David De Maeyer <[EMAIL PROTECTED]> wrote:
> In our case doing so gives some problems. First of all we
> authenticate our users via the users file and via our LDAP
> server.

  No.  The 'users' file AUTHORIZES the users.  It doesn't authenticate
anyone.

> If the user is not found in the users file then Radius tries
> via the LDAP server. It works fine. But of course we do not need to
> authenticate the user WhistleBlower via LDAP. It unnecessarily fills
> the log file with:
> 
> Mon Feb 24 10:53:27 2003 : Auth: Login incorrect (rlm_ldap: User not found): 
> [WhistleBlower] (from client YYY port 1)

  Then disable logging of failed authentication requests.

> What I did then was to create a user WhistleBlower at the beginning of
> the users file using the "Auth-Type := Reject" attribute. Starting
> radiusd in debug mode and using radtest I tested that user and
> access was rejected as expected and radiusd didn't make use of the
> rlm_ldap module:
...

  And you provided the output of 'radtest' NOT the output of the
server.  So you have no idea whether or not that test used the LDAP
module.

> But when starting radiusd normally it seems that it still tries to
> authenticate the WhistleBlower user against the LDAP server.

  I'll bet money that the same thing happens for the test you posted above.

> It seems to me that Radius ignores the WhistleBlower user defined at
> the beginning of the users file:

  No.  What's happening is that the 'files' module (which administers
the 'users' file) is returning 'OK' from the 'authorize' section.
Since you configured the user to be rejected, it would be better for
the module to return REJECT.  The server would then immediately stop
processing the request, and reject the user.

> clients file is organized as:
> 1. WhistleBlower user
> 2. Local users
> 3. DEFAULT LDAP authentication

  None of those things go into the 'clients' file.


  The solution is to fix the 'files' module to return 'reject'.  The
patch is small.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
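The authorize-section behaviour Alan describes (rlm_files returning OK so the request carries on to rlm_ldap, versus returning REJECT so the server stops at once), as an added simplified Python model that is not part of this thread or of FreeRADIUS itself; the users-file text, the LDAP directory set, the return-code strings and the logged message are constructed for illustration.

```python
# Added simplified model, not FreeRADIUS source: a first-match 'users' file
# (rlm_files) chained with an LDAP lookup (rlm_ldap) in the 'authorize' section.
USERS_FILE = """\
WhistleBlower   Auth-Type := Reject
alice           Auth-Type := Local, User-Password == "s3cret"
DEFAULT         Auth-Type := LDAP
"""  # constructed, in the order the poster described

def parse_users(text):
    """Parse 'name  Attr op Value, ...' lines; operators are ignored here."""
    entries = []
    for line in text.splitlines():
        name, _, rest = line.partition(" ")
        attrs = {}
        for item in rest.split(","):
            attr, _op, value = item.split(None, 2)
            attrs[attr] = value.strip('"')
        entries.append((name, attrs))
    return entries

def rlm_files(request, entries, fixed):
    """First match wins (DEFAULT matches anyone). fixed=False always returns
    'ok', as in the thread; fixed=True returns 'reject' for Auth-Type := Reject."""
    for name, attrs in entries:
        if name in (request["User-Name"], "DEFAULT"):
            if fixed and attrs.get("Auth-Type") == "Reject":
                return "reject", attrs
            return "ok", attrs
    return "notfound", {}

def rlm_ldap(request, directory, log):
    """Look the user up in the constructed directory; record a miss."""
    if request["User-Name"] in directory:
        return "ok"
    log.append(f"Auth: Login incorrect (rlm_ldap: User not found): [{request['User-Name']}]")
    return "notfound"

def authorize(request, entries, directory, fixed):
    """Run the chain; a 'reject' from any module stops processing at once."""
    log = []
    rcode, control = rlm_files(request, entries, fixed)
    if rcode == "reject":
        return "reject", log            # rlm_ldap is never consulted
    rlm_ldap(request, directory, log)   # 'ok' lets the chain continue
    if control.get("Auth-Type") == "Reject":
        return "reject", log            # rejected, but only after the LDAP miss
    return "ok", log

ENTRIES, LDAP_DIR = parse_users(USERS_FILE), {"bob"}   # WhistleBlower absent from LDAP
REQUEST = {"User-Name": "WhistleBlower"}
```

Calling `authorize(REQUEST, ENTRIES, LDAP_DIR, False)` rejects the user but only after an LDAP miss is logged; with `True` the rejection happens in rlm_files and rlm_ldap never runs.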
