LDAP authentication

Stefan Winter stefan.winter at restena.lu
Wed Aug 30 09:15:12 CEST 2006


> I should have tried that mapping.
> It still doesn't work.
> I can perform radtest queries  username/LDAPpassword, and I get the accept
> response.
> If I use the query with username/remotepassword, I get rejected.

Okay, I can't verify what I propose now, so I might be wrong, but:

ldap is usually called twice: during authorize and authenticate. authorize is 
the section that pulls attributes out of LDAP using ldap.attrmap and is the 
one you need. In authenticate, it tries a bind with the user's name and 
password. This is NOT what you want, because the bind will fail. You could 
try to _comment out_ the following lines from your authenticate section:

Auth-Type LDAP {

so that the bind isn't attempted. Not sure if that's enough though, since the 
ldap in authorize will set Auth-Type to LDAP by itself... But if it doesn't, 
someone else would need to jump in, that's beyond my experience. Maybe it's 
necessary to set Auth-Type to PAP in the users file manually then.


Stefan Winter


Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
