LDAP: Variables in "identity" setting
Phil Mayers
p.mayers at imperial.ac.uk
Wed Dec 14 22:49:01 CET 2005
Derrick Woo wrote:
> Hello Phil,
>
> I've removed "ldap" from the authorize section now, but now it's not
> even connecting to the ldap server. Am I overlooking something?
Weeellll... I must be honest, I've never actually used it myself (ducks
:o) but that's certainly what the source and docs imply.
(goes off to try)
Ah, the users file *actually* needs to be:
DEFAULT Auth-Type := LDAP, Ldap-UserDN := `uid=%{User-Name},RESTOFDN`
...because the authenticate section has ldap as a conditional module:
authenticate {
    Auth-Type LDAP {
        ldap
    }
}
With the final fix above, this definitely works for me. However, you
should be aware of the implications of setting (forcing) Auth-Type in
the users file - by forcing it to LDAP unconditionally you will prevent
e.g. mschap, eap, etc. working at a later date (this is why it's
generally not recommended, but for specific and limited circumstances
where you're sure this is what you want, I guess it's ok)
You could put the "files" module last in the authorize section, and use:
DEFAULT Auth-Type = LDAP, Ldap-...
...which will only set the Auth-Type if it's not already set - then if
e.g. mschap or eap match first, ldap won't attempt to seize the request.
[Perhaps someone else could chip in with info about the implications of
putting the "ldap" module as a non-conditional in "authenticate" - I was
under the impression that all the modules in authenticate should be
conditional because only one was ever called, but e.g. digest, pam,
unix, eap don't seem to be?]
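The layout Phil describes (files last in authorize, a non-forcing `=` on Auth-Type, and ldap as a conditional block in authenticate) put together as one complete configuration. This is an added example in FreeRADIUS 1.x syntax, not taken from the original post or from the FreeRADIUS distribution; the module order, the `ou=people,dc=example,dc=com` DN suffix and the comments are assumptions chosen for illustration.

```conf
# radiusd.conf (added example, FreeRADIUS 1.x style; ordering is an assumption)
authorize {
    preprocess
    mschap      # sets Auth-Type := MS-CHAP only when MS-CHAP attributes are present
    eap         # sets Auth-Type := EAP only when an EAP-Message is present
    files       # last, so the DEFAULT entry below only fills in what is still unset
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    # ldap is conditional: it runs only for requests whose Auth-Type is LDAP
    Auth-Type LDAP {
        ldap
    }
    eap         # EAP handles its own Auth-Type, as noted in the post
}

# users file (added example; the DN suffix is a placeholder, not a real directory)
# '=' assigns Auth-Type only if no earlier module already set it;
# ':=' would overwrite it unconditionally and break mschap/eap later on.
DEFAULT Auth-Type = LDAP, Ldap-UserDN := "uid=%{User-Name},ou=people,dc=example,dc=com"
```

With this ordering an MS-CHAP or EAP request is claimed by its own module before `files` runs, so the DEFAULT entry never forces those requests into the LDAP bind; plain PAP requests, which nothing else claims, fall through to `Auth-Type = LDAP` and are bound against the directory using the constructed DN. A quick check is to run `radiusd -X` and confirm that for an MS-CHAP test the debug output shows `mschap` setting Auth-Type while the LDAP block is never entered.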
More information about the Freeradius-Users mailing list