radiusd.conf is) and then authenticates.

authorize {
   .
   .
   .
   ldap2
}

authenticate {
   .
   .
   .
   ldap1 
}

So if the user fails in ldap2, module ldap2 returns
notfound for request user xyz and thus continues to the
authentication module.

(This authorize should break the sequence and
return FAIL. I tried ldap2 { fail = return } but no
help...still returns notfound )

And the same user in ldap1 returns ok for request user
xyz in authentication.

Finally FreeRadius returns Sending Access-Accept
(status of ldap1 auth) to the request.

Technically it should authenticate and then authorize
and send the group response (AND) of both.

Please let me know.
Thanks in advance.



--- Garber, Neal [EMAIL PROTECTED] wrote:

> > If (authentication in ldap1 succeeds) {
>
> Use ldap1 in the authenticate stage of radiusd.conf
>
> >    if (productCode attribute exists in ldap2) {
>
> Use ldap2 in the authorize stage of radiusd.conf
>
> Authorize is performed first in FreeRadius (you show
> authenticate first), but it shouldn't matter for what you're
> trying to do.
> Configure ldap.attrmap to obtain the productCode
> attribute.


Re: Multiple LDAP (Not failover) lookup...

2006-11-07 Thread Alan DeKok
Eric Martell [EMAIL PROTECTED] wrote:
> Thanks so much Neal. You got it 95% right. The problem
> is FreeRadius always authorizes first (no matter what
> the order in radiusd.conf is) and then authenticates.

  Yes, that's how the server works.

> (This authorize should break the sequence and
> return FAIL. I tried ldap2 { fail = return } but no
> help...still returns notfound )

  See doc/configurable_failover.  You may want:

...
  ldap2 {
    fail = reject
  }
...

> Technically it should authenticate and then authorize
> and send the group response (AND) of both.

  Then... configure it to do that.  The default behavior is that a
notfound error is NOT fatal, because another module or database may
find the user.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
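To make the return-code handling discussed in this thread concrete, here is a constructed model (added here, not FreeRADIUS's own code) of the per-module actions described in doc/configurable_failover: it shows why `ldap2 { fail = return }` had no effect on a notfound result while `ldap2 { notfound = reject }` ends the request. The default action table, the sample directory contents and the user names are assumptions.

```python
# Constructed illustration (not FreeRADIUS's own code) of the per-module return-code
# actions described in doc/configurable_failover: every module returns a code such as
# ok, notfound or fail, and the action configured for that code decides whether the
# section keeps going, returns, or rejects.
from typing import Callable, Dict, List, Optional, Tuple, Union

RETURN, REJECT = "return", "reject"
Action = Union[int, str]

# Assumed default action table: codes mapped to an integer keep the section running
# (the integer is a priority, as in the real syntax); notfound and fail are NOT fatal
# by default, which is exactly the behaviour the thread describes.
DEFAULT_ACTIONS: Dict[str, Action] = {
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4, "fail": 1,
    "reject": RETURN, "invalid": RETURN, "userlock": RETURN,
}

Module = Tuple[str, Callable[[], str]]
Overrides = Dict[str, Dict[str, Action]]   # {"ldap2": {"notfound": "reject"}}

def run_section(modules: List[Module], overrides: Optional[Overrides] = None) -> str:
    """Evaluate one section (authorize or authenticate) and return its final code."""
    overrides = overrides or {}
    result, priority = "noop", 0
    for name, module in modules:
        rcode = module()
        action = overrides.get(name, {}).get(rcode, DEFAULT_ACTIONS[rcode])
        if action == REJECT:              # e.g. ldap2 { notfound = reject }
            return "reject"
        if action == RETURN:              # stop the section, keep this module's code
            return rcode
        if action > priority:             # numeric: keep going, remember the best code
            result, priority = rcode, action
    return result

def handle_request(user: str, password: str, ldap1: Dict[str, str],
                   ldap2: Dict[str, Dict[str, str]], overrides: Optional[Overrides] = None) -> str:
    """authorize always runs first, then authenticate; a reject in either ends the request."""
    # ldap2 holds no password hash: in authorize it only reports whether the user exists.
    authorize: List[Module] = [("ldap2", lambda: "ok" if user in ldap2 else "notfound")]
    # ldap1 is the only store that can check the password.
    authenticate: List[Module] = [("ldap1", lambda: "ok" if ldap1.get(user) == password else "reject")]
    if run_section(authorize, overrides) == "reject":
        return "Access-Reject"
    return "Access-Accept" if run_section(authenticate, overrides) == "ok" else "Access-Reject"

# Constructed sample directories (assumed): xyz exists only in ldap1, abc exists in both.
LDAP1 = {"xyz": "secret", "abc": "hunter2"}
LDAP2 = {"abc": {"productCode": "P-100"}}
```

With no override, a user missing from ldap2 still gets Access-Accept from ldap1, the symptom reported in the thread; only the notfound override turns that into Access-Reject.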