On 05/23/2010 11:27 AM, Alan DeKok wrote:
authorization != authentication
If there isn't a password... the user can't be authenticated. The debug log shows this.
Yes, obviously an important distinction. But where my mind goes immediately is "why is it that if I enter an incorrect password for that user that the user fails to gain access, but a correct password results in access granted?". But I imagine the answer is more complicated than the difference between authentication and authorization, and probably has something to do with some other authentication routine that takes place later. I have a lot to learn.
Anyway, a good resource for understanding how radius and its modules do their jobs would be good to know about.
doc/rlm_ldap explains how the LDAP module is used, and how the "access" is checked.
Again... this *is* documented. The filenames shouldn't be hard to figure out: doc/rlm_ldap should be pretty easy to find.
doc/aaa.txt explains how the authentication process works.
While the documentation isn't perfect, I'm not sure what you want. The questions you're asking are answered in the existing documentation, which is reasonably well organized. (try: ls doc/*ldap* ...)
Thanks for the direction. I'll study those now. John
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html