
{{ ansible_managed | comment }}
#
# Inner virtual server for the TLS-protected EAP tunnel. Requests reaching
# this server carry the user's inner identity and, for PAP-style inner
# methods, the clear-text User-Password; the outer TLS tunnel is what
# protects them on the wire.
# NOTE(review): which EAP methods hand their inner requests to this server
# is configured in the eap module instance, not in this file -- confirm.
#
server inner-aurore {
	authorize {
		# Log the inner identity exactly as received, i.e. before the
		# username filters below have had a chance to rewrite or reject it.
		linelog_inner_authz_user
		# Sanity-check the inner User-Name and its relationship to the
		# outer identity, then split off the NAI realm.
		filter_username
		filter_inner_identity
		split_username_nai
		# Don't proxy requests from inner tunnel
		update control {
			&Proxy-To-Realm := LOCAL
		}
		# Must be before 'ldap', so that we don't query the LDAP server
		# for "internal" packets (cf. documentation for
		# sites-available/inner-tunnel)
		inner-eap {
			ok = return
		}
		# Directory lookup / authorization only. The password is not
		# verified here; that happens in 'authenticate' below.
		ldap
		# See https://github.com/FreeRADIUS/freeradius-server/blob/master/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc
		# If the directory knows the user (ldap returned ok or updated) and
		# the inner request carries a clear-text password, authenticate by
		# binding to LDAP as the user instead of comparing against a
		# fetched password hash.
		if ((ok || updated) && User-Password) {
			update control {
				Auth-Type := ldap
			}
		}
		# Auth-Type has already been forced above for known LDAP users, so
		# 'pap' is expected to leave it alone for them.
		# NOTE(review): 'authenticate' below defines no 'Auth-Type PAP'
		# handler, so any request for which pap *does* set Auth-Type
		# would fail at authentication -- confirm this is the intent.
		pap
	}
	authenticate {
		# Inner EAP methods whose Auth-Type was set by 'inner-eap' in
		# 'authorize'.
		inner-eap
		# Authenticate using 'Auth-Type = LDAP'
		# This is not recommended by FreeRADIUS (cf. documentation for
		# sites-available/default), but the password hashing scheme used
		# by 389DS is not yet supported by FreeRADIUS 3
		# (cf. https://github.com/FreeRADIUS/freeradius-server/issues/2649)
		#
		# Consequence: the user's clear-text password is sent to the
		# directory on every bind. The transport to the directory (TLS or
		# not) is set in the ldap module instance, not here.
		# NOTE(review): confirm that connection is encrypted.
		ldap
	}
	post-auth {
		# Log successful inner authentications.
		linelog_inner_postauth
		# The main post-auth body does not run for rejected requests; the
		# REJECT sub-section is what logs failures.
		Post-Auth-Type reject {
			linelog_inner_postauth
		}
	}
}