26 Feb
2014
26 Feb
'14
4:50 a.m.
Quoth A.L.M.Buxey@lboro.ac.uk (26 Feb 2014, 10:41):
For security, the LDAP should not return attribute userPassword to
freeradius.
if the server doesnt get a password - if using LDAP as your source, then how is it supposed to authenticate the user?
LDAP authentication can be done either by performing an authenticated bind to the LDAP server - determine/lookup the relevant DN - supply the relevant credentials or by searching for the relevant LDAP object obtaining the relevant "password" attribute, and checking it. I would agree the former approach makes more sense. Directory services should not disclose user credentials (cf. shadow password files).