Description of situation first, freeradius question at the end: I am doing plain user/pass authentication against an LDAP server using ldapsearch: $ ldapsearch -H ldap://XXXXXXXX -b 'o=XXXXXXXXXXXXX,c=us' -D 'uid=XXXXX,o=XXXXXXXXXXXXXX,c=us' -x -W uid=XXXXX Enter LDAP Password: [snip] result: 0 Success [snip] The packet trace looks like this: #################################################### No. Time Source Destination Protocol Info 4 0.001468 somecomputer.somedomain.com someserver.somedomain.com LDAP MsgId=1 Bind Request, DN=uid=XXXXX,o=YYYYYYYYYY,c=us Frame 4 (123 bytes on wire, 123 bytes captured) Internet Protocol, Src Addr: somecomputer.somedomain.com (XXX.YYY.ZZZ.38), Dst Addr: someserver.somedomain.com (AAA.BBB.CCC.18) Lightweight Directory Access Protocol LDAP Message, Bind Request Message Id: 1 Message Type: Bind Request (0x00) Message Length: 50 Response In: 6 Version: 3 DN: uid=XXXXX,o=YYYYYYYYYY,c=us Auth Type: Simple (0x00) Password: 1234567890 No. Time Source Destination Protocol Info 6 0.067801 someserver.somedomain.com somecomputer.somedomain.com LDAP MsgId=1 Bind Result Frame 6 (96 bytes on wire, 96 bytes captured) Internet Protocol, Src Addr: someserver.somedomain.com (AAA.BBB.CCC.18), Dst Addr: somecomputer.somedomain.com (XXX.YYY.ZZZ.38) Lightweight Directory Access Protocol LDAP Message, Bind Result Message Id: 1 Message Type: Bind Result (0x01) Message Length: 23 Response To: 4 Time: 0.066333000 seconds Result Code: success (0x00) Matched DN: (null) Error Message: +0gg4KMBV5FZkjyC #################################################### I don't really care about any information that's returned, I only want to authenticate against LDAP. Can I configure freeradius to do the same? I tried a few configurations in radiusd.conf but everything seems to trigger a behaviour that's different from ldapsearch. LDAP is currently used to authenticate various things, and I'd like to point a Radius server to it to use the same user passwords. -- Florin Andrei http://florin.myip.org/
On Tue, 2005-07-12 at 13:25 -0700, Florin Andrei wrote:
I don't really care about any information that's returned, I only want to authenticate against LDAP.
To be more precise, authentication happens during the LDAP Bind request. Subsequent searches are irrelevant. Can freeradius do the same? I.e., wait for a username / password request from a client, bind to the LDAP server using the supplied password (and passing the username with the DN line) and report success/failure to the Radius client based on the success/failure of the LDAP Bind transaction. -- Florin Andrei http://florin.myip.org/
Florin Andrei wrote:
To be more precise, authentication happens during the LDAP Bind request. Subsequent searches are irrelevant.
Can freeradius do the same? I.e., wait for a username / password request from a client, bind to the LDAP server using the supplied password (and passing the username with the DN line) and report success/failure to the Radius client based on the success/failure of the LDAP Bind transaction.
Yes. Please check out http://vuksan.com/linux/dot1x/802-1x-LDAP.html#Set_up_FreeRADIUS Only difference in the config for you is that you will exclude following two lines identity = "uid=onex,cn=users,dc=cs,dc=school,dc=edu" password = "oursecret" ie. ldap ldap_1x { server = "ldap1.cs.school.edu" basedn = "dc=cs,dc=school,dc=edu" base_filter = "(objectclass=radiusprofile)" start_tls = yes # This is your Certificate Authority (CA) certificate tls_cacertfile = /etc/ldap/csca.crt tls_require_cert = "demand" access_attr = "radiusFilterId" dictionary_mapping = ${raddbdir}/ldap.attrmap authtype = ldap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 } Hope this helps, Vladimir
Florin Andrei <florin@andrei.myip.org> wrote:
Can freeradius do the same? I.e., wait for a username / password request from a client, bind to the LDAP server using the supplied password (and passing the username with the DN line) and report success/failure to the Radius client based on the success/failure of the LDAP Bind transaction.
Yes. Alan DeKok.
participants (3)
-
Alan DeKok -
Florin Andrei -
Vladimir Vuksan