Hi Phil,

Thanks for the pointers. I was attempting to use ntlm_auth to ensure the account actually existed for the authorization section, and then again in the authentication section to ensure the user name and password match.

Is there a better way to check for authorization against AD?

Cheers,
Harry

On Wed, 2010-10-13 at 14:56 +0100, Phil Mayers wrote:
> On 13/10/10 14:40, Harry Hoffman wrote:
> > Hi Alan,
> >
> > Thanks for the help! This works well and lessens the confusion on my
> > part.
> >
> > I do have one question. When using ldap as the authorization module the
> > Auth-Type gets set properly to siteone_ldap. But if I try using
>
> That's a feature of the "ldap" module; if it is a "named" module it sets
> the Auth-Type to that name (otherwise using "LDAP")
>
> > ntlm_auth then the Auth-Type is not set even though ntlm_auth returns
> > OK.
>
> The (confusingly named) "ntlm_auth" module is actually a copy of the
> "exec" module which checks PAP requests; it does not have that feature.
> You are also using it wrong, by running it in the "authorize" section.
>
> You want something like:
>
> authorize {
>   if (Realm == ...) {
>     ldap_siteone
>   }
>   elsif (Realm == ...) {
>     update control {
>       Auth-Type := PAP-ntdom
>     }
>   }
> }
>
> authenticate {
>   Auth-Type ldap_siteone {
>     ldap_siteone
>   }
>   Auth-Type PAP-ntdom {
>     ntlm_auth
>   }
> }
>
>
> I guess the other alternative is:
>
> authorize {
>   if (Realm == ...) {
>     ldap_siteone
>   }
>   elsif (Realm == ...) {
>     ntlm_auth
>     if (ok) {
>       update control {
>         Auth-Type := PAP-ntdom
>       }
>     }
>   }
> }
>
> ...but maybe it's not really what you should be doing; "authenticate"
> should happen after "authorize"
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
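An added configuration example, not from Phil's or Harry's mail, showing how the exec-style ntlm_auth instance and the realm dispatch Phil describes fit together. The module block mirrors the stock exec definition shipped with FreeRADIUS 2.x; the realm names, the ntlm_auth path and the MYDOMAIN value are assumed placeholders, and the fail-closed else branch is my addition.

```unlang
# modules/ntlm_auth: an "exec" instance. It can only return ok/reject from
# the exit code of Samba's ntlm_auth, so it never sets Auth-Type itself, and
# it needs User-Password in cleartext, i.e. it only serves PAP requests.
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}

# sites-enabled/default, relevant sections only. Each realm below must also be
# defined as a local realm in proxy.conf, otherwise "suffix" will not set Realm.
authorize {
    preprocess
    suffix                          # splits user@realm and sets the Realm attribute
    if (Realm == "siteone.example") {
        ldap_siteone                # named ldap instance sets Auth-Type to its own name
    }
    elsif (Realm == "ntdom.example") {
        update control {
            Auth-Type := PAP-ntdom  # exec modules do not do this for you
        }
    }
    else {
        reject                      # unknown realm: fail closed instead of falling through
    }
}

authenticate {
    Auth-Type ldap_siteone {
        ldap_siteone                # binds as the user against the siteone directory
    }
    Auth-Type PAP-ntdom {
        ntlm_auth                   # runs only here, after authorize picked this path
    }
}
```

With this layout ntlm_auth is never executed during authorize, so a user in the wrong realm is rejected before any password is sent to the domain.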