Re: Default radiusd.conf and Auth-Type LDAP comment



Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:

* the inner PAP authentication is "processed" by the ldap module in
which I don't need to define which password hashing method is used (I
use at least CRYPT _and_ MD5 in the same directory for historical
reasons)


 Version 2.0 has fixes that make it much easier to handle multiple
hashing types in the same LDAP database.
Yes, I remember having read something about this in the list... I'm longing to test this release ;-) 


* I don't need to have freeradius _read_ the passwords from the
directory: the DN identity defined in the ldap module can only have
auth and read access to radius entries but not to the passwords (which
in my point of view is more secure)


 If all you're doing is PAP, sure.  Most wireless deployments use
PEAP, and then people wonder why "bind as user" doesn't work.  It's
frustrating.
I understand (It's true that this list is nearly 30% about this kind of issue despite the faqs on this) :-( 


Again, I might not have caught your meaning: Are you saying that in the
future the standards ldap module will be only an authorization module,
and that a new ldap_bind module could be used in the authenticate
section ?


 I think it's a good idea.
Why not indeed ... (as long as there's a new ldap_bind module to replace the ldap 'authentication' part ;-) ). 

Thanks for this reply and for this great opensource project.

Regards,
Thibault
This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.