On Tue, Sep 19, 2017 at 2:15 PM, Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:
"Fajar A. Nugraha" <list@fajar.net> writes:
On Thu, Aug 31, 2017 at 4:44 PM, Olivier <Olivier.Nicole@cs.ait.ac.th> wrote:
The first in in ldap module. In version 2, I did not define an identity nor a password and the binding to ldap server is made with the user name and password, effectively using ldap to authenticate the user.
With the version3, I see:
Aug 31 16:30:32 ldap slapd[550]: conn=60904 fd=107 ACCEPT from IP= 192.41.170.3:37996 (IP=192.41.170.6:636) Aug 31 16:30:32 ldap slapd[550]: conn=60904 fd=107 TLS established tls_ssf=256 ssf=256 Aug 31 16:30:32 ldap slapd[550]: conn=60904 op=0 BIND dn="" method=128
where an anonymous bind is attempted (dn=""). I am not sure what has change in this regard between version 2 and 3, but I really need to replicate the same mechanism as in version 2, that is bind with the user name instead of going with some administrator account that would search in the ldap directory.
So you only want ldap for authentication, not authorization? Try https://wiki.freeradius.org/modules/Rlm_ldap#userdn-attribute
I need only authentication, but the authentication should be done inside LDAP, with a binding using the User-Name that is provided to FreeRadius
... which, to the best of my knowledge, the link pretty tells you how you can achieve that.
but what LDAP tells me is that I am binding with no username.
Because it needs to fill Ldap-UserDN attribute. Did you read the link? Did you follow what it says to 'avoid the ldap search completely'? -- Fajar