Hi all, I'm trying to configure the server to use LDAP for authentication And am finding the documentation to be less than straightforward. We don't use openldap or eDirectory - which is what the docs are Derived from. The information for FreeRADIUS and LDAP seems to suggest that I need to provide access to the LDAP server's password to the service account that the FreeRADIUS Server uses. What I need to understand is how to integrate FreeRADIUS with an LDAP Server without exposing the (crypted) password hashes. Any pointers on what I need to do for that? I'd be happy to provide updated documentation once I have gotten it working. I'd appreciate any insights. Divya Sundaram ----------------------------- CONDITUR IN PETRA Let us realize that the privilege to work is a gift, that power to work is a blessing, that love of work is success. --David O. McKay ==============================================================
-----Message d'origine----- De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.free radius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@li sts.freeradius.org] De la part de Sundaram Divya-QDIVYA1 Envoyé : jeudi 30 novembre 2006 23:51 À : freeradius-users@lists.freeradius.org Objet : FreeRadius and LDAP
We don't use openldap or eDirectory - which is what the docs are Derived from.
This shouldn't be an issue if your directory is really Ldap compliant.
The information for FreeRADIUS and LDAP seems to suggest that I need to provide access to the LDAP server's password to the service account that the FreeRADIUS Server uses.
This is often required, but not always: if you are using an authentication protocol that transmits the password in cleatext to the radius server (such as PAP), you can avoid this.
What I need to understand is how to integrate FreeRADIUS with an LDAP Server without exposing the (crypted) password hashes. Any pointers on what I need to do for that?
* Enable the ldap module in the authorize section (so that Auth-Type is set to LDAP [FR >= 1.1.3]) * if you are running FR <= 1.1.3 then you'll have to set Auth-Type = LDAP manually (see the "users" file from rlm_files or the rlm_sql module) * Enable the ldap module in the authenticate section as well (so that a simple ldap bind authentication is performed) * In the ldap configuration section, you can use an LDAP account that do not have read access to the userPassword attribute BUT === Remember that this is NOT compatible with a lot of authentication protocols (MSCHAP, CHAP, PEAP, ...). It is working for PAP and EAP-TTLS/PAP. HTH, Thibault
Sundaram Divya-QDIVYA1 wrote:
What I need to understand is how to integrate FreeRADIUS with an LDAP Server without exposing the (crypted) password hashes. Any pointers on what I need to do for that?
Bind as the LDAP user. PAP will work, nothing else will. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (3)
-
Alan DeKok -
Sundaram Divya-QDIVYA1 -
Thibault Le Meur