Do you really want to accept these users without checking their passwords? That's a *very* bad idea.
I agree. What am I missing? I thought the user passwords were checked by the ldap module via the authentication section. Is that not correct?
Remove those entries in users file. They are bypassing password checking. If you want to accept only some ldap groups use unlang. Something like: if(Ldap-Group == something || Ldap-Group == something_else) { ok } else { update control { Auth-Type := Reject } }
The group membership configurations should ensure that it's using the memberOf attribute.
Can you give me an example please? I'm not sure I understand...
Example is the default group membership query in raddb/modules/ldap.
Why are you not checking passwords? That's a bad idea...
I thought I was... Do I need more than this?
authenticate { Auth-Type LDAP { ldap } }
Yes. Auth-Type LDAP needs to be set. If you force Auth-Type Accept in users file this will never be used. Ivan Kalik Kalik Informatika ISP