LDAP: Variables in "identity" setting

Derrick Woo dpywoo at gmail.com
Tue Dec 13 21:12:05 CET 2005


Hello Phil,

Thanks for your response.  However as I had mentioned in my post, this
particular LDAP server uses a person's username and password for binding.
There is no service account and anonymous binds are not allowed.  Commenting
out identity and password did not work.

Am I out of luck here?

On 12/13/05, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
> Derrick Woo wrote:
> > The LDAP server we have set up is used to authenticate users based on their
> > username and password.  If I were to query from the (Linux) command line
> > using ldapsearch, the query would appear as follows:
> >
> > ldapsearch -x -h ldap.domain.com -b ou=ldap,o=domain.com -D uid=XXX,ou=it,o=domain.com -w 'YYY'
> >
> > Where XXX is a person's username and YYY is their password.  That means a
> > person can only query their own information and not anyone else's (unless, of
> > course, they have someone else's username and password).
> >
> > From what I can see, it doesn't appear as though the %{User-Name} variable
> > can be used within the "identity" setting in freeRADIUS 1.0.1.  If that's
> > correct, does it mean freeRadius won't be able to be used for this
> > particular set up?  If I hardcode a test username and password in the
> > configuration as follows:
> >
> > server = "ldap.domain.com"
> > identity = "uid=XXX,ou=it,o=domain.com"
> > password = 'YYY'
> > basedn = "ou=ldap,o=domain.com"
> >
> > it binds correctly.  However, for our particular setup, both the username
> > and password used to bind to the server need to be variable at run time.
>
> "identity" and "password" are the DN and password of a user representing
> the *server*, e.g.
>
> identity = "uid=freeRadiusServiceAccount,o=domain.com"
>
> ...the LDAP module first binds as identity, searches using the given
> "basedn" and "filter", then re-binds as the user, or returns access
> denied / not found.
>
> If you don't have a service account and allow anonymous binds (eek) just
> comment identity and password out.
>
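
The bind-search-rebind flow Phil describes above, written out as an rlm_ldap stanza in the FreeRADIUS 1.x radiusd.conf style. This is an added example, not configuration posted by either participant or shipped by the project; the host name, DNs, service-account credentials and the "ou=services" container are hypothetical placeholders. It shows where the two options Phil names go (a read-only service account in "identity"/"password", or both directives left out for an anonymous search) and where the per-request %{User-Name} expansion actually belongs: in "filter", which locates the user's DN, not in "identity".

```conf
# Added example (not from the thread): rlm_ldap configuration illustrating the
# search-as-service-account, then rebind-as-user flow. All names are placeholders.
modules {
	ldap {
		server = "ldap.domain.com"
		port = 389

		# Option A: a dedicated read-only service account. rlm_ldap binds as this
		# DN first and uses it only to search for the user's DN. Give it search
		# access to the basedn and nothing more; the password sits in cleartext
		# in this file, so keep radiusd.conf readable by the radiusd user only.
		identity = "uid=freeRadiusServiceAccount,ou=services,o=domain.com"
		password = "service-account-secret"

		# Option B: anonymous search. Leave BOTH directives out (do not set them
		# to empty strings). This only works if the directory permits anonymous
		# search of basedn, which the thread's server does not.
		# identity =
		# password =

		# Where to search and how to find the user. %{User-Name} is expanded per
		# request here; "identity" is static and is not expanded.
		basedn = "ou=ldap,o=domain.com"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

		# After the search returns the user's DN, rlm_ldap binds again as that DN
		# with the User-Password from the Access-Request. A successful second
		# bind yields Access-Accept; a search miss is "notfound" and a failed
		# bind is a reject.
		start_tls = no
		ldap_connections_number = 5
		timeout = 4
		timelimit = 3
		net_timeout = 1
	}
}

authorize {
	preprocess
	ldap
}

authenticate {
	Auth-Type LDAP {
		ldap
	}
}
```

The search step is the one Derrick's directory cannot satisfy: with no service account and no anonymous search there is nothing the module can bind as before it knows the user's DN, so no combination of "identity"/"password" values fixes it on the RADIUS side. The practical remedy is on the directory side, a search-only account scoped to basedn, which also keeps end-user credentials out of the search phase entirely. Whichever option is used, put the LDAP connection behind TLS (start_tls or ldaps) so the rebind step does not send user passwords in the clear.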