LDAP authorization for EAP-TLS authentication

Alan DeKok aland at ox.org
Thu Mar 16 19:38:53 CET 2006


Keith Moores <kmm6b at virginia.edu> wrote:
> I'm trying to understand the relationship between the modules in the  
> authorize {} and authenticate {} sections and how it relates to the  
> directives defined in users.

  The "users" file is just another "authorization" module.

  See also doc/aaa.txt

>  EAP-TLS works fine, but I can't seem to  
> figure out how to make the ldap authorization reject a user.

  See the ldap section of radiusd.conf.  You can say "user is not
allowed for remote access".

> The ldap server logs show multiple queries, which are not  
> returning anything.
> This can be confirmed with:
> ldapsearch -b "o=University of Virginia,c=US" wirelessAccess=kmm6b  
> wirelessAccess
> which returns nothing.  If nothing is returned shouldn't the  
> authorization fail?

  No.  Why would it?  LDAP is just one possible database out of many.
You may have some users in LDAP, and others in SQL.

  See doc/configurable_failover.  You can configure the server to
reject users if the LDAP module returns NOOP.

  Alan DeKok.
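As an added illustration of the two options Alan points to (this is not configuration from the thread, and the attribute name "wirelessAccess", the server name and the exact module return code that your ldap module produces for a missing entry are assumptions, so check them against your own debug output), here are the relevant radiusd.conf fragments in FreeRADIUS 1.x syntax. The first makes rlm_ldap itself deny a user whose entry lacks the access attribute; the second uses the return-code overrides from doc/configurable_failover so that a lookup that finds nothing rejects the request instead of quietly falling through to the next module:

```conf
# Added example (not from the thread).  FreeRADIUS 1.x style radiusd.conf
# fragments showing how to make the LDAP step decide the outcome.

# 1) Let rlm_ldap deny users whose entry lacks the access attribute.
#    "wirelessAccess" is taken from the ldapsearch in the question and is
#    an assumption about the directory schema; the hostname is made up.
modules {
    ldap {
        server = "ldap.example.com"
        basedn = "o=University of Virginia,c=US"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # With access_attr_used_for_allow = yes the entry must carry this
        # attribute, otherwise the module returns userlock (access denied)
        # rather than notfound/noop, and the request is rejected.
        access_attr = "wirelessAccess"
        access_attr_used_for_allow = yes
    }
}

# 2) Override the module return codes (doc/configurable_failover): a user
#    with no matching entry (notfound) or nothing to return (noop) is
#    rejected here instead of being handed on to the next module.
#    Which of the two codes your ldap module actually returns for a
#    missing entry is an assumption; run radiusd -X to confirm.
authorize {
    preprocess
    ldap {
        notfound = reject
        noop = reject
    }
    eap
}

authenticate {
    eap
}
```

Keep "eap" in authorize so the EAP-TLS rounds still get their Auth-Type set; the ldap entry runs first because the identity from the EAP outer request is already in User-Name at that point, and a user who is not in the directory never reaches the TLS handshake.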
