[SOLVED] Re: LDAP bind user authentication
Then at the bottom of the authorize section, add this:
if (User-Password) { update control { Auth-Type := ldap } }
Finally, in the authenticate section, insert just 'ldap' at the top and change the Auth-Type PAP stanza from the default to the below (which allows you to use the LDAP bind with things like EAP-TTLS/EAP-GTC, which uses PAP):
Auth-Type PAP { # pap ldap }
This was exactly the thing that was missing. I didn't try this solution because it clearly says in the config files "Auth-Type = LDAP is almost always wrong". Is the section Auth-Type LDAP { ldap } now obsolete? Why is it there in the first place, since the comment above sounds to me pretty much like what i want.
If you use FreeRADIUS 3.0.x, this becomes a *LOT* easier and straight-forward. The FreeRADIUS guys have built a repository for all major Linux platforms, so you can upgrade to the newest without waiting for your distribution to catch up.
Didn't knew that, maybe i'll upgrade. Thanks for the notice.
is almost always wrong". Is the section Auth-Type LDAP { ldap }
now obsolete? Why is it there in the first place, since the comment above sounds to me pretty much like what i want.
Good question… I guess it would make sense to remove it… Arran? Alan? Am happy to send a patch to add both bits into the next release… :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Janet, the UK's research and education network. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238 Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
Stefan Paetow wrote:
Good question… I guess it would make sense to remove it… Arran? Alan? Am happy to send a patch to add both bits into the next release… :-)
You can still list "ldap" in the "authenticate" section. It works. That functionality won't be removed. What was removed was the *automatic* setting of Auth-Type := LDAP. That worked sometimes, but was often wrong. Alan DeKok.
jopo jopo wrote:
This was exactly the thing that was missing. I didn't try this solution because it clearly says in the config files "Auth-Type = LDAP is almost always wrong". Is the section Auth-Type LDAP { ldap }
now obsolete?
No. FORCING "Auth-Type = LDAP" is wrong. USING ldap for PAP authentication is OK. Alan DeKok.
participants (3)
-
Alan DeKok -
jopo jopo -
Stefan Paetow