FR3.0 and LDAP

Maja Wolniewicz mgw at umk.pl
Tue Aug 13 10:01:36 CEST 2013


On 12.08.2013 21:36, Alan DeKok wrote:
> Maja Wolniewicz wrote:
>> In FR3.0 the Auth-Type=LDAP isn't set in the rlm_ldap module, the
>> authorize section ends with Auth-Type=PAP, so authentication goes to the
>> PAP module.
>   That's what's supposed to happen when you use LDAP as a database.
>
>> I can't find a place in the FR3.0 source, where Auth-Type=LDAP is set -
>> in a few comments it is mentioned that such a setting happens
>> automatically.
>> Am I missing something?
>   Nope.  You're supposed to let LDAP be a database, and FreeRADIUS be an
> authentication server.
That solution works well, but the real drawback is that userPassword
attributes have to be readable by a user.
Our FreeRADIUS server uses a few LDAP databases (depending on the
realm) and not all of them are under our control.
Those not under our control offer only EAP-TTLS authentication, so
there is no need to read a password attribute; only binding is allowed.
I doubt we could convince the administrators of these databases to open
access to the userPassword attribute.

Maja

>
>   Alan DeKok.

-- 
Maja Gorecka-Wolniewicz          mgw at umk.pl
Uczelniane Centrum               Information & Communication
Informatyczne                    Technology Centre
Uniwersytet Mikolaja Kopernika   Nicolaus Copernicus University
Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland
tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574

