Martin Whinnery wrote:
> Markus Krause wrote:
>> Quote from Martin Whinnery <[EMAIL PROTECTED]>:
>>
>>> Hi.
>>>
>>> Probably just me not understanding...
>>>
>>> What I want is for our switches to only allow access to MAC addresses in
>>> our LDAP database.
>>>
>>> I don't want to store passwords on our LDAP host entries.
>>>
>>> I'm set up to check LDAP during authorisation, and it correctly returns
>>> authorised / not authorised depending on whether the appropriate
>>> attribute contains the right value.
>>>
>>> The trouble comes with authentication - either I set Auth-Type :=
>>> Accept, in which case any failed authorisation is overridden, or I allow
>>> authentication to carry on against LDAP (or System, or whatever), in
>>> which case it fails always and access is denied, even for authorised MACs.
>>>
>>> Is there a way to make the Authorisation part final and authoritative?
>>>
>>> As I say, probably just being stoopid.
>>>
>>> Mart
>>
>> don't know if it is a good solution, but i just do this by setting the
>> following in radiusd.conf:
>>
>>     authenticate {
>>         ...
>>         Auth-Type LdapMAC {
>>             ok
>>         }
>>         ...
>>     }
>>
>> the Auth-Type is set in users file depending on huntgroups:
>>
>>     DEFAULT Huntgroup-Name == switch, Autz-Type := LdapMAC, Auth-Type := LdapMAC
>>
>> i assume there are better/smarter solutions as one can read "don't
>> set Auth-Type" in many places but it works here ;-)
>>
>> regards
>> markus
>
> Thanks Markus,
>
> the problem seems to be that the authorisation pass returns "notfound",
> whereas I want it to "reject", as if it found an entry in LDAP without
> the appropriate attribute.
>
> Mart

This was exactly the problem. What I've done is created an exec module, which checks for 'not found' in MODULE_FAILURE_MESSAGE, returning non-zero if there's a match. So authorization *fails* rather than succeeds with 'not found'.

I think. Anyway, it works. Thanks for all your help.

Mart

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
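The exec-module check Mart describes, written out as an added example (constructed here, not the script from the thread): FreeRADIUS rlm_exec exports request attributes to the script's environment with names upper-cased and `-` turned into `_`, so `Module-Failure-Message` arrives as `MODULE_FAILURE_MESSAGE`; the function name `ldap_mac_check` and the sample messages are assumptions.

```shell
#!/bin/sh
# Constructed example of an rlm_exec script for the authorize section.
# Idea from the thread: when rlm_ldap reports "not found" for a MAC, the
# default result is "notfound", which other modules can turn into an
# accept. Exiting non-zero from an exec module makes the request fail
# instead, so an unknown MAC is rejected rather than falling through.

# ldap_mac_check MESSAGE
#   Returns 0 (carry on) unless MESSAGE contains the 'not found' text
#   that rlm_ldap leaves in Module-Failure-Message, in which case it
#   returns 1 (reject). An empty message means LDAP raised no failure.
ldap_mac_check() {
    msg="$1"
    case "$msg" in
        *"not found"*) return 1 ;;   # MAC not in LDAP: reject
        *)             return 0 ;;   # no LDAP failure reported
    esac
}

# Entry point when radiusd runs this script: the attribute is exported as
# an environment variable (hyphen -> underscore, upper-cased). The exit
# status becomes the module's result. Skipped when the variable is unset,
# so the file can also be sourced for testing.
if [ -n "${MODULE_FAILURE_MESSAGE+set}" ]; then
    ldap_mac_check "$MODULE_FAILURE_MESSAGE"
    exit $?
fi
```

The assumed radiusd.conf side is an `exec` module instance with `wait = yes` placed in `authorize` after `ldap`, so that the LDAP lookup has already populated `Module-Failure-Message` when the script runs.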