LDAP module

Alister Winfield alister at ticklers.org
Wed May 2 17:45:20 CEST 2012

Sometimes you just don't want to hard code the DN.... normally its when you have a reasonably large set of possible DNs to choose from especially if there isn't the appetite to remap/rebuild the structure of the LDAP directory to conform to a RADIUS friendly way of structuring things. Also its a really easy to filter out users based on attributes of their entry in the directory. eg a filter like ((cn=%user%) (status=active) (class=radiususer)) isn't an unusual thing to consider having.

On 2 May 2012, at 15:55, Alan DeKok wrote:

>  I'm taking a look at the LDAP module.  It's rather more complicated
> than I like.  I'm thinking of moving it to use the new connection pools.
>  I have a first draft which uses the connection pool to open the
> sockets.  But... the behavior of the module is hard to understand.  I'll
> start off with my thoughts:
> 1) connection pool is working.  They don't *do* anything, but they connect
> 2) authentication.  The "bind as user" code is simple.  But what's with
> the "perform_search" and "filter" stuff?  Why not use have a statically
> configured user DN?
>  I'd like to avoid some of the complexity of the current code.
>  So is the user DN really some arbitrarily changing value?  Do you
> really have to search over the entire DB for "uid=username" in order to
> find the user?
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

More information about the Freeradius-Devel mailing list