Derrick Woo wrote:
The LDAP server we have set up is used to authenticate users based on their username and password. If I were to query from the (Linux) command line using ldapsearch, the query would appear as follows:
ldapsearch -x -h ldap.domain.com -b ou=ldap,o=domain.com -D uid=XXX,ou=it,o= domain.com -w 'YYY'
Where XXX is a person's username and YYY is their password. That means a person can only query their own information and not anyone elses (unless, of course, they have someone else's username and password).
From what I can see, it doesn't appear as though the %{User-Name} variable can be used within the "identity" setting in freeRADIUS 1.0.1. If that's correct, does it mean freeRadius won't be able to be used for this particular set up? If I hardcode a test username and password in the configuration as follows:
server = "ldap.domain.com" identity = "uid=XXX,ou=it,o=domain.com" password = 'YYY' basedn = "ou=ldap,o=domain.com"
it binds correctly. However, for our particular setup, both the username and password's used to bind to the server need to be variable at run time.
"identity" and "password" are the DN and password of a user representing the *server*, e.g. identity = "uid=freeRadiusServiceAccount,o=domain.com" ...the LDAP module first binds as identity, searches using the given "basedn" and "filter", then re-binds as the user, or returns access denied / not found. If you don't have a service account and allow anonymous binds (eek) just comment identity and password out.
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html