Re: authenticating multiple modules?

2007-03-14 Thread Alan DeKok
Tim Tyler wrote:
> Alan, Ivan,
>Thanks!  Between both of your comments, I was able to put two and 
> two together and get both modules working.  I would never have 
> guessed that one needs to create the groups in the passwd module.  It 
> simply isn't intuitive to use the passwd  module for doing this.  One 
> would think that each module (unix and ldap in my case) could work in 
> tandem.

  What does that mean?  i.e. You want them to work in tandem in a
certain way... others want something different.

  That being said, in the CVS head (soon to be 2.0, I hope), the modules
are much better at "just figuring it out".  In 2.0, you will likely have
to do much less configuration to get it to work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: authenticating multiple modules?

2007-03-14 Thread Tim Tyler
Alan, Ivan,
   Thanks!  Between both of your comments, I was able to put two and 
two together and get both modules working.  I would never have 
guessed that one needs to create the groups in the passwd module.  It 
simply isn't intuitive to use the passwd  module for doing this.  One 
would think that each module (unix and ldap in my case) could work in 
tandem.  Anyway, it seems to be working with these two passwd modules:

passwd staff {
 filename = /etc/raddb/unixusers
 format = "*User-Name"
 authtype = unix
 }
passwd students {
 filename = /etc/raddb/ldapusers
 format = "*User-Name"
 authtype = ldap
 }

Thanks!
Tim


Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED] 




Re: authenticating multiple modules?

2007-03-13 Thread Alan DeKok
Tim Tyler wrote:
> Ivan, or others,
>Ok, I can't seem to find documentation on 
> this.  If I don't use the users file, I presume I 
> should create the groups in the radiusd.conf 
> file.  How does one create a group for Students 
> and Staff (syntax)?

  "man rlm_passwd"

>  Can I assign Auth-Type = 
> System for Staff and Auth-Type = LDAP for Staff 
> and have a request against both groups?

 Yes.

>  Note,
> there is no way ahead of time to distinguish 
> between a user that is staff or student.  So I 
> need the solution to first check the system file and then check against ldap.

  No.

  I presume you don't have the same username for a staff & student.  In
that case, you can do LDAP lookups to see if they're in LDAP.  If so,
use LDAP.  If not, they should be in /etc/passwd.

  Alan DeKok.


Re: authenticating multiple modules?

2007-03-13 Thread Tim Tyler
Ivan,
   No unfortunately it doesn't work that way, 
though I wish it did because that would be 
easy.  I can't get system to authenticate with 
that config which works fine if I comment out the ldap line.
   Alan Dekok mentioned this:
" pull the password from LDAP, and let the server decide how
the user should be authenticated.

   You could also set Auth-Type *conditionally*, if the user was in one
group or another."

However, I am not able to find examples of how to 
get his suggestions to work yet.  I saw someone 
else trying to set up groups in the huntgroup so 
maybe I should investigate that route more.  But 
I don't have particular nas's to group by so I am 
not sure how to group things.  When a request 
comes in from different sources, it's random as to 
whether it will be a staff or student.  I just 
need the solution to query both the system and ldap for authentication.

Tim


Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED] 





Re: authenticating multiple modules?

2007-03-12 Thread tnt
Hi Tim,

No "others" so I'll try.

I assume that it should work like this:

DEFAULT   Auth-Type := System
 Fall-Through = Yes

DEFAULT   Auth-Type := LDAP

I think that users will be checked against the system first and if not
found against LDAP. Take this with a pinch of salt - I never used users
file, System or LDAP, only MySQL.

Ivan Kalik
Kalik Informatika ISP
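
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of why the two `DEFAULT` entries above end with Auth-Type LDAP for every user (the second `:=` replaces the first once the entry falls through), beside the per-user selection that the two `passwd` instances from the 2007-03-14 follow-up give. The function names and the sample user lists are constructed for illustration.

```python
# Simplified model of Auth-Type selection; an illustration, not FreeRADIUS code.

def users_file_auth_type(entries, username):
    """Walk users-file entries top to bottom.

    Each entry is (name, auth_type, fall_through). ':=' replaces any value
    already set; processing stops at the first match unless Fall-Through = Yes.
    """
    auth_type = None
    for name, value, fall_through in entries:
        if name not in ("DEFAULT", username):
            continue
        auth_type = value            # ':=' overwrites the earlier Auth-Type
        if not fall_through:
            break
    return auth_type


def load_keys(text):
    """Parse a file in format "*User-Name": one key (user name) per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def passwd_auth_types(instances, username):
    """Return the authtype of every passwd instance whose file lists the user.

    Exactly one element is the intended case; an empty list or two elements
    means the user lists need fixing (user missing, or present in both).
    """
    return [authtype for keys, authtype in instances if username in keys]


# The two DEFAULT entries proposed in this post.
SUGGESTED = [("DEFAULT", "System", True), ("DEFAULT", "LDAP", False)]

# Constructed sample contents for /etc/raddb/unixusers and /etc/raddb/ldapusers.
STAFF = load_keys("alice\nbob\n")
STUDENTS = load_keys("carol\n\ndave\n")
INSTANCES = [(STAFF, "unix"), (STUDENTS, "ldap")]

if __name__ == "__main__":
    for user in ("alice", "carol", "mallory"):
        print(user, users_file_auth_type(SUGGESTED, user),
              passwd_auth_types(INSTANCES, user))
```

A user in neither list gets no Auth-Type from these two instances, and a user in both gets two candidates, so checking the lists for gaps and overlap is worth doing before relying on them.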





Re: authenticating multiple modules?

2007-03-12 Thread Tim Tyler
Ivan, or others,
   Ok, I can't seem to find documentation on 
this.  If I don't use the users file, I presume I 
should create the groups in the radiusd.conf 
file.  How does one create a group for Students 
and Staff (syntax)?  Can I assign Auth-Type = 
System for Staff and Auth-Type = LDAP for Staff 
and have a request against both groups?  Note, 
there is no way ahead of time to distinguish 
between a user that is staff or student.  So I 
need the solution to first check the system file and then check against ldap.
   Is there an example configuration somewhere I 
can follow that authenticates against a system file and ldap?

Tim



Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED] 





Re: authenticating multiple modules?

2007-03-12 Thread Alan DeKok
Tim Tyler wrote:
> Freeradius experts,
> I want to use one freeradius server to authenticate against a 
> system file for students and against ldap for faculty/staff.  I can 
> get the system file to work alone.  I can get the ldap module to work 
> alone.  But I can't seem to find a way to get both of them to work 
> together.  If I set DEFAULT Auth-Type = System in the users file, it 
> authenticates the system files.  If I set it to ldap, it 
> authenticates to ldap.

  Which is why we recommend not using Auth-Type.  Almost everyone uses
it wrong.

>  If I put both in the users file, it 
> authenticates ldap users only.

  See "man rlm_users" for why.  It's doing what you tell it to do, not
what you expect it to do.

>  How do I allow both unix and ldap 
> modules to authenticate their respective users?   Note: users are 
> unique to each module.  A user in unix does not exist in ldap and vice versa.

  Don't authenticate people via LDAP.  LDAP isn't an authentication
server.  It's a database.

  Instead, pull the password from LDAP, and let the server decide how
the user should be authenticated.

  You could also set Auth-Type *conditionally*, if the user was in one
group or another.

  Alan DeKok.


Re: authenticating multiple modules?

2007-03-09 Thread tnt
Don't put Auth-Type in users file. Make groups Students and Staff,
assign users to them and put the Auth-Type you want for that group as
group check item.

Ivan Kalik
Kalik Informatika ISP





Re: authenticating multiple modules?

2007-03-09 Thread tnt
On 9/3/2007, "Tim Tyler" <[EMAIL PROTECTED]> wrote:

>Freeradius experts,
>I want to use one freeradius server to authenticate against a
>system file for students and against ldap for faculty/staff.  I can
>get the system file to work alone.  I can get the ldap module to work
>alone.  But I can't seem to find a way to get both of them to work
>together.  If I set DEFAULT Auth-Type = System in the users file, it
>authenticates the system files.  If I set it to ldap, it
>authenticates to ldap.  If I put both in the users file, it
>authenticates ldap users only.  How do I allow both unix and ldap
>modules to authenticate their respective users?   Note: users are
>unique to each module.  A user in unix does not exist in ldap and vice versa.
>
>
>
>Tim Tyler
>Network Engineer - Beloit College
>[EMAIL PROTECTED]