On Fri, 4 Oct 2002, Brendon Colby wrote:
> Greetings,
>
> We have an LDAP server with which we want to do authentication. I also
> want to use PAM to authenticate (if LDAP user doesn't exist check PAM).
> Here is what I have in radius.conf:
>
> authorize {
>         files
>         ldap {
>                 notfound = return
>         }
> }
>
> authenticate {
>         pam
>         ldap
> }
>
> in the users file:
>
> DEFAULT Auth-Type := Pam
>         Fall-Through = Yes
>
> DEFAULT Auth-Type := ldap
>         Fall-Through = Yes
>
>
> I try logging in as a user that does not exist in LDAP (PAM auth).
> The authorize section returns not found, of course, and the authenticate
> section doesn't even try pam. The debug shows that it tries LDAP and
> then fails on the login, sending back an Access-Reject.

You always set Auth-Type to ldap in your users file. I would suggest something
like this (I haven't tested it though):

authenticate {
        pam
        ldap
}

authorize {
        ldap
        files
}

users file:

DEFAULT Auth-Type = Pam

That way if ldap finds the user it will set by default the Auth-Type to ldap
(the module handles that). If it returns notfound then the users file will set
Auth-Type to Pam.

doc/configurable_failover is very helpful on this.

>
> I want it to try ldap first, then try PAM if the LDAP returns a user not
> found. Is this possible?
>
> Thanks.
>
> --
> Brendon Colby
> Systems Administrator
> Midcontinent Communications
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
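
Added example, not part of the original messages and not FreeRADIUS code: a toy Python model of the authorize pass for the two configurations discussed above, showing which Auth-Type each one ends up with. The function names, the sample user "alice" and the modelled operator semantics (':=' always replaces, '=' sets only when Auth-Type is unset, ldap sets Auth-Type only when it finds the user) are assumptions made for illustration.

```python
# Toy model of one authorize pass; not FreeRADIUS code.
# Assumed semantics (taken from the thread and the users-file operators):
#   ':=' always replaces Auth-Type, '=' sets it only if none is set yet,
#   Fall-Through = Yes keeps matching later DEFAULT entries,
#   ldap sets Auth-Type to ldap only when it finds the user.

LDAP_USERS = {"alice"}  # constructed sample directory


def files(config, entries):
    """Apply DEFAULT entries from the users file in order."""
    for op, value, fall_through in entries:
        if op == ":=" or "Auth-Type" not in config:
            config["Auth-Type"] = value
        if not fall_through:
            break
    return "ok"


def ldap(user, config):
    """Return 'notfound' for unknown users; otherwise claim the request."""
    if user not in LDAP_USERS:
        return "notfound"
    config.setdefault("Auth-Type", "ldap")
    return "ok"


def authorize(user, order, entries, ldap_notfound_returns=False):
    """Run the authorize section and return the resulting Auth-Type."""
    config = {}
    for module in order:
        if module == "files":
            files(config, entries)
        elif module == "ldap":
            rcode = ldap(user, config)
            if rcode == "notfound" and ldap_notfound_returns:
                break  # models 'notfound = return'
    return config.get("Auth-Type")


# Original post: files before ldap, two ':=' DEFAULTs with Fall-Through.
ORIGINAL = (["files", "ldap"], [(":=", "Pam", True), (":=", "ldap", True)])
# Suggested reply: ldap before files, a single '=' DEFAULT.
SUGGESTED = (["ldap", "files"], [("=", "Pam", False)])

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, authorize(user, *ORIGINAL, ldap_notfound_returns=True),
              authorize(user, *SUGGESTED))
```

In this model the original layout yields Auth-Type ldap for every user, so a user missing from LDAP is never handed to pam; the suggested layout yields ldap for directory users and Pam for everyone else.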