How to configure non-privileged LDAP bind in FreeRADIUS 3.0.11
Alan DeKok
aland at deployingradius.com
Mon Sep 5 15:31:08 CEST 2016
On Sep 5, 2016, at 9:24 AM, Bogdan Rudas via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I would like to configure LDAP authentication for WiFi users with OpenLDAP
> back-ends (passwords are hashed). To perform initial bind to LDAP database
> I use restricted account which can read directory tree, determine DN on
> user and most of its attributes but can't read passwords hashes.
That may work, if you configure it correctly.
> Then I
> expect FreeRadius to bind with DN found on previous step and user-supplied
> password.
Does the rlm_ldap module documentation say it does that?
> When I use admin user account (which can read password hashes) for initial
> bind, authentication test with *radtest *works well, but it is not what I
> want to do.
Why not?
> I want to keep my OpenLDAP password policy working, this requires true LDAP
> bind attempt with credential of end-user.
>
> My final destination is EAP-TTLS with PAP inside. Please help me to
> establish desired LDAP authorization schema. As far as I know it was
> possible in FreeRadius 2.1.x and I believe some additional configuration
> is required here.
You have to force Auth-Type LDAP.
authorize {
    ...
    pap
    if (noop && User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
}
Do this in raddb/sites-enabled/default, and raddb/sites-enabled/inner-tunnel. And also add "ldap" to the "authenticate" section for both virtual servers.
Alan DeKok.
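The complete picture described in the reply, as an added example that is not part of the original post: the rlm_ldap module bound with the restricted service account, and the authorize/authenticate sections that force Auth-Type LDAP so the module re-binds as the user's own DN with the supplied password. The server name, bind DN, base DN and attribute names are assumptions for illustration.

```unlang
# raddb/mods-available/ldap (enabled via mods-enabled): the initial bind uses the
# restricted account, which only needs to read the tree, not userPassword.
ldap {
    server = 'ldap.example.org'                            # assumed hostname
    identity = 'cn=radius,ou=services,dc=example,dc=org'   # assumed restricted DN
    password = 'CHANGE-ME'                                 # placeholder
    base_dn = 'dc=example,dc=org'                          # assumed base DN
    user {
        base_dn = "${..base_dn}"
        # Locate the user's DN from the login name (attribute name assumed).
        # Because this account cannot read password hashes, no known-good
        # password is returned, so pap below returns noop.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel get the same
# two sections. Other modules from the stock server files are omitted here.
authorize {
    ldap      # searches the directory and caches the user's DN
    pap
    if (noop && User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    # Auth-Type LDAP makes rlm_ldap bind as the user's DN with User-Password,
    # so the OpenLDAP password policy is evaluated on every login.
    Auth-Type LDAP {
        ldap
    }
}
```

With EAP-TTLS/PAP the inner request carries User-Password, so the inner-tunnel copy of these sections is the one that performs the user bind.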