LDAP Config Clarification

Jason Frisvold xenophage0 at gmail.com
Wed Mar 18 16:03:58 CET 2009


Alan DeKok wrote:
>   No.  the server will automatically reject anyone who isn't authenticated.
> 
>   As a hint, the default config does *not* have that entry.  So adding
> it is likely "unusual".

You are, of course, correct...  :)  I believe we resolved this now,
however.  I removed the default reject and updated the ldap groups with
this :

DEFAULT Ldap-Group != "cn=vpn,ou=groups,o=myorg", Auth-Type := Reject

DEFAULT Ldap-Group == "cn=admin,ou=groups,o=myorg"
        Class = ADMIN

DEFAULT Ldap-Group == "cn=user,ou=groups,o=myorg"
        Class = USER

>   Yes, they can be.  But you're telling the server to *not* check
> passwords.  "Just accept the users... they're fine".

I understand this now...  What I have now appears to be working
properly.  We tested all cases (with/without vpn group, good/bad password)

>   See raddb/modules/ldap.  Group checking is documented in the comments
> there.

Will do.  Thanks a ton for the help...

>   Alan DeKok.

-- 
---------------------------
Jason Frisvold
xenophage0 at gmail.com
---------------------------
"I love deadlines. I like the whooshing sound they make as they fly by."
   - Douglas Adams
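A constructed model of how the three DEFAULT entries in the message above resolve for a given set of LDAP groups, added here as an example (not from the thread and not FreeRADIUS code); USERS_TEXT, parse_users and decide are names of my own, and only Ldap-Group checks are modelled. It lets the group cases the reply mentions be walked through on paper before touching the server:

```python
import re
# The three entries from the message, as constructed input
# (the last reply item of each entry carries no trailing comma).
USERS_TEXT = '''
DEFAULT Ldap-Group != "cn=vpn,ou=groups,o=myorg", Auth-Type := Reject
DEFAULT Ldap-Group == "cn=admin,ou=groups,o=myorg"
        Class = ADMIN
DEFAULT Ldap-Group == "cn=user,ou=groups,o=myorg"
        Class = USER
'''
# attribute, operator, then a quoted value or a bare word
ITEM = re.compile(r'([\w-]+)\s*(:=|==|!=|=)\s*(?:"([^"]*)"|([^,\s]+))')

def _items(s):
    return [(m.group(1), m.group(2), m.group(3) if m.group(3) is not None
             else m.group(4)) for m in ITEM.finditer(s)]

def parse_users(text):
    """Check items sit on the DEFAULT line, reply items on indented lines."""
    entries = []
    for line in text.splitlines():
        if line.startswith("DEFAULT"):
            entries.append((_items(line[len("DEFAULT"):]), []))
        elif line[:1].isspace() and line.strip() and entries:
            entries[-1][1].extend(_items(line))
    return entries

def entry_matches(checks, groups):
    """Control items set by a matching entry, or None if a comparison fails."""
    control = {}
    for attr, op, value in checks:
        if op == ":=":                 # assignment to the control list, not a test
            control[attr] = value
        elif attr == "Ldap-Group":     # membership looked up in the given set
            if (op == "==") != (value in groups):
                return None
        else:
            raise ValueError(f"check item {attr} not modelled here")
    return control

def decide(groups, text=USERS_TEXT):
    """First match wins (no Fall-Through); the ldap module checks passwords."""
    for checks, replies in parse_users(text):
        control = entry_matches(checks, groups)
        if control is not None:
            if control.get("Auth-Type") == "Reject":
                return ("Reject", {})
            return ("Accept", {a: v for a, _, v in replies})
    return ("Accept", {})              # nothing matched: users module is a noop
```

A bad password still fails in the ldap module regardless of what decide() returns, which is why the thread's with/without vpn and good/bad password cases are separate tests.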