LDAP: Variables in "identity" setting

Phil Mayers p.mayers at imperial.ac.uk
Wed Dec 14 22:49:01 CET 2005


Derrick Woo wrote:
> Hello Phil,
> 
> I've removed "ldap" from the authorize section now, but now it's not 
> even connecting to the ldap server.  Am I overlooking something?


Weeellll... I must be honest, I've never actually used it myself (ducks 
:o) but that's certainly what the source and docs imply.

(goes off to try)

Ah, the users file *actually* needs to be:

DEFAULT Auth-Type := LDAP, Ldap-UserDN := `uid=%{User-Name},RESTOFDN`

...because the authenticate section has ldap as a conditional module:

authenticate {
   Auth-Type LDAP {
     ldap
   }
}

With the final above fix, this definitely works for me. However, you 
should be aware of the implications of setting (forcing) Auth-Type in 
the users file - by forcing it to LDAP unconditionally you will prevent 
e.g. mschap, eap, etc. working at a later date (this is why it's 
generally not recommended, but for specific and limited circumstances 
where you're sure this is what you want, I guess it's ok)

You could put the "files" module last in the authorize section, and use:

DEFAULT Auth-Type = LDAP, Ldap-...

...which will only set the Auth-Type if it's not already set - then if 
e.g. mschap or eap match first, ldap won't attempt to seize the request.

[Perhaps someone else could chip in with info about the implications of 
putting the "ldap" module as a non-conditional in "authenticate" - I was 
under the impression that all the modules in authenticate should be 
conditional because only one was ever called, but e.g. digest, pam, 
unix, eap don't seem to be?]
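
An added side-by-side illustration of the two users-file placements described above (example configuration, not from the original thread or the FreeRADIUS distribution): the forcing form with `:=` beside the conditional form with `=` and `files` moved to the end of authorize. RESTOFDN is a placeholder for your base DN, and the FreeRADIUS 1.x authorize/authenticate layout and module names are assumptions.

```conf
# --- Forcing form: Auth-Type is overridden for every request ---
# users file: every request is handed to the LDAP Auth-Type, so mschap,
# eap and friends can never claim it, even if they matched earlier.
DEFAULT Auth-Type := LDAP, Ldap-UserDN := "uid=%{User-Name},RESTOFDN"

# --- Conditional form: Auth-Type is only set if nothing earlier set it ---
# radiusd.conf (FreeRADIUS 1.x layout assumed)
authorize {
    preprocess
    mschap      # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
    eap         # sets Auth-Type := EAP when an EAP-Message is present
    files       # last, so the "=" entry below cannot override the above
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap
    }
    eap
}

# users file: "=" adds Auth-Type only when no earlier module already set it
DEFAULT Auth-Type = LDAP, Ldap-UserDN := "uid=%{User-Name},RESTOFDN"
```

Running radiusd in debug mode (`radiusd -X`) shows which module set Auth-Type for a given request, which is the quickest way to confirm the ordering behaves as intended.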