On Tue, 2002-03-12 at 09:36, Dan Perik wrote:
> On Tue, 2002-03-12 at 01:29, Alan DeKok wrote:
> > Dan Perik <[EMAIL PROTECTED]> wrote:
> > > Now, I'd like to extend that and allow FreeRadius to also try SQL
> > > auth.  So it would try LDAP first, and if the user isn't found (or
> > > even on a bad password), I would like FreeRadius to then try to auth
> > > against sql.  Is this possible, and if so how?
> > 
> >   See 'doc/configurable_failover'
> > 
> >   Alan DeKok.
> 
> Excellent.  Works beautifully.  Thank you.
> 
> - Dan

Before I start, I'm using FreeRadius 0.4 on RH 7.2, kernel 2.4.9.

Actually, it didn't work beautifully (using a "redundant" block).  The
LDAP worked, but the SQL didn't.  Since I was pointed in the right
direction, I figured I'd hack on it to figure out why not.  Well, I just
(finally) got it working.  I thought if anyone else would like to do
something similar, they could benefit from my findings.  

First, I had trouble getting sql authentication working.  Come to find
out, I had turned sqltrace = yes in sql.conf.  But since I didn't initially
create and change ownership of the default sqltracefile, the sql module
would silently fail when doing authentication.  

Then, according to the configurable_failover docs, I could use
"redundant" to group sql and ldap together.  But "redundant" is for two
data stores that have the same user data in it (or so I understand).  I
want to have two user data stores, one LDAP (CommuniGate Pro mail
server), and the other SQL (MySQL specifically).  The problem is that
the first "module" would fail.  According to configurable_failover, a
failure is returned from the whole "redundant" group, so I needed to
specifically specify the actions required from each return.  I include
that section from the authentication "group" here.  Notice that "reject"
is not "return", but rather "3".  This was the key change to get this to
work:

authtype LDAPORSQL {
        group {
                # A number means "keep going to the next module" (the highest
                # number seen becomes the group's result); "return" stops here.
                sql {
                        fail     = 1
                        notfound = 2
                        noop     = return
                        ok       = return
                        updated  = return
                        reject   = 3
                        userlock = return
                        invalid  = return
                        handled  = return
                }
                ldap {
                        fail     = 1
                        notfound = 2
                        noop     = return
                        ok       = return
                        updated  = return
                        reject   = 3
                        userlock = return
                        invalid  = return
                        handled  = return
                }
        }
}

Now, I can authenticate to a user found in LDAP *or* SQL.  And it seems
to work very well.  

Thank you to the FreeRadius developers.  A very good product.  

- Dan



-- 
- Dan Perik
Computer Services Department
Lapilo Center
New Tribes Mission - PNG
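To make the difference between the "redundant" block and the explicit "group" block concrete, here is an added simulation (not code from this thread and not FreeRADIUS code) of the return-code handling as I read doc/configurable_failover: an action of "return" stops the group and hands back that module's code, while a number lets the group continue and remembers the highest-numbered code seen as the provisional result. The LDAP and SQL backends, the user names and passwords, the "broken sql" stand-in for the unwritable sqltracefile, and the module order (LDAP before SQL, as in the original question) are all constructed for the example.

```python
"""Simulation of FreeRADIUS-style 'group' / 'redundant' return-code handling.

Each module returns a code (ok, reject, notfound, fail, ...).  The configuration
maps every code to an action: the word "return" ends the group with that code,
while an integer is a priority: processing continues with the next module and
the highest-priority code seen so far becomes the group's result.  This is my
reading of doc/configurable_failover, implemented with fake backends.
"""

RETURN = "return"

# Constructed stand-ins for the two user stores (not a real LDAP or SQL server).
LDAP_USERS = {"alice": "ldap-secret"}
SQL_USERS = {"bob": "sql-secret"}


def lookup_module(store):
    """Return a fake auth module that behaves like a password-checking backend."""
    def module(user, password):
        if user not in store:
            return "notfound"
        return "ok" if store[user] == password else "reject"
    return module


def broken_module(user, password):
    """Stands in for the sql module with an unwritable sqltracefile: always fails."""
    return "fail"


# Default 'redundant' semantics: only "fail" moves on to the next module;
# every other code returns immediately.
REDUNDANT_ACTIONS = {"fail": 1}

# The explicit 'group' block from the message: fail, notfound and reject all
# continue, with reject outranking notfound outranking fail.
LDAPORSQL_ACTIONS = {"fail": 1, "notfound": 2, "reject": 3}


def run_group(modules, actions, user, password):
    """Run the modules in order and return (final_code, trace).

    trace lists (module name, code it returned, action applied) for each
    module that actually ran, which is what you would want in a debug log.
    """
    best_code, best_prio = "fail", 0
    trace = []
    for name, module in modules:
        code = module(user, password)
        action = actions.get(code, RETURN)  # anything unlisted returns at once
        trace.append((name, code, action))
        if action == RETURN:
            return code, trace
        if action > best_prio:
            best_code, best_prio = code, action
    return best_code, trace


# LDAP first, then SQL, as in the original question.
MODULES = [("ldap", lookup_module(LDAP_USERS)), ("sql", lookup_module(SQL_USERS))]
# Same order, but the sql module is misconfigured and always fails.
MODULES_SQL_BROKEN = [("ldap", lookup_module(LDAP_USERS)), ("sql", broken_module)]


def authenticate(actions, user, password, modules=MODULES):
    """Convenience wrapper returning only the group's final code."""
    return run_group(modules, actions, user, password)[0]


if __name__ == "__main__":
    cases = (("alice", "ldap-secret"), ("bob", "sql-secret"), ("alice", "wrong"))
    for label, actions in (("redundant", REDUNDANT_ACTIONS), ("group", LDAPORSQL_ACTIONS)):
        for user, pw in cases:
            code, trace = run_group(MODULES, actions, user, pw)
            print(f"{label:9} {user}/{pw}: {code}  via {trace}")
```

Running it shows the behaviour described in the message: under the "redundant" defaults an LDAP "notfound" returns straight away, so the SQL store is never consulted and bob cannot log in; with notfound = 2 and reject = 3 the group carries on and bob authenticates against SQL. Two points worth keeping in mind from the trace: a sql module that is failing (the sqltracefile problem) surfaces as "notfound" rather than "fail", because notfound (2) outranks fail (1), which is why that misconfiguration looked silent; and with reject = 3 a password rejected by LDAP is still checked against SQL, so the SQL table is a full second credential path and needs the same password hygiene and monitoring as the LDAP directory.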



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html