Thanks for the reply. On 3/21/06, Natalia Escalera <nescalera@gmail.com> wrote:
It is my understanding that Freeradius uses Ldap search in order to authenticate users and that the Ldap bind is used to point to the location where the search will be done at the Ldap server.
Well, I'll quote from doc/rlm_ldap: : When rlm_ldap has found the DN corresponding to the username provided in the : access-request (all this happens in the authorize section) it will add an : Ldap-UserDN attribute in the check items list containing that DN. The attribute : will be searched for in the authenticate section and if present will be used for : authentication (ldap bind with the user DN/password). Otherwise a search will : be performed to find the user dn. If the administrator wishes to use rlm_ldap : only for authentication or does not wish to populate the identity,password : configuration attributes he can set this attribute by other means and avoid the : ldap search completely. For instance it can be set through the users file in the : authorize section: : : DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com` So, my understanding is that: 1. For authentication, Ldap-UserDn must be filled. If bind with that DN succeeds, authentication succeeds. 2. Ldap-UserDn can be filled in authorization phase, either via ldap search, or in users file (like in the document above). In the source file rlm_ldap.c, in the function ldap_authenticate(), if pairfind(request->packet->vps, PW_LDAP_USERDN) returns non-NULL, FR does no search and try ldap_connect with the DN found. If ldap_connect succeeeds, ldap_authenticate returns ok. (vps means `value pairs' that represents list of variable-value pairs, I guess.) If pairfind() returns NULL, FR invokes perform_search() using DN, password, and filter given in radiusd.conf, and search for user DN. So far, so good. What I don't understand is that why Ldap-UserDn I wrote in users file is not passed to ldap_authenticate() (i.e. why pairfind() returns NULL).
rlm_ldap: object not found or got ambiguous search result Check your basedn in raddiusd.conf
Thanks, but I think the error is because FR binds anonymously. (And I don't want to allow anonymous search for LDAP directory). --maeda