ansible/roles/freeradius/templates/sites-available/inner-aurore.j2

{{ ansible_managed | comment }}
# Virtual server that processes the inner (tunnelled) part of an EAP
# exchange for auro.re. It is selected by the outer EAP configuration
# (see the comments below referring to sites-available/inner-tunnel).
# Section order matters in unlang: modules and conditions run top to
# bottom, and an earlier 'return' or Auth-Type assignment decides what
# the later ones see.
server inner-aurore {
authorize {
# Look for realm using the 'suffix' format (user@realm)
# The realm module strips the suffix and leaves the bare user name
# (Stripped-User-Name) for the modules that follow.
suffix
# Don't proxy requests from inner tunnel
update control {
&Proxy-To-Realm := LOCAL
}
# TODO: check that the realm is either empty or 'auro.re'
# NOTE(review): until that check exists, any realm a client sends is
# stripped above and the request is forced LOCAL, so a foreign realm is
# not rejected here but looked up in LDAP under its bare user name.
# Must be before 'ldap', so that we don't query the LDAP server
# for "internal" packets (cf. documentation for
# sites-available/inner-tunnel)
# 'ok = return': when inner-eap returns ok, leave authorize at once
# (the EAP module has taken the packet; no LDAP lookup is needed).
inner-eap {
ok = return
}
# Look the (stripped) user up in the directory.
ldap
# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
# Only force LDAP authentication when the lookup succeeded (ok or
# updated) and the request carries a clear-text User-Password, i.e. a
# password-based inner method; otherwise leave Auth-Type to EAP.
if ((ok || updated) && User-Password) {
update control {
Auth-Type := ldap
}
}
# pap only sets Auth-Type = PAP when none has been set yet, so the
# 'ldap' Auth-Type chosen above takes precedence when it applies.
pap
}
authenticate {
inner-eap
# Authenticate using 'Auth-Type = LDAP'
# This is not recommended by FreeRADIUS (cf. documentation for
# sites-available/default), but the password hashing scheme used
# by 389DS is not yet supported by FreeRADIUS 3
# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
# NOTE(review): this binds to the directory with the user's clear-text
# password, so that password reaches 389DS over the ldap module's
# transport — confirm TLS is enforced in the ldap module configuration.
ldap
}
post-auth {
# Log rejected inner authentications.
# log_auth_inner is defined elsewhere (presumably a logging module
# such as linelog or detail); confirm in the module configuration.
Post-Auth-Type REJECT {
log_auth_inner
}
# Log accepted inner authentications.
log_auth_inner
}
}