Jason Frisvold wrote:
DEFAULT Auth-Type := Reject Fall-Through = 1
Huh? Why?
I *thought* this was required, but apparently not?
No. the server will automatically reject anyone who isn't authenticated. As a hint, the default config does *not* have that entry. So adding it is likely "unusual".
Do you really want to accept these users without checking their passwords? That's a *very* bad idea.
I agree. What am I missing? I thought the user passwords were checked by the ldap module via the authentication section. Is that not correct?
Yes, they can be. But you're telling the server to *not* check passwords. "Just accept the users... they're fine".
The group membership configurations should ensure that it's using the memberOf attribute.
Can you give me an example please? I'm not sure I understand...
See raddb/modules/ldap. Group checking is documented in the comments there.
Why are you not checking passwords? That's a bad idea...
I thought I was... Do I need more than this?
You need to use the *default* configuration files. Start with them. Configure LDAP, and un-comment the references to "ldap" from the various places in raddb/*. It should then work. Alan DeKok.