LDAP Config Clarification

Alan DeKok aland at deployingradius.com
Wed Mar 18 13:11:15 CET 2009


Jason Frisvold wrote:
>>> DEFAULT Auth-Type := Reject
>>>        Fall-Through = 1
>>
>>  Huh?  Why?
> 
> I *thought* this was required, but apparently not?

  No.  The server will automatically reject anyone who isn't authenticated.

  As a hint, the default config does *not* have that entry.  So adding
it is likely "unusual".

>>  Do you really want to accept these users without checking their
>> passwords?  That's a *very* bad idea.
> 
> I agree.  What am I missing?  I thought the user passwords were checked
> by the ldap module via the authentication section.  Is that not correct?

  Yes, they can be.  But you're telling the server to *not* check
passwords.  "Just accept the users... they're fine".

>>  The group membership configurations should ensure that it's using the
>> memberOf attribute.
> 
> Can you give me an example please?  I'm not sure I understand...

  See raddb/modules/ldap.  Group checking is documented in the comments
there.

>>  Why are you not checking passwords?  That's a bad idea...
> 
> I thought I was...  Do I need more than this?

  You need to use the *default* configuration files.  Start with them.
Configure LDAP, and un-comment the references to "ldap" from the various
places in raddb/*.  It should then work.

  Alan DeKok.
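  As an added illustration of the points in this reply (not text from the
original post, and not copied from the FreeRADIUS project files), the
fragments below contrast the kind of raddb/users entry being warned against
with one that leaves password checking to the ldap module and uses the
Ldap-Group check item for membership.  The server name, base DN, the group
name "vpn-users" and the forced Accept entry are assumptions for the
example; the module options shown are the FreeRADIUS 2.x raddb/modules/ldap
ones, but their values have to match your directory.

```text
# --- raddb/users: the pattern being objected to (assumed, for illustration) ---
# A forced Auth-Type := Accept makes the server skip the password check
# entirely ("just accept the users... they're fine").  The DEFAULT Reject
# below it, with Fall-Through, adds nothing: an unauthenticated user is
# rejected anyway, and that entry is not in the default configuration.
DEFAULT Auth-Type := Accept
        Fall-Through = 1
DEFAULT Auth-Type := Reject
        Fall-Through = 1

# --- raddb/users: corrected ---
# No forced Auth-Type.  With "ldap" un-commented in authorize, the ldap
# module sets Auth-Type := LDAP when it cannot read a password from the
# directory, and the authenticate section then binds as the user, so the
# password is actually checked.
#
# Ldap-Group is the check item supplied by rlm_ldap.  Members of the
# assumed "vpn-users" group match this entry and processing stops (no
# Fall-Through), so they never reach the Reject entry below.
DEFAULT Ldap-Group == "vpn-users"
        Reply-Message = "Welcome"

# Everyone else falls to this entry.  Unlike the quoted config it has no
# Fall-Through and only applies after the group check above has failed.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of vpn-users"

# --- raddb/modules/ldap: group lookup via memberOf (assumed values) ---
ldap {
        server = "ldap.example.com"
        basedn = "dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # Read the user's group names from the memberOf attribute of the
        # user's own entry instead of searching group objects.
        groupname_attribute = cn
        groupmembership_attribute = memberOf
}

# --- raddb/sites-enabled/default: un-comment "ldap" in both sections ---
authorize {
        preprocess
        files
        ldap
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
}
```

  A quick way to confirm the password is really being checked is to run
the server in debug mode (radiusd -X) and send a request with a wrong
password: the debug output should show the ldap bind failing and an
Access-Reject, not an Access-Accept.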
