FR3.0 and LDAP

Alan DeKok aland at
Mon Aug 12 21:56:29 CEST 2013

A.L.M.Buxey at wrote:
> so, in previous release, in authorize, the 'ldap' call would
> set the authentication method to LDAP.....

  *Sometimes*.  If you configured the module to do that.  For 2.x, it
didn't always set "Auth-Type = LDAP"

>  in the new release
> I see the warning/text above the "Auth-Type LDAP" line... theres
> a conditional -ldap in authorize - which, if ldap module is correctly
> configured would still set authentication type?  

  No.  It's in the "authorize" section.  It will do LDAP authorization.
 Like grabbing the userPassword entry from LDAP.

> I assume that the CORRECT and really OLY way that you should be doing
> things now is use ldap in authorize to pull out the password
> entry


> and then the Auth-Type PAP

  Done by the PAP module.

> part of authenicate kicks in and uses
> that correct (because I cant see the PAP in authenticate
> kicking off a 'grab from LDAP' exercise... this means that the old
> 'check user in authorize' then 'check password in authenticate'
> model has been altered...

  Yes.  It's been altered for 4-5 years now.

  However, people don't tend to update their configurations.  And
third-party "howto's" don't get updated, either.

  Alan DeKok.

More information about the Freeradius-Devel mailing list