On Fri, Mar 09, 2012 at 10:59:46AM -0500, u...@3.am wrote:

authorize {

        preprocess
                redundant LDAP{
                        ldap1
                        ldap2
                        }


       #  The ldap module will set Auth-Type to LDAP if it has not
       #  already been set
#       ldap

authenticate {

        #Auth-Type LDAP {
        redundant LDAP{
                ldap1
                ldap2

        }


I think that's (very) wrong.

I would need to check this, but I *think* you want something like this:

authorize {
  ...
  redundant {
    ldap1
    ldap2
  }
  ...
}
authenticate {
  Auth-Type ldap1 {
    ldap1
  }
  Auth-Type ldap2 {
    ldap2
  }
}

..and:

ldap ldap1 {
  ...
  set_auth_type = yes
}
ldap ldap2 {
  ...
  set_auth_type = yes
}

Did you read a doc telling you to do it the way you did?

Using "ldap" in the authenticate section is a bit tricky, and you'd be wise to avoid it if you can - if the LDAP server will "give" you the password (plaintext or crypted) you're better off doing that in "authorize" and letting FreeRADIUS perform the auth using rlm_pap or whatever.

Very briefly, here's how it works:

IF
 "set_auth_type = yes" on the module
AND
 there is an "Auth-Type modname" in the "authenticate" section
AND
 Auth-Type is not already set
AND
 the request is PAP i.e. has User-Password
AND
 the ldap module did NOT put a password hash into the control items
THEN
 the ldap module will set Auth-Type==modname and authentication will come "back to itself" in authenticate {}


The reasons it works that way are complex, and in an ideal world the ldap module would be a lot simpler, but it's got a lot of backwards compatibility code in it, and LDAP and RADIUS have a pretty bad impedance mismatch when used this way (LDAP as an oracle).


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
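As an added illustration of the approach the reply recommends (not config from the poster, the reply, or the FreeRADIUS distribution): each ldap instance only fetches the stored password during authorize, with set_auth_type = no, so rlm_pap does the comparison and nothing loops back into the ldap module during authenticate. The hostnames, base DN and password attribute are assumed values; the config items are those of rlm_ldap 2.x.

```conf
# modules/ldap  (assumed hostnames/DN; two instances so redundant {} can fail over)
ldap ldap1 {
        server = "ldap1.example.com"
        basedn = "ou=people,dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # Copy the stored password into the control items so rlm_pap can check it.
        password_attribute = "userPassword"
        # Never bounce authentication back to this module.
        set_auth_type = no
}
ldap ldap2 {
        server = "ldap2.example.com"
        basedn = "ou=people,dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        password_attribute = "userPassword"
        set_auth_type = no
}

# sites-enabled/default
authorize {
        preprocess
        # ldap2 is tried only if ldap1 returns "fail" (server down, bind error),
        # not when ldap1 simply does not find the user.
        redundant {
                ldap1
                ldap2
        }
        # pap sets Auth-Type = PAP when it sees a known password attribute
        # in the control items and the request carries User-Password.
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
}
```

With set_auth_type = no on both instances, the "Auth-Type modname" blocks from the reply are not needed, and a user absent from the directory is rejected by pap for lack of a known-good password rather than by an LDAP bind.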
