On Fri, 4 Oct 2002, Brendon Colby wrote:

> Greetings,
>
> We have a LDAP server with which we want to do authentication. I also
> want to use PAM to authenticate (if LDAP user doesn't exist check PAM).
> Here is what I have in radius.conf:
>
> authorize {
>         files
>         ldap {
>                 notfound = return
>         }
> }
>
> authenticate {
>         pam
>         ldap
> }
>
> in the users file:
>
> DEFAULT Auth-Type := Pam
>         Fall-Through = Yes
>
> DEFAULT Auth-Type := ldap
>         Fall-Through = Yes
>
>
> I try logging in as a user that does not exist in LDAP (PAM auth).
> The authorize section returns not found, of course, and the authenticate
> section doesn't even try pam. The debug shows that it tries LDAP and
> then fails on the login, sending back an Access-Reject.

You always set Auth-Type to ldap in your users file. I would suggest
something like this (I haven't tested it though):

authenticate {
        pam
        ldap
}

authorize {
        ldap
        files
}

users file:

DEFAULT Auth-Type = Pam

That way if ldap finds the user it will set by default the Auth-Type to ldap
(the module handles that). If it returns notfound then the users file will set
Auth-Type to Pam. doc/configurable_failover is very helpful on this.

>
> I want it to try ldap first, then try PAM if the LDAP returns a user not
> found. Is this possible?
>
> Thanks.
>
> --
> Brendon Colby
> Systems Administrator
> Midcontinent Communications
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
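
An added illustration, not part of the original thread and not FreeRADIUS code: a simplified Python model of how Auth-Type ends up set under the two configurations discussed above. It assumes the users-file operator semantics documented for FreeRADIUS (`:=` always replaces, `=` sets the value only if none is present) and that the ldap module sets Auth-Type when it finds the user, as the reply states; the user names and all function names are constructed.

```python
# Simplified model (assumption, not FreeRADIUS source) of Auth-Type selection
# in the authorize section for the original and the suggested configuration.

def apply_users_file(entries, control):
    """Apply DEFAULT entries in order; each entry is (operator, value, fall_through)."""
    for op, value, fall_through in entries:
        if op == ":=":
            control["Auth-Type"] = value            # always replaces
        elif op == "=":
            control.setdefault("Auth-Type", value)  # only if not already set
        else:
            raise ValueError("unsupported operator: " + op)
        if not fall_through:
            break                                   # no Fall-Through: stop here

def ldap_authorize(control, user, directory):
    """Model of ldap in authorize: sets Auth-Type when the user is found."""
    if user in directory:
        control["Auth-Type"] = "ldap"
        return "ok"
    return "notfound"

def authorize(order, users_entries, user, directory, ldap_notfound_return=False):
    control = {}
    for module in order:
        if module == "files":
            apply_users_file(users_entries, control)
        elif module == "ldap":
            rcode = ldap_authorize(control, user, directory)
            if rcode == "notfound" and ldap_notfound_return:
                break                               # "notfound = return"
    return control.get("Auth-Type")

LDAP_USERS = {"alice"}  # constructed directory: alice is in LDAP, bob is not

ORIGINAL = dict(order=["files", "ldap"], ldap_notfound_return=True,
                users_entries=[(":=", "Pam", True), (":=", "ldap", True)])
SUGGESTED = dict(order=["ldap", "files"],
                 users_entries=[("=", "Pam", False)])

def chosen_auth_type(config, user):
    return authorize(user=user, directory=LDAP_USERS, **config)

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for user in ("alice", "bob"):
            print(name, user, "->", chosen_auth_type(cfg, user))
```

In the original configuration the second `:=` entry overwrites the first, so every request reaches authenticate with Auth-Type ldap, which matches the debug output described in the question.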