Hi folks,
I'm writing on a publication deadline and hoping to show how FreeRADIUS can solve an intriguing problem. Unfortunately so far I can't seem to get it to do the job.
My goal, ultimately, is to try to authorize users in both a local Samba PDC (with an LDAP back end) and in another NT domain, WITHOUT forcing the use of a domain name in the user name. For various reasons we (or our readers) need to have two separate domains on the back end, but are trying to move away from forcing users to be aware of them. When people dial into the VPN we want them to be able to authorize with just their username and their password, no domain name.
(Yes, of course, we're aware of the possibility of name conflicts.)
Now users are coming in with mschap2, so we pretty much need to use winbind and/or radius proxies for authenticating users in either domain. And we can do it -- for one or the other but not both. We have no trouble authenticating users on the Samba PDC with ldap-plus-winbind and we have no trouble authenticating users on the Windows domain with an IAS radius proxy. But we can't do both. A "user does not exist" response from either ends the whole ballgame.
I thought configurable_failover was the ticket to solve this problem.
But today I read this message from Alan DeKok:
http://lists.cistron.nl/pipermail/freeradius-users/2004-April/030193.html
Which says you can't proxy twice. And it sounds like you can't even try a proxy when a local module gives a particular response, or vice versa.
I have three questions:
1. Is this still the state of affairs? configurable_failover makes it possible to try a different LOCAL method (for instance, ldap after winbind) when the first method responds that the user does not exist (not the same thing as failing), but you can't do that with proxies?
2. Is this true even if the two methods I want to try are a proxy and a local method? Is it still true if I don't mind trying the local method first? I had hoped that might do the job, but no luck so far.
3. If I'm stuck on both counts, can the "ldap" authentication module be convinced to do mschap2 authentication somehow without winbind?
NOTE: I have radiusd 1.01 as currently obtainable from the Fedora Core 3 repositories.
Thanks!
--
Thomas Boutell
Boutell.Com, Inc. http://www.boutell.com/
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html