rlm_ldap + bind as user authentication
Hi, I'm trying to use FreeRADIUS with an LDAP oracle (to be precise, an OpenLDAP instance that uses SASL authentication). From what I understand, this should happen with a single-user bind to the OpenLDAP server... Since it's supposed to use a bind, I'm not retrieving the password, which at this point explains the 'no Auth-Type found'. Since Arran mentioned a while ago that binding with LDAP is a lot easier these days, is it correct that I use the following in my authorize section (after PAP): update control { # Only set the Auth-Type if it hasn't been set Auth-Type = LDAP } And then in the 'authenticate' section I use the below to enable binding? Auth-Type LDAP { Ldap } If that's all (plus the user search in .../mods-available/ldap), that's grand :-) Arran, can you confirm? Stefan Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
Oh, and I just realised... If I'm using EAP-GTC as the inner type in an EAP conversation, I only need to replace the 'pap' in Auth-Type PAP (in the authenticate section) with 'ldap' and it binds ok. But - Is that the recommended way of doing it? With Regards Stefan From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Stefan Paetow Sent: 17 July 2014 17:37 To: FreeRadius users mailing list Subject: rlm_ldap + bind as user authentication Hi, I'm trying to use FreeRADIUS with an LDAP oracle (to be precise, an OpenLDAP instance that uses SASL authentication). From what I understand, this should happen with a single-user bind to the OpenLDAP server... Since it's supposed to use a bind, I'm not retrieving the password, which at this point explains the 'no Auth-Type found'. Since Arran mentioned a while ago that binding with LDAP is a lot easier these days, is it correct that I use the following in my authorize section (after PAP): update control { # Only set the Auth-Type if it hasn't been set Auth-Type = LDAP } And then in the 'authenticate' section I use the below to enable binding? Auth-Type LDAP { Ldap } If that's all (plus the user search in .../mods-available/ldap), that's grand :-) Arran, can you confirm? Stefan Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238 Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
On 17 Jul 2014, at 12:48, Stefan Paetow <Stefan.Paetow@ja.net> wrote:
Oh, and I just realised… If I’m using EAP-GTC as the inner type in an EAP conversation, I only need to replace the ‘pap’ in Auth-Type PAP (in the authenticate section) with ‘ldap’ and it binds ok.
But – Is that the recommended way of doing it?
What I didn't realise before was deep in the darkest murkiest depths of the server core, is some logic which auto creates the auth types for modules listed in authenticate. so if you do authorize { if (User-Password) { update control { Auth-Type := ldap } } } authenticate { ldap } Should work fine. If you're doing EAP then this will need to be in the inner tunnel, with EAP listed before the if statement (or at leas that's the most efficient way). -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Thank you Arran :-) I'll update the Wiki page at some point (next week) with this information :-) Stefan ________________________________________ From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] on behalf of Arran Cudbard-Bell [a.cudbardb@freeradius.org] Sent: 17 July 2014 18:51 To: FreeRadius users mailing list Subject: Re: rlm_ldap + bind as user authentication On 17 Jul 2014, at 12:48, Stefan Paetow <Stefan.Paetow@ja.net> wrote:
Oh, and I just realised… If I’m using EAP-GTC as the inner type in an EAP conversation, I only need to replace the ‘pap’ in Auth-Type PAP (in the authenticate section) with ‘ldap’ and it binds ok.
But – Is that the recommended way of doing it?
What I didn't realise before was deep in the darkest murkiest depths of the server core, is some logic which auto creates the auth types for modules listed in authenticate. so if you do authorize { if (User-Password) { update control { Auth-Type := ldap } } } authenticate { ldap } Should work fine. If you're doing EAP then this will need to be in the inner tunnel, with EAP listed before the if statement (or at leas that's the most efficient way). -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2 Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
participants (2)
-
Arran Cudbard-Bell -
Stefan Paetow