FreeRadius and LDAP
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Fri Dec 1 10:21:44 CET 2006
> -----Original Message-----
> From: freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org
> [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org] On behalf of Sundaram Divya-QDIVYA1
> Sent: Thursday 30 November 2006 23:51
> To: freeradius-users at lists.freeradius.org
> Subject: FreeRadius and LDAP
>
> We don't use openldap or eDirectory - which is what the docs
> are derived from.
This shouldn't be an issue if your directory is really LDAP compliant.
> The information for FreeRADIUS and LDAP seems to
> suggest that I need to provide access to the LDAP server's
> password to the service account that the FreeRADIUS Server uses.
This is often required, but not always: if you are using an authentication
protocol that transmits the password in cleartext to the radius server (such
as PAP), you can avoid this.
> What I need to understand is how to integrate FreeRADIUS with
> an LDAP Server without exposing the (crypted) password
> hashes. Any pointers on what I need to do for that?
* Enable the ldap module in the authorize section (so that Auth-Type is set to LDAP [FR >= 1.1.3])
* If you are running FR <= 1.1.3 then you'll have to set Auth-Type = LDAP manually (see the "users" file from rlm_files or the rlm_sql module)
* Enable the ldap module in the authenticate section as well (so that a simple ldap bind authentication is performed)
* In the ldap configuration section, you can use an LDAP account that does not have read access to the userPassword attribute
BUT
===
Remember that this is NOT compatible with a lot of authentication protocols
(MSCHAP, CHAP, PEAP, ...).
It is working for PAP and EAP-TTLS/PAP.
HTH,
Thibault
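The setup described in the reply above, written out as a FreeRADIUS 1.x radiusd.conf fragment. This is an added example, not configuration from the original post or from the FreeRADIUS project; the server name, base DN, bind DN and certificate path are placeholders, and the set_auth_type and tls_cacertfile keys are assumed to be those of the 1.1 series of rlm_ldap.

```conf
# Added example, not from the original post. All DNs, hostnames and paths
# below are placeholders.

# radiusd.conf (FreeRADIUS 1.x): the ldap module instance.
modules {
    ldap {
        server = "ldap.example.org"
        # Service account used for the lookup bind. It only needs search and
        # read rights on the attributes used to find the entry (uid here);
        # it does NOT need read access to userPassword.
        identity = "cn=radius-svc,ou=services,dc=example,dc=org"
        password = "placeholder-service-password"
        basedn = "ou=people,dc=example,dc=org"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # The user's PAP password is sent to the directory in the simple
        # bind below, so protect the RADIUS -> LDAP leg with TLS.
        start_tls = yes
        tls_cacertfile = /etc/raddb/certs/ldap-ca.pem
        # Assumed 1.1-series key: let the module set Auth-Type = LDAP when it
        # finds the user but could not read a password attribute.
        set_auth_type = yes
    }
}

authorize {
    preprocess
    # ldap in authorize: locates the user's DN. With no read access to
    # userPassword it cannot hand a "known good" password to PAP/CHAP/MSCHAP,
    # which is why only PAP (and EAP-TTLS/PAP) works with this setup.
    ldap
}

authenticate {
    # ldap in authenticate: re-binds to the directory as the user's own DN
    # with the cleartext password from the Access-Request.
    Auth-Type LDAP {
        ldap
    }
}

# Where the module does not set Auth-Type itself (older releases, see the
# reply above), set it from the rlm_files "users" file instead:
#   DEFAULT  Auth-Type := LDAP
```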