Thomas Boutell <[EMAIL PROTECTED]> wrote:
> My goal, ultimately, is to try to authorize users in both a local Samba PDC
> (with an LDAP back end) and in another NT domain, WITHOUT forcing
> the use of a domain name in the user name. For various reasons we (or
> our readers) need to have two separate domains on the back end, but are 
> trying to move away from forcing users to be aware of them. When people dial 
> into the VPN we want them to be able to authorize with just their username
> and their password, no domain name.
> 
> (Yes, of course, we're aware of the possibility of name conflicts.)

  i.e. check in one domain, and if that fails, use another.

> Now users are coming in with mschap2, so we pretty much need to use winbind
> and/or radius proxies for authenticating users in either domain. And
> we can do it -- for one or the other but not both. We have no trouble
> authenticating users on the Samba PDC with ldap-plus-winbind and
> we have no trouble authenticating users on the Windows domain
> with an IAS radius proxy. But we can't do both. A "user does not exist"
> response from either ends the whole ballgame.

  Pretty much.

> But today I read this message from Alan DeKok:
> 
> http://lists.cistron.nl/pipermail/freeradius-users/2004-April/030193.html
> 
> Which says you can't proxy twice. And it sounds like you can't even
> try proxy when local gives a particular response or vice versa.

  You can, but it's not generally recommended.
 
> I have three questions:
> 
> 1. Is this still the state of affairs? configurable_failover
> makes it possible to try a different LOCAL method (for instance,
> ldap after winbind) when the first method responds that the
> user does not exist (not the same thing as failing), but
> you can't do that with proxies?

  Pretty much.  There are ways of getting around it, but some involve
minor source code hacks.

  You can always have a shell script do the authentication for you.
It can run ntlm_auth, and if that returns "notfound", it can then run
"radclient" to send the request to another RADIUS server.  It's ugly,
but it will work.

> 2. Is this true even if the two methods I want to try are
> a proxy and a local method? Is it still true if I don't mind
> trying the local method first? I had hoped that might do the
> job, but no luck so far.

  The server treats proxying as "special".  That may not have been the
best choice.  In the future, we may want to have an "rlm_proxy" module
for authentication, in which case configurable failover will just work
for proxying.

> 3. If I'm stuck on both counts, can the "ldap" authentication
> module be convinced to do mschap2 authentication somehow without
> winbind?

  No.

  Alan DeKok.
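The ntlm_auth-then-radclient fallback Alan sketches above, written out as an added example (it is not code from the thread or from the FreeRADIUS project). It covers the PAP case, where the script holds the cleartext password; for MS-CHAPv2 the challenge/response attributes would have to be forwarded to the second server instead. The fallback server address, the shared secret and the exact NT_STATUS strings matched are assumptions, and the command names are read from variables so the decision logic can be exercised with stubs:

```sh
#!/bin/sh
# Added example, not from the thread: an authentication wrapper that asks the
# local Samba/winbind domain first via ntlm_auth and forwards the request to
# a second RADIUS server with radclient ONLY when the local domain says the
# user does not exist. A wrong password locally is a reject, not a reason to
# try the other domain. Command names come from variables so the logic can be
# exercised with stub functions; the server and secret are placeholders.

NTLM_AUTH="${NTLM_AUTH:-ntlm_auth}"
RADCLIENT="${RADCLIENT:-radclient}"
FALLBACK_SERVER="${FALLBACK_SERVER:-radius2.example.com:1812}"  # placeholder
FALLBACK_SECRET="${FALLBACK_SECRET:-CHANGE-ME}"                  # placeholder

# Map ntlm_auth's status line to ok / notfound / reject. The strings are the
# NT_STATUS codes winbind reports (assumed; check the output of your own
# ntlm_auth version before relying on them).
classify_ntlm() {
  case "$1" in
    *NT_STATUS_OK*)           echo ok ;;
    *NT_STATUS_NO_SUCH_USER*) echo notfound ;;
    *)                        echo reject ;;
  esac
}

# Try the local domain, then the remote one. Prints the decision
# (accept-local, reject-local, accept-proxied, reject-proxied) and
# returns 0 for an accept, 1 for a reject.
auth_decision() {
  user="$1"; pass="$2"

  # Step 1: local check. ntlm_auth exits non-zero on any failure, so keep
  # its output and decide on the status text instead of the exit code.
  out=$("$NTLM_AUTH" --username="$user" --password="$pass" 2>&1) || true
  case "$(classify_ntlm "$out")" in
    ok)       echo accept-local; return 0 ;;
    reject)   echo reject-local; return 1 ;;
    notfound) ;;  # unknown here: fall through to the other domain
  esac

  # Step 2: forward as a PAP request. radclient reads attributes on stdin
  # and exits 0 on Access-Accept, non-zero on Access-Reject or timeout.
  if printf 'User-Name = "%s"\nUser-Password = "%s"\n' "$user" "$pass" |
       "$RADCLIENT" -q "$FALLBACK_SERVER" auth "$FALLBACK_SECRET"; then
    echo accept-proxied; return 0
  fi
  echo reject-proxied; return 1
}

# When run as a script (e.g. from rlm_exec), the exit status is the
# accept/reject signal.  Usage: ./auth-fallback.sh USERNAME PASSWORD
if [ "$#" -eq 2 ]; then
  auth_decision "$1" "$2" >/dev/null
fi
```

Two things worth checking before using something like this in production: the NT_STATUS text that your ntlm_auth prints for an unknown user (a mismatch silently turns every unknown user into a local reject and the fallback never fires), and the fact that a password given on the command line is visible in the process list, so passing it through the environment or ntlm_auth's helper protocol is preferable to the `--password=` form shown here.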

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html