LDAP with fallback on local authentication?

2009-04-08 Thread Justin Steward
Hi guys, I'm sure these are questions that have been asked a thousand times, but can't for the life of me find the answers I'm looking for. My first problem is this: I want to store reply attributes for my users in a MySQL database, however I want them to authenticate against an LDAP server. No p

Re: LDAP with fallback on local authentication?

2009-04-09 Thread Justin Steward
On Thu, Apr 9, 2009 at 10:27 PM, Alan DeKok wrote: > > $ man unlang > >... >ldap >if (fail) { >sql >} >... > Hi Alan, Thanks for the reply. Since SQL modules can't go in authenticate, this would have to be in authorize, yes? How then, woul

Re: LDAP with fallback on local authentication?

2009-04-10 Thread Justin Steward
On Fri, Apr 10, 2009 at 7:32 PM, Alan DeKok wrote: > Justin Steward wrote: > > Thanks for the reply. Since SQL modules can't go in authenticate, this > > would have to be in authorize, yes? How then, would I get the reply > > attributes out of the SQL database? Or am I

Re: LDAP with fallback on local authentication?

2009-04-10 Thread Justin Steward
On Fri, Apr 10, 2009 at 11:51 PM, Alan DeKok wrote: > Justin Steward wrote: > > I want to return some radius reply attributes from an SQL database, > > check the user's password against an openLDAP server > > As I said... LDAP isn't an authentication protocol.

Re: LDAP with fallback on local authentication?

2009-04-12 Thread Justin Steward
ql_reply > ldap > if (notfound | fail) { > sql_bkp_pass > } > ... > } > > Ah, thank you very much. I think I understand now. Will experiment with that when I get back to work on Tuesday. Many thanks, Justin Steward - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP with fallback on local authentication?

2009-04-13 Thread Justin Steward
On Mon, Apr 13, 2009 at 4:48 AM, Ivan Kalik wrote: > > You've mentioned a few times that LDAP is not meant for > authentication, however the default config that ships with FreeRADIUS has > LDAP in > > the authentication section. Could you clear that up a little for me > please? (or point me to

Multiple AD's and domains?

2009-07-21 Thread Justin Steward
Hi Guys, I have an upcoming project where the setup is going to be something along the following: Client logs in using their username/password for domain FreeRadius authenticates the user against the AD server for that domain There will be clients using the service from MULTIPLE different AD doma

Re: Multiple AD's and domains?

2009-07-21 Thread Justin Steward
On Wed, Jul 22, 2009 at 11:22 AM, Alan DeKok wrote: > However... they all need to be part of the same AD forest / whatever. > You CANNOT authenticate to two completely independent AD systems. This > is a fundamental limitation of AD. > > That's more or less what I was expecting. That is what I

Re: Multiple AD's and domains?

2009-07-22 Thread Justin Steward
On Wed, Jul 22, 2009 at 10:15 PM, Alan DeKok wrote: > Justin Steward wrote: > > And with regard to my other question, can I just use plain ol' LDAP to > > authenticate? A successful LDAP Bind is all I need for our purposes. > > That will work for PAP. > > Ok,

Password Policies?

2009-09-13 Thread Justin Steward
and "must have 2 numbers" can be handled easily enough in form processing on some sort of front end, however, is it possible to have a radius password expire after a set period of time, and then send back a specific message saying that the password has expired? (ie one month?) Many Than

Re: Password Policies?

2009-09-14 Thread Justin Steward
On Mon, Sep 14, 2009 at 6:25 PM, Ivan Kalik wrote: > > Yes. The only problem is that most supplicants will ignore this message > and never display it to the user. > > That's not a problem as I'll be extending the client application to add in the password policy mechanisms, I can force it to behav

LDAP/AD and multiple OU's

2009-09-14 Thread Justin Steward
Hi guys, A couple of quick questions just to make sure I don't end up chasing my own tail. Need to authenticate by doing a basic bind against an AD server. All users are contained in separate OU's below a primary OU. The relevant LDAP lines from radiusd -X are (with identifiable information remo

Re: Password Policies?

2009-09-14 Thread Justin Steward
On Tue, Sep 15, 2009 at 8:31 AM, Alan DeKok wrote: > Then it has to go into a Reply-Message attribute. > > Unless you're doing EAP. In which case you have to extend the EAP > authentication method to handle sending messages inside of EAP. > http://wiki.freeradius.org/Radiusd.conf Has a short

Re: EAP-FAST and GTC

2009-09-14 Thread Justin Steward
On Tue, Sep 15, 2009 at 9:51 AM, Matthew Benjamin wrote: > > > No, every time I go to the website it tells me about database errors. > Is there something wrong with the Freeradius wiki? > > Just refresh the page a few times, and it'll sort itself out. I'm guessing it's under a fairly heavy load or

Re: LDAP/AD and multiple OU's

2009-09-15 Thread Justin Steward
> > > That's not a good way. It will work only for pap requests. > > http://deployingradius.com/documents/configuration/active_directory.html > > Good way or not, it's the only viable option for what I need to achieve, so any help on what I asked for would be much appreciated. Many Thanks, Justin

Re: LDAP/AD and multiple OU's

2009-09-15 Thread Justin Steward
On Tue, Sep 15, 2009 at 11:00 PM, Danner, Mearl wrote: > The default LDAP search in freeradius is sub (search all subcontainers from > supplied root DN). > Many thanks. > As to using UID: > > You'll need to search sAMAccountName in AD to ensure that the name is unique. > > I don't believe that u

Re: Configuration of FreeRADIUS on Ubuntu/Debian with OPEN-LDAP Authentication

2009-09-28 Thread Justin Steward
On Tue, Sep 29, 2009 at 12:45 AM, Ryaz Khan wrote: > I googled it lot but did not come to any comprehensive solution. You'll probably learn this the hard way anyway, but don't try to google for freeradius. Most of those hits will be outdated, even if it is on the topic you're searching for. 1) S

LDAP, old TCP connections, and retry

2010-03-09 Thread Justin Steward
way to force FR to make 1 or 2 attempts at retrying the connection before giving up on LDAP? The current situation is causing many headaches trying to log in, and the client is reluctant to relax their firewall for a number of reasons. Many Thanks, Justin Steward

Re: LDAP, old TCP connections, and retry

2010-03-10 Thread Justin Steward
headaches trying to log in, and >> the client is reluctant to relax their firewall for a number of >> reasons. > > They chose to destroy their own network. I'm not surprised > they're hesitant to fix it. I think the main problem is their firewall vendor thinks that

Re: LDAP, old TCP connections, and retry

2010-03-14 Thread Justin Steward
h that would enable keepalives? Many Thanks, Justin Steward

Re: LDAP, old TCP connections, and retry

2010-03-14 Thread Justin Steward
Please ignore previous email. Employer has decided best course of action is to pass on as much info as possible, and let client fix firewall. On Mon, Mar 15, 2010 at 12:06 PM, Justin Steward wrote: > On Wed, Mar 10, 2010 at 6:34 PM, Alan DeKok wrote: >>  Change the source code in