LDAP Config Clarification

tnt at kalik.net tnt at kalik.net
Tue Mar 17 17:48:08 CET 2009


>>  Do you really want to accept these users without checking their
>> passwords?  That's a *very* bad idea.
>
>I agree.  What am I missing?  I thought the user passwords were
>checked by the ldap module via the authentication section.  Is that
>not correct?
>

Remove those entries in the users file. They are bypassing password checking.
If you want to accept only some LDAP groups, use unlang. Something like:

# authorize section: accept only members of the listed LDAP groups
if (Ldap-Group == something || Ldap-Group == something_else) {
     ok
}
else {
     # not in an allowed group: reject before authentication runs
     update control {
          Auth-Type := Reject
     }
}

>>  The group membership configurations should ensure that it's using the
>> memberOf attribute.
>
>Can you give me an example please?  I'm not sure I understand...
>

Example is the default group membership query in raddb/modules/ldap.

>>  Why are you not checking passwords?  That's a bad idea...
>
>I thought I was...  Do I need more than this?
>
>authenticate {
>   Auth-Type LDAP {
>      ldap
>   }
>}

Yes. Auth-Type LDAP needs to be set. If you force Auth-Type Accept in the
users file, this will never be used.

Ivan Kalik
Kalik Informatika ISP
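
The following puts the advice in this thread together as one configuration. It is an added example, not part of the original message or of the FreeRADIUS distribution. It assumes FreeRADIUS 2.x with the default virtual server in raddb/sites-enabled/default, an ldap module instance configured in raddb/modules/ldap (including its group membership query), and two hypothetical LDAP group names, "staff" and "vpn-users". The first fragment is the weak setting the thread warns about; the second is the corrected layout.

```unlang
# --- WEAK: raddb/users -------------------------------------------------
# This DEFAULT entry forces Auth-Type Accept for every user. The
# authenticate section (and therefore the LDAP bind) is never reached,
# so any password is accepted. Remove entries like this.
DEFAULT Auth-Type := Accept
        Reply-Message = "Welcome"

# --- CORRECTED: raddb/sites-enabled/default ----------------------------
authorize {
        preprocess

        # Look the user up in LDAP. With no Auth-Type set elsewhere, the
        # ldap module sets Auth-Type := LDAP when it finds the user, so
        # the password is later checked by binding as that user.
        ldap

        # Group gating via unlang. Each Ldap-Group comparison runs the
        # membership query configured in raddb/modules/ldap (memberOf or
        # a group search); group names here are assumed for the example.
        if (Ldap-Group == "staff" || Ldap-Group == "vpn-users") {
                ok
        }
        else {
                # Overrides the Auth-Type the ldap module set above, so
                # users outside the allowed groups are rejected outright.
                update control {
                        Auth-Type := Reject
                }
        }
}

authenticate {
        # Reached only when Auth-Type is LDAP, i.e. no users-file entry
        # forced Accept. The ldap module binds with the supplied password.
        Auth-Type LDAP {
                ldap
        }
}
```

Run radiusd -X and test with radtest: a user in one of the groups with a wrong password should be rejected by the LDAP bind, and a user with a correct password but outside both groups should be rejected by the authorize section before authenticate runs.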



