LDAP Authentication bind as user issue

Michael Holstein michael.holstein at csuohio.edu
Fri Sep 9 17:29:49 CEST 2011


> This way it binds anonymously, and then fails to do an ldapsearch because of
> insufficient privs. Giving * read to all seems silly, and I would rather not
> go that route.
>
> If anyone has suggestions or comments they would be greatly appreciated.
>   

How I did it (assuming you're using AD as the backend) .. is just create a
user account to bind with to do the search (to locate the DN). It does
not need to be an admin user, unless you have torqued down the
permissions inside AD. This allows bind as the defined user (to search
for the DN of the Stripped-User-Name) and then rebind as that DN.

ldap {
        server = "mydc.foocorp.com"
        # Account used only to bind and search for the user's DN;
        # it does not need to be an admin.
        identity = "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com"
        password = imnotgoingtotellyou
        basedn = "dc=foocorp,dc=com"
        # Match on Stripped-User-Name if the realm was stripped,
        # otherwise fall back to the raw User-Name.
        filter = "(&(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
        ..
}

Cheers,

Michael Holstein
Cleveland State University
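An added example (not code from the post, and not part of FreeRADIUS) that models the search-then-bind flow the config above produces: bind as the dedicated search account, expand `%{%{Stripped-User-Name}:-%{User-Name}}` into the filter, locate the user's DN, then rebind as that DN with the user's password. The directory is a constructed in-memory stand-in for AD; the service account name and password are taken from the post, and the user entries, passwords and function names are assumptions. It also shows the RFC 4515 escaping the request's user name must get before it is spliced into the filter, which is what keeps a crafted User-Name from rewriting the search.

```python
"""Search-then-bind resolution of a RADIUS user name to an AD DN.

Added example, not code from the original post or from FreeRADIUS. The
directory below is a constructed stand-in for the tree under
dc=foocorp,dc=com; only the attributes the filter and bind need are present.
"""
import re

# Constructed stand-in for AD: DN -> attributes.
FAKE_DIRECTORY = {
    "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com": {
        "objectCategory": "person",
        "sAMAccountName": "ldapsvc",           # assumed account name
        "userPassword": "imnotgoingtotellyou",
    },
    "CN=Jane Doe,OU=Staff,DC=foocorp,DC=com": {  # assumed user entry
        "objectCategory": "person",
        "sAMAccountName": "jdoe",
        "userPassword": "correct-horse",
    },
}

# identity / password from the posted ldap {} block.
SEARCH_IDENTITY = "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com"
SEARCH_PASSWORD = "imnotgoingtotellyou"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed inside a search filter.

    '*', '(', ')', '\\' and NUL become \\XX hex escapes, so a User-Name such
    as '*)(sAMAccountName=*' is matched literally instead of rewriting the
    filter. rlm_ldap applies the same kind of escaping to expanded values.
    """
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, used by the toy search below."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_filter(stripped_user_name, user_name):
    """Expand %{%{Stripped-User-Name}:-%{User-Name}} into the AD filter.

    Stripped-User-Name wins when present; otherwise User-Name is used.
    """
    name = stripped_user_name if stripped_user_name else user_name
    return "(&(objectCategory=person)(sAMAccountName=%s))" % escape_filter_value(name)


_FILTER_RE = re.compile(r"^\(&\(objectCategory=person\)\(sAMAccountName=(.*)\)\)$")


def search_dn(filter_str):
    """Toy search over FAKE_DIRECTORY: DN of the single matching entry, else None."""
    m = _FILTER_RE.match(filter_str)
    if not m:
        raise ValueError("filter not understood: " + filter_str)
    wanted = unescape_filter_value(m.group(1))
    hits = [dn for dn, attrs in FAKE_DIRECTORY.items()
            if attrs.get("objectCategory") == "person"
            and attrs.get("sAMAccountName") == wanted]
    return hits[0] if len(hits) == 1 else None


def simple_bind(dn, password):
    """Toy simple bind: succeeds only for a known DN with the right password."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def authenticate(stripped_user_name, user_name, password):
    """The three steps the posted config makes the ldap module perform.

    1. bind as the dedicated search account (identity / password);
    2. search basedn with the expanded filter to locate the user's DN;
    3. rebind as that DN with the password from the Access-Request.
    Returns (accepted, dn); dn is None when no single entry matched.
    """
    if not simple_bind(SEARCH_IDENTITY, SEARCH_PASSWORD):
        raise RuntimeError("search account bind failed: check identity/password")
    dn = search_dn(build_filter(stripped_user_name, user_name))
    if dn is None:
        return (False, None)
    return (simple_bind(dn, password), dn)


if __name__ == "__main__":
    print(authenticate("jdoe", "jdoe@foocorp.com", "correct-horse"))
    print(authenticate("", "*)(sAMAccountName=*", "anything"))
```

The search account only ever performs step 1 and 2; the user's own password is never sent anywhere except in the rebind of step 3, which is why the search account does not need to be able to read anything sensitive, just the objects under basedn.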
