Re: Please help ! newbie question

2001-11-28 Thread aland

Basavaraj Bendigeri [EMAIL PROTECTED] wrote:
 The 'users' file is just one authorization method out of many.  You
   allowed LDAP to be used, so when you disallowed the users file, LDAP
   was still permitted, and therefore it was used.
 
 Actually I was under the impression, that the user will be first
 checked against the users file and if the authorization was successful
 would then be handed over to LDAP. Isn't that how it is done?

  If you tell it to do that, yes.  If you tell it NOT to use the
'users' file, then my original comment is correct.

 I have one more question. This is regarding huntgroups. I assume
 huntgroups is for restricting users to certain groups, right?

  No.  Read the comments at the top of the huntgroups file.

 My question here is can I use the huntgroups file in the scenario
 wherein I am using LDAP as the authorization and authentication backend
 for radius and at the same time implement the above requirement.

  That may be possible.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Please help ! newbie question

2001-11-25 Thread aland

Basavaraj Bendigeri [EMAIL PROTECTED] wrote:
 My users file contains the directives :
 
 DEFAULT Auth-Type := LDAP
  Fall-Through = 1
 
 DEFAULT Auth-Type := System
  Fall-Through = 1

  Why?  You're setting the Auth-Type to LDAP, and then immediately
throwing that away, and setting it to System.  That makes no sense.

 However, I commented all the entries in the users file and tested the
 radius server with a different username, using the following command
 
 radtest guest hello123 localhost 10 testing123
 
 and it works fine too!!!
 
 NOTE: The user guest has a DN entry in the ldap directory.

  Yes, your debug log shows:

 modcall: group authorize returns ok
rad_check_password:  Found Auth-Type LDAP

  So something is setting Auth-Type to LDAP.  That's why the user is
being authenticated against the LDAP directory.

 The module files returns not found since there is no entry in the
 users file still the authorization is done with ldap . I was under
 the impression that if a user-name is not present in the users file
 then the user should be denied access OR am I doing something wrong
 here.

  The 'users' file is just one authorization method out of many.  You
allowed LDAP to be used, so when you disallowed the users file, LDAP
was still permitted, and therefore it was used.

  Alan DeKok.
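
Added example, not part of the original thread and not FreeRADIUS code: a simplified model of how the two DEFAULT entries quoted above are applied in order, showing that the first Auth-Type := LDAP is thrown away and that a fully commented-out users file sets nothing at all. It assumes only := check items and the Fall-Through reply item; the function names are hypothetical.

```python
import re

# Constructed sample: the two DEFAULT entries quoted in the thread.
USERS_FILE = """\
DEFAULT Auth-Type := LDAP
        Fall-Through = 1

DEFAULT Auth-Type := System
        Fall-Through = 1
"""
ASSIGN = re.compile(r"\s*([\w-]+)\s*:=\s*(\S+)\s*$")


def parse_entries(text):
    """Return [lineno, name, {attr: value}, fall_through] per entry, in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # assumption: no '#' inside values
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented: name + check items
            name, checks = (line.split(None, 1) + [""])[:2]
            found = (ASSIGN.match(c) for c in checks.split(","))
            entries.append([lineno, name, dict(m.groups() for m in found if m), False])
        elif entries:                             # indented: reply items
            for item in line.split(","):
                key, _, val = item.partition("=")
                if key.strip(" \t:") == "Fall-Through":
                    entries[-1][3] = val.strip().lower() in ("1", "yes")
    return entries


def resolve(text, user):
    """Apply matching entries in order; return (final config, discarded settings)."""
    config, discarded = {}, []
    for lineno, name, assigns, fall_through in parse_entries(text):
        if name not in (user, "DEFAULT"):
            continue
        for attr, value in assigns.items():
            if attr in config:                    # an earlier := is thrown away
                discarded.append((attr, *config[attr], value, lineno))
            config[attr] = (value, lineno)
        if not fall_through:                      # no Fall-Through: stop here
            break
    return {a: v for a, (v, _) in config.items()}, discarded


if __name__ == "__main__":
    print(resolve(USERS_FILE, "guest"))
    commented = "\n".join("#" + l for l in USERS_FILE.splitlines())
    print(resolve(commented, "guest"))
```

An empty result for the commented-out file means the users file contributes no Auth-Type of its own, so whatever another authorize module sets (LDAP in this thread) is what gets used.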
