rlm_ldap behavior: authorize vs. authenticate
Alan DeKok
aland at ox.org
Fri Dec 9 23:11:20 CET 2005
"Brian A. Seklecki" <lavalamp at spiritual-machines.org> wrote:
> If on the authorization stage, the module can read (and cache) the entire
> DN's attribute set (actually, any DN in the LDAP), why does it need to use
> a "re-connect as the user" method for authentication?
Because some LDAP servers don't supply the password.
Also, some administrators use LDAP only for authentication.
> If the password is in cleartext, comparison is easy. If it's in
> SSHA/SHA/MD5/blowfish/crypt, then the comparison can happen against
> those algorithms.
Which is the default behavior of the server.
Alan DeKok.
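As an added illustration, not code from this thread or from rlm_ldap itself: a small Python model of the two paths discussed above, comparing locally against an RFC 2307 style userPassword when the authorize-stage search returned one, and falling back to a bind as the user when the server does not supply the attribute. The directory entries, salt and bind stub are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample of what an authorize-stage search might return.
# carol has no userPassword: the server does not expose it, so only a
# bind as that user can check her password.
SALT = b"\x01\x02\x03\x04"
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "userPassword": b"{SSHA}" + base64.b64encode(
            hashlib.sha1(b"alice-pw" + SALT).digest() + SALT)},
    "uid=bob,ou=people,dc=example,dc=org": {
        "userPassword": b"{SHA}" + base64.b64encode(
            hashlib.sha1(b"bob-pw").digest())},
    "uid=carol,ou=people,dc=example,dc=org": {},
}

def check_stored_password(stored: bytes, candidate: str) -> bool:
    """Compare a cleartext candidate against a {SCHEME}base64 userPassword."""
    pw = candidate.encode()
    if not stored.startswith(b"{"):
        return hmac.compare_digest(stored, pw)      # cleartext in the directory
    scheme, _, data = stored[1:].partition(b"}")
    raw = base64.b64decode(data)
    if scheme == b"SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == b"SSHA":                           # salt follows the 20-byte digest
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if scheme == b"MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    raise ValueError(f"unsupported scheme {scheme!r}")

def simulated_bind(dn: str, candidate: str) -> bool:
    """Constructed stand-in for re-connecting to the LDAP server as the user."""
    return dn.startswith("uid=carol,") and candidate == "carol-pw"

def authenticate(dn: str, candidate: str) -> str:
    """Report which path decided the result and whether it succeeded."""
    attrs = ENTRIES.get(dn)
    if attrs is None:
        return "unknown-user"
    stored = attrs.get("userPassword")
    if stored is not None:                          # password attribute was supplied
        return "compare:ok" if check_stored_password(stored, candidate) else "compare:fail"
    return "bind:ok" if simulated_bind(dn, candidate) else "bind:fail"
```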