Hello Alan,

thanks for your help all the time. Proxying works fine now.

Alan DeKok wrote:
Benedikt Panzer wrote:
  
I tried with this users file:
DEFAULT Auth-Type := LDAP
DEFAULT Proxy-To-Realm := "students"
    

You're telling the server to use LDAP *always*, and to *never* proxy
the request.  Please read the "man" page for the "users" file.
  

Ok, I assume that a request isn't proxied if its Auth-Type is set to ldap. To prevent this, I could delete the first line and just write:
DEFAULT Proxy-To-Realm := "students"
Then the ldap module is still queried (and returns ok - that's fine) but all requests are forwarded. However, I want to forward only those users that are not in the ldap. I also thought about the modifiers I used and also tried different ones. That doesn't seem to be the problem.
Is there any check item I could use to constrain the forwarding? I think of an attribute that is set when ldap was able to authenticate the user. I tried:
DEFAULT Auth-Type != LDAP, Proxy-To-Realm := "students"
This doesn't change anything. Auth-Type doesn't seem to be set by the ldap module.


I'm still not sure whether Fall-Through could help in this situation. The documentation says:
The entries are processed in order, from the top of the users file, on down. 
If an entry [matches and] contains the special item Fall-Through = No as a reply attribute,
then the processing of the file stops, and no more entries are matched.
Does this mean that only the check items have to match or that e.g. the user has also to exist in the ldap?
Anyway, this users file didn't work any better than those above:
DEFAULT Auth-Type = LDAP 
    Fall-Through = Yes
DEFAULT Proxy-To-Realm := "students"

By searching the mailing list I found a hint about failover configuration and spent almost a day reading and trying this. But now I think that doesn't help to reach my aim. Or does it? (Nevertheless I was really impressed by the power and flexibility of the authorize and authenticate sections in radius.conf. That's really great - if you need it ;-)

Cheers, Benedikt





