"Alan DeKok" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Markus Moeller wrote:
I am new to freeradius and try to authenticate users with pam and authorize
with ldap groups. I try to find a minimal configuration but have some
problems forcing the Auth-Type to be PAM.
You are aware that this will make EAP and many other authentication
methods impossible?
That is not my requirement right now
...
authorize {
auth_log
ldap
}
You can add the following just after ldap:
update control {
Auth-Type := PAM
}
Only if I set set_auth_type = yes in radiusd.conf for ldap and change
authorize in default to:
Auth-Type LDAP {
pam
}
That was the only way I could get it to work. If I use update control
anybody can login, whereas in my setup only a user who exists in ldap gets
Auth-Type set to LDAP; all other users have an empty value and therefore
cannot authenticate.
Please don't do that.
Is there also a way to disable the use of the ldap.attribute mapping, as I
really don't need it?
You'll have to edit the source code.
I have changed my setup to use files and a users file together with a
"private" radius attribute mapped to an ldap entry. e.g.
dictionary has:
Attribute user-location 3000 string
ldap.attrmap:
checkitem user-location office-address
in users I have
DEFAULT user-location == "LDN", Auth-Type := Reject
        Reply-message = "You are not allowed to login"
DEFAULT AUTH-Type := PAM
in site-enabled/default I have
Authorize {
ldap
files
}
authenticate {
pam
}
Unfortunately that does not work, as I never hit the first default statement
in users despite having a user-location of LDN. What am I doing wrong here?
How can I use an ldap query result to deny/allow access?
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Thank you
Markus