Re: Authorization via LDAP & Authentication via PAM

2002-05-29 Thread Kostas Kalevras

On Wed, 29 May 2002, Michael Fuller wrote:

> Hi all,
>
> I am trying to get both authentication and authorisation through LDAP. While
> authentication works, authorisation still evades me. Ideas anybody?
>
> Regards,
> Michael Fuller

authorize {
        files
        ldap
}

What is the problem you are facing? Send debugging logs showing where your
problem is.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Authorization via LDAP & Authentication via PAM

2002-05-28 Thread Kostas Kalevras

On Tue, 28 May 2002, Allister Maguire wrote:

> Hello,
>
> I have got this working by setting:
>
> DEFAULT Auth-Type := pam
> Fall-Through = 1
>
> In the users file.
>
> I also want to restrict dialin access to certain ldap users, so I
> changed the ldap filter:
>
> filter = (&(uid=%u)(msNPAllowDialin=TRUE))
>
> In the ldap {} module.
>
> Only problem is if I set msNPAllowDialin=FALSE, they still get an
> Access-Accept because the files, pam module return ok (I think).

You could also use the access_attr configuration directive. Then the module will
return reject (well actually userlock) instead of notfound.

>
>   modcall[authorize]: module ldap returns notfound
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type pam
> auth: type Pam
> modcall: entering group authenticate
> pam_pass: using pamauth string radiusd for pam.conf lookup
> pam_pass: authentication succeeded for ssaint
>   modcall[authenticate]: module pam returns ok
> modcall: group authenticate returns ok
> Sending Access-Accept of id 1 to 127.0.0.1:32826
> Finished request 1
> Going to the next request
> Thread 2 waiting to be assigned a request
>
> How many need to fail, for the Access-Request to fail?

Check out the doc/configurable_failover. You could do something like this in
your authorize section:

authorize {
        ldap {
                notfound = return
        }
        [...]
}

Hope it helps

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]  National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf


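To make the two suggestions in Kostas's reply concrete (the per-module `notfound = return` override from doc/configurable_failover, and `access_attr` making the ldap module return userlock), here is an added Python model of how the authorize section combines module return codes. It is written for this thread and is not FreeRADIUS code. The action/priority table, the rule that authorize may only continue after ok/updated/noop/notfound, and the "no Auth-Type means reject" step are my understanding of the 1.x defaults and are assumptions; the module names, return codes and scenarios are constructed to match the log quoted above.

```python
"""Model of how FreeRADIUS 1.x combines module return codes in 'authorize'.

Constructed example for this thread, not FreeRADIUS code.  The action table,
CONTINUE_CODES and the Auth-Type rule are assumptions based on my reading of
the 1.x defaults (doc/configurable_failover, modcall.c, auth.c); check them
against the version you actually run.
"""

RETURN = "return"

# Assumed default actions for the authorize section.  A number is a priority:
# a higher-priority code replaces the section's running result.  "return"
# stops the section at once and makes that module's code the section result.
AUTHORIZE_ACTIONS = {
    "reject": RETURN, "fail": RETURN, "handled": RETURN,
    "invalid": RETURN, "userlock": RETURN,
    "notfound": 1, "noop": 2, "ok": 3, "updated": 4,
}

# Section results after which the server keeps processing the request;
# anything else (reject, fail, invalid, userlock, ...) ends in a reject.
CONTINUE_CODES = {"ok", "updated", "noop", "notfound"}


def run_authorize(modules, results, overrides=None):
    """Walk a flat authorize section the way modcall does.

    modules   -- ordered module names, e.g. ["files", "ldap"]
    results   -- code each module would return, e.g. {"files": "ok"}
    overrides -- per-module action overrides, e.g. {"ldap": {"notfound": RETURN}}
    Returns (section_result, modules_actually_called).
    """
    overrides = overrides or {}
    result, priority, called = "notfound", 0, []
    for name in modules:
        code = results[name]
        called.append(name)
        action = {**AUTHORIZE_ACTIONS, **overrides.get(name, {})}[code]
        if action == RETURN:
            return code, called          # stop here, later modules never run
        if action > priority:
            result, priority = code, action
    return result, called


def decide(modules, results, overrides=None, auth_type_from="files"):
    """Outcome of one request: 'Access-Accept' or 'Access-Reject'.

    Simplification: Auth-Type is set only if the module named in
    auth_type_from (the users file with 'DEFAULT Auth-Type := pam') actually
    ran, and the PAM authentication itself is assumed to succeed.
    """
    section_result, called = run_authorize(modules, results, overrides)
    if section_result not in CONTINUE_CODES:
        return "Access-Reject"           # e.g. userlock from access_attr
    if auth_type_from not in called:
        return "Access-Reject"           # no Auth-Type found for the request
    return "Access-Accept"


if __name__ == "__main__":
    # Scenario 1: the log in the thread.  ldap finds nothing, but files
    # already returned ok and set Auth-Type, so the user is accepted.
    print(decide(["files", "ldap"], {"files": "ok", "ldap": "notfound"}))
    # Scenario 2: 'ldap { notfound = return }' with ldap listed before files.
    print(decide(["ldap", "files"], {"files": "ok", "ldap": "notfound"},
                 {"ldap": {"notfound": RETURN}}))
    # Scenario 3: same override, but ldap listed after files: Auth-Type is
    # already set, so the return happens too late.
    print(decide(["files", "ldap"], {"files": "ok", "ldap": "notfound"},
                 {"ldap": {"notfound": RETURN}}))
    # Scenario 4: access_attr makes ldap return userlock; order no longer matters.
    print(decide(["files", "ldap"], {"files": "ok", "ldap": "userlock"}))
```

Under these assumptions the model reproduces the quoted log (scenario 1: "module ldap returns notfound", "group authorize returns ok", Access-Accept) and shows why the two fixes differ: `notfound = return` only helps if the ldap module is listed before the module that sets Auth-Type, whereas a userlock result from `access_attr` ends the section and rejects the request wherever ldap sits in the list.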



Re: Authorization via LDAP & Authentication via PAM

2002-05-28 Thread Michael Fuller

Hi all,

I am trying to get both authentication and authorisation through LDAP. While
authentication works, authorisation still evades me. Ideas anybody?

Regards,
Michael Fuller

- Original Message -
From: Kostas Kalevras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 28, 2002 5:14 PM
Subject: Re: Authorization via LDAP & Authentication via PAM


> On Tue, 28 May 2002, Allister Maguire wrote:
>
> > Hello,
> >
> > I have got this working by setting:
> >
> > DEFAULT Auth-Type := pam
> > Fall-Through = 1
> >
> > In the users file.
> >
> > I also want to restrict dialin access to certain ldap users, so I
> > changed the ldap filter:
> >
> > filter = (&(uid=%u)(msNPAllowDialin=TRUE))
> >
> > In the ldap {} module.
> >
> > Only problem is if I set msNPAllowDialin=FALSE, they still get an
> > Access-Accept because the files, pam module return ok (I think).
>
> You could also use the access_attr configuration directive. Then the module will
> return reject (well actually userlock) instead of notfound.
>
> >
> >   modcall[authorize]: module ldap returns notfound
> > modcall: group authorize returns ok
> >   rad_check_password:  Found Auth-Type pam
> > auth: type Pam
> > modcall: entering group authenticate
> > pam_pass: using pamauth string radiusd for pam.conf lookup
> > pam_pass: authentication succeeded for ssaint
> >   modcall[authenticate]: module pam returns ok
> > modcall: group authenticate returns ok
> > Sending Access-Accept of id 1 to 127.0.0.1:32826
> > Finished request 1
> > Going to the next request
> > Thread 2 waiting to be assigned a request
> >
> > How many need to fail, for the Access-Request to fail?
>
> Check out the doc/configurable_failover. You could do something like this in
> your authorize section:
>
> authorize {
>         ldap {
>                 notfound = return
>         }
>         [...]
> }
>
> Hope it helps
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf

