LDAP module
Sven Hartge
sven at svenhartge.de
Wed May 2 17:44:01 CEST 2012
Alan DeKok wrote in gmane.comp.freeradius.devel:
> 2) authentication. The "bind as user" code is simple. But what's with
> the "perform_search" and "filter" stuff? Why not have a statically
> configured user DN?
> I'd like to avoid some of the complexity of the current code.
> So is the user DN really some arbitrarily changing value? Do you
> really have to search over the entire DB for "uid=username" in order to
> find the user?
Yes, you have to, because you cannot know the whole DN before you search
for the object in question.
Consider the following tree layout:

uid=manager,dc=company,dc=com
    userPassword={clear}verysecure

uid=foo,ou=users,ou=germany,dc=company,dc=com
    userPassword={clear}passw0rd

uid=bar,ou=users,ou=france,dc=company,dc=com
    userPassword={clear}dontcare
A static DN would not be enough to find all users.
To make things worse: the DN may not contain the username at all, like
so:
cn=Sven Hartge,ou=users,ou=germany,dc=company,dc=com
    uid=s_hartge
    userPassword={clear}something
So you _have_ to first search and filter, then use the gathered DN to
either bind() or collect the password. There is no way around it.
Regards,
Sven.
--
Sigmentation fault. Core dumped.
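The search-then-bind flow described in the mail, as an added example that is not part of the original post and not FreeRADIUS's own rlm_ldap code. It assumes a constructed in-memory tree with the same layout as the one above, supports only simple equality filters, and only {clear} passwords; a real module would send the filter to an LDAP server instead. The point it makes concrete is the one Sven raises (a static DN cannot reach uid=foo under ou=germany or the cn=Sven Hartge entry whose DN does not contain the uid at all), plus the check a practitioner wants alongside it: the username coming from the request is escaped per RFC 4515 before it is placed into the filter, so it can only ever match as a literal value.

```python
import hmac
import re

# Constructed sample directory (not real data): the same tree layout as in the mail.
DIRECTORY = {
    "uid=manager,dc=company,dc=com": {
        "uid": "manager", "userPassword": "{clear}verysecure"},
    "uid=foo,ou=users,ou=germany,dc=company,dc=com": {
        "uid": "foo", "userPassword": "{clear}passw0rd"},
    "uid=bar,ou=users,ou=france,dc=company,dc=com": {
        "uid": "bar", "userPassword": "{clear}dontcare"},
    "cn=Sven Hartge,ou=users,ou=germany,dc=company,dc=com": {
        "cn": "Sven Hartge", "uid": "s_hartge", "userPassword": "{clear}something"},
}

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an untrusted value (here: the username from the request) for a filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(username):
    """The filter for the search step: (uid=<escaped username>)."""
    return "(uid=%s)" % escape_filter_value(username)


_EQUALITY = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>[^()]*)\)$")
_HEX = re.compile(r"\\([0-9A-Fa-f]{2})")


def parse_equality_filter(flt):
    """Parse '(attr=value)' and undo RFC 4515 hex escapes in the value."""
    m = _EQUALITY.match(flt)
    if m is None:
        raise ValueError("unsupported filter: %r" % flt)
    value = _HEX.sub(lambda h: chr(int(h.group(1), 16)), m.group("value"))
    return m.group("attr").lower(), value


def search(base_dn, flt):
    """Subtree search: DNs at or below base_dn whose entry satisfies the filter.

    This toy compares every attribute case-insensitively, which is right for uid
    (caseIgnoreMatch) and good enough for the search step shown here.
    """
    attr, value = parse_equality_filter(flt)
    suffix = "," + base_dn.lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        if dn.lower() != base_dn.lower() and not dn.lower().endswith(suffix):
            continue
        for k, v in entry.items():
            if k.lower() == attr and v.lower() == value.lower():
                hits.append(dn)
                break
    return hits


def find_user_dn(base_dn, username):
    """Step 1 of the mail: search for the object, then use its DN.

    Exactly one hit is required; zero means unknown user, more than one means the
    directory is ambiguous and we refuse rather than guess.
    """
    hits = search(base_dn, build_uid_filter(username))
    return hits[0] if len(hits) == 1 else None


def bind(dn, password):
    """Step 2 of the mail: bind as the gathered DN (simulated against {clear})."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    stored = entry.get("userPassword", "")
    if not stored.startswith("{clear}"):
        return False  # other password schemes are out of scope for this toy
    return hmac.compare_digest(stored[len("{clear}"):].encode(), password.encode())


def authenticate(base_dn, username, password):
    """Search, then bind with the DN the search returned."""
    dn = find_user_dn(base_dn, username)
    return dn is not None and bind(dn, password)


if __name__ == "__main__":
    base = "dc=company,dc=com"
    print(find_user_dn(base, "foo"))        # DN under ou=germany
    print(find_user_dn(base, "s_hartge"))   # DN that does not contain the uid
    print(bind("uid=foo,dc=company,dc=com", "passw0rd"))  # static DN guess fails
    print(authenticate(base, "s_hartge", "something"))
```

The escaping matters because the username is attacker-controlled input to the filter: without it, a value such as `*)(uid=*` would change the meaning of the search; with it, the same value is looked up as a literal uid and simply finds nothing.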
More information about the Freeradius-Devel mailing list