{{ ansible_managed | comment }}
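server inner-aurore {
    #
    #  Inner-tunnel virtual server: the outer server hands the decrypted
    #  request of a tunnelled EAP method (PEAP/TTLS) to this server. Users
    #  are looked up in LDAP and, when a clear-text password arrived inside
    #  the tunnel, authenticated by an LDAP bind (see 'authenticate' below).
    #  Results that the outer server needs (VLAN, failure reason) are handed
    #  back through outer.session-state.
    #
    authorize {
        linelog_inner_authz_user
        filter_username
        filter_inner_identity
        split_username_nai

        #  Don't proxy requests from inner tunnel
        update control {
            Proxy-To-Realm := LOCAL
        }

        #  Must be before 'ldap', so that we don't query the LDAP server
        #  for "internal" packets (cf. documentation for
        #  sites-available/inner-tunnel).
        #
        #  The stock inner-tunnel stops on both "ok" and "updated": per the
        #  comments in sites-available/default, rlm_eap returns either code
        #  while the inner EAP conversation is still in progress. With only
        #  "ok = return", packets for which eap returns "updated" would fall
        #  through to the LDAP lookup below, which is exactly what this
        #  block is meant to avoid.
        eap_inner {
            ok = return
            updated = return
        }

        ldap

        #  See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
        #
        #  Switch to the LDAP bind only when the ldap module found the user
        #  ("ok" / "updated") AND a clear-text password was received inside
        #  the tunnel (presumably TTLS/PAP or PEAP/GTC style inner methods).
        #  NOTE(review): the bind forwards that clear-text password to 389DS,
        #  so the ldap module's connection must be TLS-protected (ldaps:// or
        #  start_tls) -- not visible from this file, verify in
        #  mods-available/ldap.
        if ((ok || updated) && &User-Password) {
            update control {
                Auth-Type := ldap
            }
        }

        #  Left in place for requests that did not take the LDAP path above;
        #  presumably a no-op once Auth-Type is already set.
        pap
    }

    authenticate {
        eap_inner

        #  Authenticate using 'Auth-Type = LDAP'
        #  This is not recommended by FreeRADIUS (cf. documentation for
        #  sites-available/default), but the password hashing scheme used
        #  by 389DS is not yet supported by FreeRADIUS 3
        #  (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
        #
        #  NOTE(review): an LDAP bind needs the clear-text password, so inner
        #  methods that only carry a challenge/response (e.g. MSCHAPv2)
        #  cannot use this path; there is no mschap handling in this server,
        #  so such methods are presumably not expected here -- confirm.
        ldap
    }

    post-auth {
        #  Hand the VLAN assignment from the inner reply up to the outer
        #  server via session-state; the outer server is expected to copy
        #  outer.session-state into its own reply (not visible here).
        #  NOTE(review): only Tunnel-Private-Group-ID is copied -- if the
        #  outer server does not add Tunnel-Type / Tunnel-Medium-Type itself,
        #  the NAS may ignore the VLAN; verify against the outer server.
        if (&reply:Tunnel-Private-Group-ID) {
            update outer.session-state {
                Tunnel-Private-Group-ID := &reply:Tunnel-Private-Group-ID
            }
        }

        linelog_inner_postauth

        #  On reject, let the outer session know which module failed and why,
        #  and log the inner rejection as well.
        Post-Auth-Type reject {
            update outer.session-state {
                &Module-Failure-Message := &request:Module-Failure-Message
            }
            linelog_inner_postauth
        }
    }
}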