Porting ldap module configuration from 2.2.9 to 3.0.15

Olivier Olivier.Nicole at cs.ait.ac.th
Tue Sep 19 10:06:50 CEST 2017


"Fajar A. Nugraha" <list at fajar.net> writes:

> On Tue, Sep 19, 2017 at 2:15 PM, Olivier <Olivier.Nicole at cs.ait.ac.th>
> wrote:
>
>> "Fajar A. Nugraha" <list at fajar.net> writes:
>>
>> > On Thu, Aug 31, 2017 at 4:44 PM, Olivier <Olivier.Nicole at cs.ait.ac.th>
>> wrote:
>> >
>> >> The first is in the ldap module. In version 2, I did not define an identity
>> >> nor a password and the binding to ldap server is made with the user name
>> >> and password, effectively using ldap to authenticate the user.
>> >
>> >
>> >> With the version3, I see:
>> >>
>> >> Aug 31 16:30:32 ldap slapd[550]: conn=60904 fd=107 ACCEPT from IP=192.41.170.3:37996 (IP=192.41.170.6:636)
>> >> Aug 31 16:30:32 ldap slapd[550]: conn=60904 fd=107 TLS established tls_ssf=256 ssf=256
>> >> Aug 31 16:30:32 ldap slapd[550]: conn=60904 op=0 BIND dn="" method=128
>> >>
>> >> where an anonymous bind is attempted (dn=""). I am not sure what has
>> >> changed in this regard between version 2 and 3, but I really need to
>> >> replicate the same mechanism as in version 2, that is bind with the user
>> >> name instead of going with some administrator account that would search
>> >> in the ldap directory.
>> >
>> >
>> > So you only want ldap for authentication, not authorization? Try
>> > https://wiki.freeradius.org/modules/Rlm_ldap#userdn-attribute
>>
>> I need only authentication, but the authentication should be done inside
>> LDAP, with a binding using the User-Name that is provided to FreeRadius
>>
>
> ... which, to the best of my knowledge, the link pretty much tells you how you
> can achieve that.
>
>
>> but what LDAP tells me is that I am binding with no username.
>>
>>
> Because it needs to fill the Ldap-UserDN attribute.
>
> Did you read the link? Did you follow what it says to 'avoid the ldap
> search completely'?

Yes I did and I added:

DEFAULT Ldap-UserDN := "uid=%{User-Name},ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"

in the file raddb/users. But it does not change the behaviour. Also, I
am wondering, because the top of the file users mentions that
# Configuration file for the rlm_files module.

Thank you,

Olivier

-- 
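The mechanism discussed in this thread (bind to LDAP as the user instead of searching with an administrator account) can be written out as a FreeRADIUS 3.0.x configuration. The fragment below is an added illustration for this archive page, not configuration from the thread or from the FreeRADIUS project, and it is not a verified fix for the problem reported above. The server name, CA path, and the ordering of modules in the `authorize` section are assumptions; the DN template is the one from the thread.

```conf
# raddb/mods-available/ldap  (assumed file; FreeRADIUS 3.0.x syntax)
ldap {
	# LDAPS on 636 matches the slapd log quoted in the thread.
	# Server name is an assumption.
	server = 'ldaps://ldap.example.org:636'

	# No 'identity' / 'password': the module holds no administrator
	# credentials. Without them it can only bind anonymously for a
	# search (the dn="" BIND seen in the log) or bind as the user.
	base_dn = 'dc=cs,dc=ait,dc=ac,dc=th'

	user {
		base_dn = "ou=People,ou=csim,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	tls {
		# Validate the server certificate; CA path is an assumption.
		ca_file = /etc/raddb/certs/ldap-ca.pem
		require_cert = 'demand'
	}
}

# raddb/sites-enabled/default  (relevant parts only; assumed layout)
authorize {
	preprocess

	# Supply the DN before rlm_ldap runs, so it binds as this DN with
	# User-Password instead of searching. Equivalent to the
	# "DEFAULT Ldap-UserDN := ..." line in raddb/users, provided the
	# 'files' module (or this update block) is listed before 'ldap'.
	update control {
		Ldap-UserDN := "uid=%{User-Name},ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
		Auth-Type := LDAP
	}
}

authenticate {
	Auth-Type LDAP {
		# Bind to the directory as control:Ldap-UserDN with the
		# cleartext User-Password (PAP only; no MSCHAP).
		ldap
	}
}
```

To verify that the search is actually skipped, run `radiusd -X`, send a test request with `radtest`, and watch the slapd log: the line `op=0 BIND dn=""` from the thread should become a BIND with `dn="uid=<user>,ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"`. If `dn=""` is still logged, the DN attribute was not in the control list at the time the module ran, which is the first thing to check in the module ordering.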