LDAP authorization for EAP-TLS authentication
Keith Moores
kmm6b at virginia.edu
Thu Mar 16 17:43:25 CET 2006
I'm trying to understand the relationship between the modules in the
authorize {} and authenticate {} sections and how it relates to the
directives defined in users. EAP-TLS works fine, but I can't seem to
figure out how to make the ldap authorization reject a user.
DEFAULT Auth-Type := eap, Autz-Type := ldap
authorize {
    preprocess
    ldap
    eap
}
authenticate {
    eap
}
ldap {
    server = "our-server.itc.virginia.edu"
    identity = "uid=uva-all,ou=ITC-User,ou=It,o=University of Virginia,c=US"
    password = "our-password"
    basedn = "o=University of Virginia,c=US"
    filter = "(wirelessAccess=%{Stripped-User-Name:-%{User-Name}})"
    base_filter = "(objectclass=Person)"
    start_tls = no
    access_attr = "wirelessAccess"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    access_attr_used_for_allow = yes
}
The ldap server logs show multiple queries, which are not
returning anything.
This can be confirmed with:
ldapsearch -b "o=University of Virginia,c=US" wirelessAccess=kmm6b wirelessAccess
which returns nothing. If nothing is returned shouldn't the
authorization fail? I'm missing something, hopefully not too obvious...
------------------------------------------------------------------------
Keith Moores <mailto:kmm6b at virginia.edu>
Network Systems
ITC-Communications and Systems Division
University of Virginia, ITC-2015 Ivy Rd Phone (434) 924-0621
Box 400324, Charlottesville, VA 22904-4324 Fax (434) 982-4715
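Added example (editor's note, not part of the original post or the FreeRADIUS project's own files) showing one way to get the reject the poster is after. Two things in the posted configuration explain the behaviour. First, rlm_ldap only evaluates access_attr once the search has returned an entry; when the filter matches nothing the module returns "notfound", and in the authorize section "notfound" means "carry on with the next module", so eap runs and the client is authenticated on its certificate alone. A filter that already requires wirelessAccess to be present can therefore never reach the access_attr reject path. Second, the users entry (Auth-Type := eap, Autz-Type := ldap) has no effect here because the files module is not listed in authorize, and it is not needed anyway: rlm_eap sets Auth-Type itself when it sees an EAP-Message. The fragments below search for the user's own entry by uid (an assumption about the directory schema; the bind DN in the post suggests uid is in use), let access_attr decide for users who exist, and use the per-module return code override described in doc/configurable_failover in the 1.x tree so that a user with no entry at all is rejected rather than passed through. Server, bind DN, password and base DN are copied from the post.

```conf
# radiusd.conf fragments for FreeRADIUS 1.x (added example, not the poster's
# configuration). Server, bind DN, password and base DN come from the post;
# the uid-based filter and everything else are assumptions about the site.
modules {
    ldap {
        server   = "our-server.itc.virginia.edu"
        identity = "uid=uva-all,ou=ITC-User,ou=It,o=University of Virginia,c=US"
        password = "our-password"
        basedn   = "o=University of Virginia,c=US"

        # Find the user's entry, not the attribute. No entry -> rlm_ldap
        # returns "notfound" (handled in authorize below). Entry found ->
        # the access_attr check decides allow or deny.
        filter      = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=Person)"

        # Entry exists but wirelessAccess is absent (or set to FALSE):
        # rlm_ldap returns "reject", which stops authorize immediately.
        access_attr                = "wirelessAccess"
        access_attr_used_for_allow = yes

        start_tls               = no
        ldap_connections_number = 5
        timeout                 = 4
        timelimit               = 3
        net_timeout             = 1
    }
}

authorize {
    preprocess

    # Per-module return code override. Without it a search that matches
    # nothing yields "notfound", authorize keeps going, and eap then
    # authenticates the client on its certificate alone.
    ldap {
        notfound = reject
    }

    eap
}

authenticate {
    eap
}
```

Two caveats a practitioner should keep in mind. The authorize section runs on every EAP round trip, so the LDAP lookup is repeated several times per TLS handshake; the radiusd -X output will show the reject on the first round, before any TLS data is exchanged. More importantly, the User-Name that drives this lookup is the outer EAP identity chosen by the supplicant and is not itself authenticated; only the certificate is. An LDAP decision keyed on User-Name alone is therefore bypassable by a certificate holder who sends someone else's identity, unless the identity is tied to the certificate, for example with check_cert_cn = %{User-Name} in the tls sub-section of eap.conf so that the certificate's CN must match the name that was looked up.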
More information about the Freeradius-Users mailing list