LDAP Config Clarification

Jason Frisvold xenophage0 at gmail.com
Tue Mar 17 16:00:51 CET 2009


On Mar 17, 2009, at 5:37 AM, Alan DeKok wrote:
>  Likely because the LDAP connections time out, and are closed.

>  Yes... that little traffic will result in LDAP connection timeouts.

Hrm... Ok, I can accept that.  Is there a way to force a keepalive
or something?

>> In our users file, we have the following :
>>
>> DEFAULT Auth-Type := Reject
>>        Fall-Through = 1
>
>  Huh?  Why?

I *thought* this was required, but apparently not?

>  Do you really want to accept these users without checking their
> passwords?  That's a *very* bad idea.

I agree.  What am I missing?  I thought the user passwords were  
checked by the ldap module via the authentication section.  Is that  
not correct?

>  The group membership configurations should ensure that it's using the
> memberOf attribute.

Can you give me an example please?  I'm not sure I understand...

>  Why are you not checking passwords?  That's a bad idea...

I thought I was...  Do I need more than this?

authenticate {
   Auth-Type LDAP {
      ldap
   }
}

>  If you don't use a module, you can delete all references to it.  It
> will make some *minor* difference in performance.  But if you're getting
> a few requests a minute, that difference will be minuscule.

It's more of a "don't use it if you don't need it" philosophy,  
really..  Cleans up debug output too, when I'm trying to figure out  
what's going on ..

>  Alan DeKok.

Thanks for the help!

-- 
Jason 'XenoPhage' Frisvold
XenoPhage0 at gmail.com
http://blog.godshell.com




More information about the Freeradius-Users mailing list