LDAP authorization for EAP-TLS authentication
Alan DeKok
aland at ox.org
Thu Mar 16 19:38:53 CET 2006
Keith Moores <kmm6b at virginia.edu> wrote:
> I'm trying to understand the relationship between the modules in the
> authorize {} and authenticate {} sections and how it relates to the
> directives defined in users.
The "users" file is just another "authorization" module.
See also doc/aaa.txt
> EAP-TLS works fine, but I can't seem to
> figure out how to make the ldap authorization reject a user.
See the ldap section of radiusd.conf. You can say "user is not
allowed for remote access".
> The ldap server logs show multiple queries, which are not
> returning anything.
> This can be confirmed with:
> ldapsearch -b "o=University of Virginia,c=US" wirelessAccess=kmm6b
> wirelessAccess
> which returns nothing. If nothing is returned shouldn't the
> authorization fail?
No. Why would it? LDAP is just one possible database out of many.
You may have some users in LDAP, and others in SQL.
See doc/configurable_failover. You can configure the server to
reject users if the LDAP module returns NOOP.
Alan DeKok.
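As an added illustration of the two pointers in the reply above (not part of the original message or of the FreeRADIUS distribution), here is what the configurable-failover override and the ldap access attribute look like in a FreeRADIUS 1.x radiusd.conf. The server hostname is a constructed placeholder, the base DN is taken from the ldapsearch in the question, and using wirelessAccess as the access attribute is an assumption based on that same search.

```text
# --- modules section of radiusd.conf (ldap instance named "ldap") ---
ldap {
    server = "ldap.example.edu"                # constructed placeholder
    basedn = "o=University of Virginia,c=US"   # from the ldapsearch above
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    # "User is not allowed for remote access": rlm_ldap rejects any entry
    # that lacks this attribute (or has it set to FALSE). Assumed attribute.
    access_attr = "wirelessAccess"
}

# --- authorize section: default behaviour ---
# A user absent from LDAP makes rlm_ldap return noop/notfound, and the
# request simply falls through to the next module. Nothing rejects it.
authorize {
    preprocess
    eap
    ldap
    files
}

# --- authorize section: configurable failover (doc/configurable_failover) ---
# The braces override rlm_ldap's return codes: a noop or notfound from the
# LDAP lookup now rejects the request instead of continuing to "files".
authorize {
    preprocess
    eap
    ldap {
        noop     = reject
        notfound = reject
    }
    files
}
```

Only one authorize section may be present in a real radiusd.conf; the two are shown side by side to contrast the default fall-through with the rejecting configuration.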