Re: MAC authorisation (but not authentication) via LDAP

This is a discussion on Re: MAC authorisation (but not authentication) via LDAP within the FreeRADIUS Users forums, part of the Networking and Network Related category.


02-25-2007
Markus Krause
 

Quoting Phil Mayers <p.mayers@imperial.ac.uk>:
> Markus Krause wrote:
>
>> i am not sure if your approach could really fulfill my needs (no
>> redundancy, serving different types of "requests") ... but i would
>> really like to know ;-)

>
> Hmm.
>
> Without more details it's difficult to say, but what you need does not
> sound excessively difficult. At most, Autz-Type should suffice. Why are
> you finding you need to set Auth-Type?

i thought this is necessary as i use redundant sections.
in users i have something like:

DEFAULT Huntgroup-Name == vpn, Autz-Type := LdapUser, Auth-Type := LdapUser

some parts of my radiusd.conf:
----- radiusd.conf parts
modules {
    ...
    ldap LdapUser1 {
        .... ldapserv1
    }

    ldap LdapUser2 {
        .... ldapserv2
    }
    ...
}

authorize {
    ...
    Autz-Type LdapUser {
        redundant {
            LdapUser1
            LdapUser2
        }
    }
    ...
}

authenticate {
    ...
    Auth-Type LdapUser {
        redundant {
            LdapUser1
            LdapUser2
        }
    }
    ...
}
-----

it seems that if the authorization is successfully done by LdapUser1
the Auth-Type is set to LdapUser1. if i do not set it to LdapUser in the
file users i get the error message "No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user". if i set
Auth-Type to LdapUser in users it works. it also works without setting
this if i do not use redundant settings (just call the module LdapUser).

> The ldap module can be peculiar in this regard - are you authenticating
> the users by doing simple bind, or are you extracting the passwords from
> ldap and using rlm_pap and such?

i am just authenticating by doing simple bind.

if i should post more details please let me know!

with best regards
markus
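
A small lint for the situation described in the post above, as an added example that is not part of the original post and not FreeRADIUS code. It assumes, as the poster reports, that a named ldap instance sets Auth-Type to its own instance name, and it lists the instances that have no matching Auth-Type section in authenticate; the sample config is constructed from the layout in the post, and the parser only handles simple brace-delimited sections.

```python
# Constructed sample following the layout in the post; the elided settings are left out.
SAMPLE_CONF = """
modules {
    ldap LdapUser1 {
    }
    ldap LdapUser2 {
    }
}
authenticate {
    Auth-Type LdapUser {
        redundant {
            LdapUser1
            LdapUser2
        }
    }
}
"""

def parse(text):
    """Parse brace-delimited sections into (name, children); leaf items get children=None."""
    root = ("root", [])
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if line.endswith("{"):
            node = (line[:-1].strip(), [])
            stack[-1][1].append(node)
            stack.append(node)
        elif line == "}":
            stack.pop()
        elif line:
            stack[-1][1].append((line, None))
    return root

def named_subsections(root, section, keyword):
    """Second names of '<keyword> <name> { ... }' blocks directly inside <section>."""
    names = set()
    for name, kids in root[1]:
        if name == section and kids is not None:
            names |= {n.split()[1] for n, k in kids
                      if k is not None and n.split()[:1] == [keyword] and len(n.split()) == 2}
    return names

def instances_without_auth_type(text, module="ldap"):
    """Assumption from the post: each instance sets Auth-Type to its own instance name."""
    root = parse(text)
    return sorted(named_subsections(root, "modules", module)
                  - named_subsections(root, "authenticate", "Auth-Type"))
```

An instance listed by `instances_without_auth_type` is only a problem when nothing else overrides Auth-Type; forcing `Auth-Type := LdapUser` in users, the workaround the post describes, points the request at a section that does exist.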

