{{ ansible_managed | comment }}
# Virtual server for requests carried inside the EAP tunnel.
# Module order inside each section is significant; do not reorder.
server inner-aurore {
    authorize {
        # Log the incoming inner request. This runs before filter_username
        # and filter_inner_identity, so the identity has not been
        # sanity-checked when it is logged.
        # NOTE(review): the linelog_inner_* instances are defined elsewhere;
        # confirm their format strings escape attribute values and never
        # expand User-Password.
        linelog_inner_authz_user
        filter_username
        filter_inner_identity
        split_username_nai

        # Don't proxy requests from inner tunnel
        update control {
            &Proxy-To-Realm := LOCAL
        }

        # Must be before 'ldap', so that we don't query the LDAP server
        # for "internal" packets (cf. documentation for
        # sites-available/inner-tunnel)
        inner-eap {
            ok = return
        }

        ldap

        # See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
        # Select LDAP bind authentication only when the preceding ldap call
        # returned ok or updated and the request carries a User-Password.
        # Requests without User-Password never get Auth-Type := ldap here.
        if ((ok || updated) && User-Password) {
            update control {
                Auth-Type := ldap
            }
        }

        # NOTE(review): Auth-Type may already be ldap at this point; pap is
        # expected to leave an existing Auth-Type in place. Confirm.
        pap
    }

    authenticate {
        inner-eap

        # Authenticate using 'Auth-Type = LDAP'
        # This is not recommended by FreeRADIUS (cf. documentation for
        # sites-available/default), but the password hashing scheme used
        # by 389DS is not yet supported by FreeRADIUS 3
        # (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
        #
        # NOTE(review): bind authentication forwards the user's cleartext
        # password to the directory on every login. The ldap module
        # configuration is not visible in this file; confirm it uses
        # ldaps:// or start_tls with certificate verification (require_cert).
        ldap
    }

    post-auth {
        # Runs for requests that were not rejected.
        linelog_inner_postauth

        # Rejected requests are handled here instead, using the same linelog
        # instance, so failed attempts are recorded as well.
        Post-Auth-Type reject {
            linelog_inner_postauth
        }
    }
}