W dniu 12.08.2013 21:36, Alan DeKok pisze:
Maja Wolniewicz wrote:
In FR3.0 the Auth-Type=LDAP isn't set in the rlm_ldap module, the authorize section ends with Auth-Type=PAP, so authentication goes to the PAP module. That's what's supposed to happen when you use LDAP as a database.
I can't find a place in the FR3.0 source, where Auth-Type=LDAP is set - in a few comments it is mentioned that such a setting happens automatically. Am I missing something? Nope. You're supposed to let LDAP be a database, and FreeRADIUS be an authentication server. That solution works well but the really drawback is that userPassword attributes have to be readable by a user. Our freeradius server uses a few of LDAP databases (depending on the realm) and not all of them are under our control. These without our control offer only the EAP-TTLS authentication so there is no need to read a password attribute, only binding is allowed. I doubt we could convince administrators of these databases to open access to the userPassword attribute.
Maja
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Maja Gorecka-Wolniewicz mgw@umk.pl Uczelniane Centrum Information & Communication Informatyczne Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574