Default radiusd.conf and Auth-Type LDAP comment
Alan DeKok
aland at deployingradius.com
Thu Sep 21 23:02:01 CEST 2006
Thibault Le Meur <Thibault.LeMeur at supelec.fr> wrote:
> * the inner PAP authentication is "processed" by the ldap module in
> which I don't need to define which password hashing method is used (I
> use at least CRYPT _and_ MD5 in the same directory for historical
> reasons)
Version 2.0 has fixes that make it much easier to handle multiple
hashing types in the same LDAP database.
> * I don't need to have freeradius _read_ the passwords from the
> directory: the DN identity defined in the ldap module can only have
> auth and read access to radius entries but not to the passwords (which
> in my point of view is more secure)
If all you're doing is PAP, sure. Most wireless deployments use
PEAP, and then people wonder why "bind as user" doesn't work. It's
frustrating.
> Again, I might not have caught your meaning: Are you saying that in the
> future the standard ldap module will be only an authorization module,
> and that a new ldap_bind module could be used in the authenticate
> section?
I think it's a good idea.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
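
An added example, not part of the original thread and not FreeRADIUS code: one way a server that does read the stored value can check a PAP password against a directory mixing several hashing schemes, by dispatching on the `{SCHEME}` header of each value. It assumes RFC 2307-style `userPassword` prefixes; the function names and sample entries are constructed for illustration.

```python
import base64, hashlib, hmac

try:
    import crypt  # crypt(3) wrapper; absent on Windows and from Python 3.13 on
except ImportError:
    crypt = None

# scheme -> (hashlib algorithm, digest length, salted?)
DIGESTS = {"MD5": ("md5", 16, False), "SMD5": ("md5", 16, True),
           "SHA": ("sha1", 20, False), "SSHA": ("sha1", 20, True)}

# Constructed sample entries (the password is "password" in both cases).
SAMPLE_ENTRIES = {
    "alice": "{MD5}X03MO1qnZdYdgyfeuILPmQ==",
    "bob": "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
}

def split_header(stored):
    """Split '{SCHEME}data' into (SCHEME, data); no header means cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, data = stored[1:].split("}", 1)
        return scheme.upper(), data
    return "CLEARTEXT", stored

def verify_pap(password, stored):
    """True/False for a match; None if the scheme cannot be checked here."""
    scheme, data = split_header(stored)
    pw = password.encode()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(pw, data.encode())
    if scheme == "CRYPT":
        if crypt is None:
            return None
        result = crypt.crypt(password, data)  # the stored value carries the salt
        return result is not None and hmac.compare_digest(result.encode(), data.encode())
    if scheme not in DIGESTS:
        return None
    algo, dlen, salted = DIGESTS[scheme]
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:
        return False  # malformed base64 never matches
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or bool(salt) != salted:
        return False
    return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
```

This only applies when the server receives the cleartext password, as with PAP, and has read access to the stored value.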