Thanks, Alan. It works. sites-available/default: ("%{ldap:ldap://localhost:389/?uid?sub?(uid=%{User-Name})}") { accept } else { reject } Question 1: How can I utilize the LDAP settings defined in mods-enabled/ldap instead of hardcoding the LDAP connection here? Question 2: How can I implement load balancing across multiple LDAP servers to distribute the authentication load? Thank you.
On 10 Jul 2024, at 8:10 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 10, 2024, at 6:04 AM, Kong Kai Chen via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
In steel belted radius (SBR), we can setup sbr to do a simple bind to ldap database. In such as setup, sbr will omit password checking. If the bind is successful (meaning username is found in ldap) then reply accept being sent back to radius client. When I try to do this in freeradius, it passes the authentication process to ldap and insists on checking the password. How can I disable the password checking in freeRadius?
You don't "disable" password checking. You just write an LDAP query which checks if the user exists.
The normal ldap processing in FreeRADIUS does username / password checking. So if you want to skip the password checks, then don't use the normal LDAP processing.
The documentation contains examples of how to write LDAP queries. The exact content depend on your local LDAP database and scheme. But something like this should work:
authorize { ...
if ("%{ldap: .... ldap query with %{User-Name} .. }") { accept } ... }
i.e. "if the query to find a user by name exists, then accept the user".
Alan DeKok.