Authenticating groups via LDAP

Alan DeKok aland at deployingradius.com
Sun May 23 20:24:59 CEST 2010


John Maher wrote:
> Yes, obviously an important distinction.  But where my mind goes
> immediately is "why is it that if I enter an incorrect password for that
> user that the user fails to gain access, but a correct password results
> in access granted?".

  doc/rlm_ldap explains this.

>  But I imagine the answer is more complicated than
> the difference between authentication and authorization, and probably
> has something to do with some other authentication routine that takes
> place later.  I have a lot to learn.

  No... it's a historical leftover from ISP authentication.  It's not
clear, but it does serve a purpose.

> Thanks for the direction.  I'll study those now.

  Remember: DNS (bind) reads config files.  DHCP (ISC) reads config
files.  FreeRADIUS reads config files, LDAP, SQL, DBM, shell scripts,
Perl, Python, Java, Ruby, and implements EAP, WiMAX, IP address
assignment (i.e. most of DHCP), name lookups (i.e. most of DNS) ...

  It's not surprising that people find it complicated.  But a basic
step-by-step approach helps a *lot*.

  Alan DeKok.


