Hi Larry,

I am doing this same thing...

I've modified the PAP and LDAP sections, in /etc/raddb/sites-enabled/{default,inner-tunnel}, to do this and it works well.

authenticate {

        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                #pap
                group{
                        pap{
                                reject = 1
                                ok = return
                        }
                        ntlm_auth{
                                reject = 1
                                ok = return
                        }
                }

        }
...

I do the same for Auth-Type LDAP.

Hope this helps.

Cheers,
Harry


On 02/08/2010 09:42 PM, Alan DeKok wrote:
> Larry Ross wrote:
>> I am looking at configuring FR to Auth accounts across multiple account
>> directories.  Basically I would like FR to take in PAP queries, attempt
>> Auth against krb, then if that comes back as a fail, try a secondary
>> Radius server (Eduroam…) or module (Shibboleth).
>
>    That's hard.
>
>> We are looking at this as we foresee collisions occurring between
>> accounts residing within other universities and our local guest accounts
>> (which use email address as the principal).
>
>    The simple answer is "don't have colliding usernames".
>
>    Use email addresses for logins, *especially* for roaming users from
>    other universities.
>
>    Having colliding usernames is very bad for a number of reasons.
>
>    Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
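
Added example, not part of the original messages and not FreeRADIUS code: a small Python model of how the group in the config above combines module return codes ("reject = 1" records the reject and moves on, "ok = return" stops at the first success), and of what that means when the same username exists in both back ends. The credential stores, the stand-in modules and every name in the code are constructed for illustration.

```python
# Added illustration: a model of how a FreeRADIUS "group" block combines
# module return codes. Stores, modules and names are constructed samples.

RETURN = "return"  # action: stop processing the group immediately

# Constructed credential stores standing in for the two back ends.
LOCAL_PAP = {"alice": "local-pw", "guest@example.org": "guest-pw"}
NTLM_DOMAIN = {"bob": "domain-pw", "guest@example.org": "other-pw"}


def make_module(store):
    """Return a stand-in module: 'ok' on a password match, else 'reject'."""
    def module(user, password):
        return "ok" if store.get(user) == password else "reject"
    return module


# The group from the post: each entry is (name, module, rcode -> action).
# An integer action is a priority; RETURN ends the group with that rcode.
GROUP = [
    ("pap", make_module(LOCAL_PAP), {"reject": 1, "ok": RETURN}),
    ("ntlm_auth", make_module(NTLM_DOMAIN), {"reject": 1, "ok": RETURN}),
]


def run_group(group, user, password):
    """Evaluate modules in order; return (final rcode, modules that ran)."""
    best_rcode, best_prio, ran = None, -1, []
    for name, module, actions in group:
        rcode = module(user, password)
        ran.append(name)
        action = actions[rcode]
        if action == RETURN:
            return rcode, ran          # first success wins, later modules skipped
        if action > best_prio:
            best_rcode, best_prio = rcode, action
    return best_rcode, ran             # every module rejected


if __name__ == "__main__":
    for user, pw in [("alice", "local-pw"), ("bob", "domain-pw"),
                     ("bob", "wrong"), ("guest@example.org", "guest-pw"),
                     ("guest@example.org", "other-pw")]:
        print(user, pw, run_group(GROUP, user, pw))
```

The last two sample logins both succeed: with failover, a username present in both stores is accepted with either store's password, which is one concrete cost of the colliding usernames discussed in the quoted reply.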
