rlm_ldap behavior: authorize v.s. authenticate

Brian A. Seklecki lavalamp at spiritual-machines.org
Fri Dec 9 21:55:51 CET 2005


On Fri, 9 Dec 2005, Dusty Doris wrote:

>>> From reading debug logs, am I correct in concluding that rlm_ldap's

>> Correct, as the default behavior?
>
> Sounds right to me.

I have to ask then:

If on the authorization stage, the module can read (and cache) the entire 
DN's attribute set (actually, any DN in the LDAP), why does it need to use 
a "re-connect as the user" method for authentication?  If the password is in 
cleartext, comparison is easy.  If it's in SSHA/SHA/MD5/blowfish/crypt, 
then the comparison can happen against those algorithms.

~BAS
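
The local comparison the message asks about, sketched as an added example (not part of the original post and not rlm_ldap's code). It assumes the caller has already read the entry's `userPassword` value, which requires the directory to expose that attribute to the reading account; `make_ssha` and `check_userpassword` are hypothetical names.

```python
import base64
import hashlib
import hmac


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build a constructed {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_userpassword(stored: str, candidate: bytes) -> bool:
    """Compare a candidate password with a userPassword value read from LDAP.

    Handles cleartext, {SHA}, {MD5} and {SSHA}; other schemes are refused
    rather than guessed at.
    """
    if not stored.startswith("{"):
        # No scheme prefix: the stored value is the cleartext password.
        return hmac.compare_digest(stored.encode(), candidate)

    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

    if scheme == "SSHA":
        if len(raw) <= 20:  # 20-byte SHA-1 digest must be followed by a salt
            return False
        digest, salt = raw[:20], raw[20:]
        calc = hashlib.sha1(candidate + salt).digest()
    elif scheme == "SHA":
        digest, calc = raw, hashlib.sha1(candidate).digest()
    elif scheme == "MD5":
        digest, calc = raw, hashlib.md5(candidate).digest()
    else:
        raise ValueError("unsupported userPassword scheme: " + scheme)

    # Constant-time comparison so timing does not leak digest prefixes.
    return hmac.compare_digest(digest, calc)


if __name__ == "__main__":
    sample = make_ssha(b"s3cret", b"\x01\x02\x03\x04")  # constructed value
    print(sample, check_userpassword(sample, b"s3cret"))
```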
