Hi all,

I am trying to get both authentication and authorisation through LDAP. While authentication works, authorisation still evades me. Ideas, anybody?

Regards,
Michael Fuller

----- Original Message -----
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 28, 2002 5:14 PM
Subject: Re: Authorization via LDAP & Authentication via PAM

> On Tue, 28 May 2002, Allister Maguire wrote:
>
> > Hello,
> >
> > I have got this working by setting:
> >
> > DEFAULT Auth-Type := pam
> >         Fall-Through = 1
> >
> > In the users file.
> >
> > I also want to restrict dialin access to certain ldap users, so I
> > changed the ldap filter:
> >
> > filter = "(&(uid=%u)(msNPAllowDialin=TRUE))"
> >
> > In the ldap {} module.
> >
> > Only problem is if I set msNPAllowDialin=FALSE, they still get an
> > Access-Accept because the files, pam module return ok (I think).
>
> You could also use the access_attr configuration directive. Then the module will
> return reject (well actually userlock) instead of notfound.
>
> >
> > modcall[authorize]: module "ldap" returns notfound
> > modcall: group authorize returns ok
> > rad_check_password: Found Auth-Type pam
> > auth: type "Pam"
> > modcall: entering group authenticate
> > pam_pass: using pamauth string <radiusd> for pam.conf lookup
> > pam_pass: authentication succeeded for <ssaint>
> > modcall[authenticate]: module "pam" returns ok
> > modcall: group authenticate returns ok
> > Sending Access-Accept of id 1 to 127.0.0.1:32826
> > Finished request 1
> > Going to the next request
> > Thread 2 waiting to be assigned a request
> >
> >
> > How many need to fail, for the Access-Request to fail?
>
> Check out the doc/configurable_failover. You could do something like this in
> your authorize section:
>
> authorize{
>     ldap{
>         notfound = return
>     }
>     [...]
> }
>
> Hope it helps
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone:              +30 10 7721861
> 'Go back to the shadow'  Gandalf
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
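
The debug output quoted above (ldap returns notfound, yet the authorize group returns ok) can be reproduced with a small model of how a module group combines return codes. This is an added example, not FreeRADIUS code and not part of the original messages; the priority table is an assumption based on the authorize defaults described in doc/configurable_failover, and the module lists are constructed.

```python
# Simplified model of a FreeRADIUS module group (added example, not server code).
# ASSUMPTION: these authorize-section defaults follow doc/configurable_failover;
# check the copy shipped with your version before relying on the exact values.
RETURN = "return"

AUTHORIZE_DEFAULTS = {
    "reject": RETURN, "fail": RETURN, "handled": RETURN,
    "invalid": RETURN, "userlock": RETURN,
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
}


def run_group(modules, defaults=AUTHORIZE_DEFAULTS):
    """Evaluate modules in order; each item is (name, return_code, overrides).

    Returns (group_result, names_of_modules_that_ran).
    """
    best_code, best_prio, ran = None, 0, []
    for name, code, overrides in modules:
        ran.append(name)
        action = {**defaults, **overrides}[code]
        if action == RETURN:
            # Stop processing the group and hand this code back immediately.
            return code, ran
        if action >= best_prio:
            # Otherwise the highest-priority code seen so far wins.
            best_code, best_prio = code, action
    return best_code, ran


# Constructed scenarios for a user with msNPAllowDialin=FALSE.
# 1. Filter excludes the user: ldap says notfound, files (users file) says ok.
FILTER_ONLY = [("ldap", "notfound", {}), ("files", "ok", {})]
# 2. access_attr in use: ldap returns userlock, as described in the reply.
ACCESS_ATTR = [("ldap", "userlock", {}), ("files", "ok", {})]
# 3. Per-module override from the reply: ldap { notfound = return }.
OVERRIDE = [("ldap", "notfound", {"notfound": RETURN}), ("files", "ok", {})]

if __name__ == "__main__":
    for label, mods in [("filter only", FILTER_ONLY),
                        ("access_attr", ACCESS_ATTR),
                        ("notfound = return", OVERRIDE)]:
        result, ran = run_group(mods)
        print(f"{label:18} -> group authorize returns {result} (ran: {ran})")
```

In the first scenario the low-priority notfound is outvoted by ok from the users file, which matches the log; in the other two the group stops at ldap and never reaches the entry that sets Auth-Type.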