Florin Andrei wrote:
To be more precise, authentication happens during the LDAP Bind request. Subsequent searches are irrelevant.
Can freeradius do the same? I.e., wait for a username / password request from a client, bind to the LDAP server using the supplied password (and passing the username with the DN line) and report success/failure to the Radius client based on the success/failure of the LDAP Bind transaction.
Yes. Please check out http://vuksan.com/linux/dot1x/802-1x-LDAP.html#Set_up_FreeRADIUS Only difference in the config for you is that you will exclude following two lines identity = "uid=onex,cn=users,dc=cs,dc=school,dc=edu" password = "oursecret" ie. ldap ldap_1x { server = "ldap1.cs.school.edu" basedn = "dc=cs,dc=school,dc=edu" base_filter = "(objectclass=radiusprofile)" start_tls = yes # This is your Certificate Authority (CA) certificate tls_cacertfile = /etc/ldap/csca.crt tls_require_cert = "demand" access_attr = "radiusFilterId" dictionary_mapping = ${raddbdir}/ldap.attrmap authtype = ldap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } Hope this helps, Vladimir