Re: Authorization via LDAP Authentication via PAM
On Wed, 29 May 2002, Michael Fuller wrote:

> Hi all,
>
> I am trying to get both authentication and authorisation through LDAP. While authentication works, authorisation still evades me. Ideas anybody?
>
> Regards,
> Michael Fuller
>
> authorize{
>     files
>     ldap
> }

What is the problem you are facing? Send debugging logs showing where your problem is.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Authorization via LDAP Authentication via PAM
On Tue, 28 May 2002, Allister Maguire wrote:

> Hello,
>
> I have got this working by setting:
>
> DEFAULT Auth-Type := pam
>         Fall-Through = 1
>
> In the users file. I also want to restrict dialin access to certain ldap users, so I changed the ldap filter:
>
> filter = (&(uid=%u)(msNPAllowDialin=TRUE))
>
> In the ldap {} module. Only problem is if I set msNPAllowDialin=FALSE, they still get an Access-Accept because the files, pam module return ok (I think).

You could also use the access_attr configuration directive. Then the module will return reject (well actually userlock) instead of notfound.

> modcall[authorize]: module ldap returns notfound
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type pam
> auth: type Pam
> modcall: entering group authenticate
> pam_pass: using pamauth string radiusd for pam.conf lookup
> pam_pass: authentication succeeded for ssaint
> modcall[authenticate]: module pam returns ok
> modcall: group authenticate returns ok
> Sending Access-Accept of id 1 to 127.0.0.1:32826
> Finished request 1
> Going to the next request
> Thread 2 waiting to be assigned a request
>
> How many need to fail, for the Access-Request to fail?

Check out the doc/configurable_failover. You could do something like this in your authorize section:

authorize{
    ldap{
        notfound = return
    }
    [...]
}

Hope it helps

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
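Added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of how an authorize group combines module return codes, showing why the log above reads "module ldap returns notfound" followed by "group authorize returns ok". The default priority numbers and the files-then-ldap module order are assumptions made for illustration; doc/configurable_failover in your own server version is the reference.

```python
# Simplified model of return-code handling in an authorize{} group.
# ASSUMPTION: the default actions below are illustrative values in the style
# of doc/configurable_failover; they are not copied from the thread.
RETURN = "return"  # stop processing the group and hand back this code

DEFAULT_ACTIONS = {
    "reject": RETURN, "fail": RETURN, "handled": RETURN,
    "invalid": RETURN, "userlock": RETURN,
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,  # priorities
}

def run_group(modules, overrides=None):
    """modules: list of (module_name, return_code) in configured order.
    overrides: {module_name: {return_code: action}}, e.g. notfound = return.
    Returns (group_result, names_of_modules_that_ran)."""
    overrides = overrides or {}
    result, best, ran = "noop", 0, []
    for name, code in modules:
        ran.append(name)
        action = {**DEFAULT_ACTIONS, **overrides.get(name, {})}[code]
        if action == RETURN:
            return code, ran          # group ends here with this code
        if action > best:             # higher priority wins the group result
            result, best = code, action
    return result, ran

# Constructed cases. Module order is an assumption (files, then ldap).
LDAP_NOTFOUND_RETURN = {"ldap": {"notfound": RETURN}}

if __name__ == "__main__":
    # As logged: ldap's notfound (priority 1) loses to files' ok (priority 3).
    print(run_group([("files", "ok"), ("ldap", "notfound")]))
    # With "notfound = return" on ldap, the group result becomes notfound.
    print(run_group([("files", "ok"), ("ldap", "notfound")], LDAP_NOTFOUND_RETURN))
    # With ldap listed first, files never runs, so it cannot set Auth-Type.
    print(run_group([("ldap", "notfound"), ("files", "ok")], LDAP_NOTFOUND_RETURN))
    # access_attr case: userlock returns immediately without any override.
    print(run_group([("files", "ok"), ("ldap", "userlock")]))
```

The model covers only the group result; what the server does with that result afterwards depends on the version and is not modelled here.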
Re: Authorization via LDAP Authentication via PAM
Hi all,

I am trying to get both authentication and authorisation through LDAP. While authentication works, authorisation still evades me. Ideas anybody?

Regards,
Michael Fuller

----- Original Message -----
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 28, 2002 5:14 PM
Subject: Re: Authorization via LDAP Authentication via PAM

On Tue, 28 May 2002, Allister Maguire wrote:

> Hello,
>
> I have got this working by setting:
>
> DEFAULT Auth-Type := pam
>         Fall-Through = 1
>
> In the users file. I also want to restrict dialin access to certain ldap users, so I changed the ldap filter:
>
> filter = (&(uid=%u)(msNPAllowDialin=TRUE))
>
> In the ldap {} module. Only problem is if I set msNPAllowDialin=FALSE, they still get an Access-Accept because the files, pam module return ok (I think).

You could also use the access_attr configuration directive. Then the module will return reject (well actually userlock) instead of notfound.

> modcall[authorize]: module ldap returns notfound
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type pam
> auth: type Pam
> modcall: entering group authenticate
> pam_pass: using pamauth string radiusd for pam.conf lookup
> pam_pass: authentication succeeded for ssaint
> modcall[authenticate]: module pam returns ok
> modcall: group authenticate returns ok
> Sending Access-Accept of id 1 to 127.0.0.1:32826
> Finished request 1
> Going to the next request
> Thread 2 waiting to be assigned a request
>
> How many need to fail, for the Access-Request to fail?

Check out the doc/configurable_failover. You could do something like this in your authorize section:

authorize{
    ldap{
        notfound = return
    }
    [...]
}

Hope it helps

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf