rlm_ldap behavior: authorize v.s. authenticate
Brian A. Seklecki
lavalamp at spiritual-machines.org
Fri Dec 9 21:55:51 CET 2005
On Fri, 9 Dec 2005, Dusty Doris wrote:
>>> From reading debug logs, am I correct in concluding that rlm_ldap's
>> Correct, as the default behavior?
>
> Sounds right to me.
I have to ask then:
If on the authorization stage, the module can read (and cache) the entire
DN's attribute set (actually, any DN in the LDAP), why does it need to use
a "re-connect as the user" method for authentication? If the password is in
cleartext, comparison is easy. If it's in SSHA/SHA/MD5/blowfish/crypt,
then the comparison can happen against those algorithms.
~BAS
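
Added example, not part of the original message and not FreeRADIUS code: a sketch of the local comparison the question describes, checking a candidate password against a `userPassword` value in the cleartext, `{MD5}`, `{SMD5}`, `{SHA}` and `{SSHA}` forms. The function names and sample values are constructed for illustration, and crypt/blowfish values are deliberately rejected rather than handled.

```python
import base64
import hashlib
import hmac

# Scheme prefix -> (hash constructor, digest length in bytes, salted?)
_SCHEMES = {
    "MD5": (hashlib.md5, 16, False),
    "SMD5": (hashlib.md5, 16, True),
    "SHA": (hashlib.sha1, 20, False),
    "SSHA": (hashlib.sha1, 20, True),
}


def check_user_password(candidate: str, stored: str) -> bool:
    """Compare a candidate password with a userPassword value read from LDAP.

    Unknown schemes (e.g. {CRYPT}) return False so they never count as a match.
    """
    cand = candidate.encode("utf-8")
    if not stored.startswith("{"):
        # No scheme prefix: the value is stored in cleartext.
        return hmac.compare_digest(cand, stored.encode("utf-8"))
    scheme, sep, b64 = stored[1:].partition("}")
    if not sep or scheme.upper() not in _SCHEMES:
        return False
    hash_fn, dlen, salted = _SCHEMES[scheme.upper()]
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    # Layout is digest || salt; the salt is whatever follows the digest.
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or bool(salt) != salted:
        return False
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(hash_fn(cand + salt).digest(), digest)


def make_ssha(password: str, salt: bytes) -> str:
    """Build a constructed {SSHA} value for the demonstration below."""
    d = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(d + salt).decode("ascii")


if __name__ == "__main__":
    stored = make_ssha("s3cret", b"\x01\x02\x03\x04")  # constructed sample
    print(check_user_password("s3cret", stored))
    print(check_user_password("wrong", stored))
```

Comparing locally requires the identity the RADIUS server binds with to have read access to `userPassword`, whereas binding as the user leaves verification to the directory server.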