Hi all,

I am trying to get both authentication and authorisation through LDAP. While
authentication works, authorisation still evades me. Ideas, anybody?

Regards,
Michael Fuller

----- Original Message -----
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 28, 2002 5:14 PM
Subject: Re: Authorization via LDAP & Authentication via PAM


> On Tue, 28 May 2002, Allister Maguire wrote:
>
> > Hello,
> >
> > I have got this working by setting:
> >
> > DEFAULT Auth-Type := pam
> >         Fall-Through = 1
> >
> > In the users file.
> >
> > I also want to restrict dialin access to certain ldap users, so I
> > changed the ldap filter:
> >
> > filter = "(&(uid=%u)(msNPAllowDialin=TRUE))"
> >
> > In the ldap {} module.
> >
> > Only problem is if I set msNPAllowDialin=FALSE, they still get an
> > Access-Accept because the files, pam module return ok (I think).
>
> You could also use the access_attr configuration directive. Then the module will
> return reject (well actually userlock) instead of notfound.
>
> >
> >
> >
> >   modcall[authorize]: module "ldap" returns notfound
> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type pam
> > auth: type "Pam"
> > modcall: entering group authenticate
> > pam_pass: using pamauth string <radiusd> for pam.conf lookup
> > pam_pass: authentication succeeded for <ssaint>
> >   modcall[authenticate]: module "pam" returns ok
> > modcall: group authenticate returns ok
> > Sending Access-Accept of id 1 to 127.0.0.1:32826
> > Finished request 1
> > Going to the next request
> > Thread 2 waiting to be assigned a request
> >
> >
> > How many need to fail, for the Access-Request to fail?
>
> Check out the doc/configurable_failover. You could do something like this in
> your authorize section:
>
> authorize{
> ldap{
> notfound = return
> }
> [...]
> }
>
> Hope it helps
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
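
The following is an added example, not part of the thread and not FreeRADIUS code: a simplified Python model of how an authorize group combines module return codes under the scheme in doc/configurable_failover, showing why the logged request ends in "group authorize returns ok". The default action table, the function names and the module order are assumptions made for illustration.

```python
# Simplified model of return-code handling in an authorize{} group.
# Each return code maps to an action: "return" (stop, hand back this code),
# "reject" (stop, hand back reject) or an integer priority.
RETURN = "return"
REJECT = "reject"

# Assumed default actions for the authorize section.
AUTHORIZE_DEFAULTS = {
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
    "fail": RETURN, "reject": RETURN, "userlock": RETURN,
    "invalid": RETURN, "handled": RETURN,
}

def run_group(calls, defaults=AUTHORIZE_DEFAULTS):
    """calls: list of (module, return_code, per-module overrides), in order."""
    best_code, best_prio = None, 0
    for _module, code, overrides in calls:
        action = {**defaults, **overrides}[code]
        if action == RETURN:
            return code          # group stops here with this module's code
        if action == REJECT:
            return "reject"
        if action >= best_prio:  # highest-priority code seen so far wins
            best_code, best_prio = code, action
    return best_code

def as_logged():
    # Constructed from the debug output: the filter matches nothing, so ldap
    # says notfound, but files has already returned ok (priority 3 beats 1).
    return run_group([("files", "ok", {}), ("ldap", "notfound", {})])

def with_access_attr():
    # With access_attr the thread says ldap returns userlock, which stops
    # the group at once instead of being outvoted by files.
    return run_group([("files", "ok", {}), ("ldap", "userlock", {})])

def with_notfound_return():
    # The override suggested in the reply: ldap { notfound = return }.
    return run_group([("files", "ok", {}),
                      ("ldap", "notfound", {"notfound": RETURN})])

if __name__ == "__main__":
    for scenario in (as_logged, with_access_attr, with_notfound_return):
        print(scenario.__name__, "->", scenario())
```

The model stops at the group's result; what the server does with a non-ok authorize result is outside its scope.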
