Avoiding ldapsearch on LDAP authentication

MAEDA Atusi maeda-freeradius at atusi.org
Tue Mar 21 11:11:50 CET 2006


Thanks for the reply.

On 3/21/06, Natalia Escalera <nescalera at gmail.com> wrote:

> It is my understanding that Freeradius uses Ldap search in order to
> authenticate users and that the Ldap bind is used to point to the
> location where the search will be done at the Ldap server.

Well, I'll quote from doc/rlm_ldap:

: When rlm_ldap has found the DN corresponding to the username provided in the
: access-request (all this happens in the authorize section) it will add an
: Ldap-UserDN attribute in the check items list containing that DN. The attribute
: will be searched for in the authenticate section and if present will be used for
: authentication (ldap bind with the user DN/password). Otherwise a search will
: be performed to find the user dn. If the administrator wishes to use rlm_ldap
: only for authentication or does not wish to populate the identity,password
: configuration attributes he can set this attribute by other means and avoid the
: ldap search completely. For instance it can be set through the users file in the
: authorize section:
:
: DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`

So, my understanding is that:
1. For authentication, Ldap-UserDn must be filled.  If the bind with that DN succeeds,
   authentication succeeds.
2. Ldap-UserDn can be filled in the authorization phase, either via ldap search, or in
   the users file (like in the document above).

In the source file rlm_ldap.c, in the function ldap_authenticate(), if
pairfind(request->packet->vps, PW_LDAP_USERDN) returns non-NULL,
FR does no search and tries ldap_connect with the DN found.  If ldap_connect
succeeds, ldap_authenticate returns ok.
(vps means `value pairs', which represents a list of variable-value pairs, I guess.)

If pairfind() returns NULL, FR invokes perform_search() using the DN, password,
and filter given in radiusd.conf, and searches for the user DN.

So far, so good.  What I don't understand is why the Ldap-UserDn I wrote
in the users file is not passed to ldap_authenticate() (i.e. why pairfind() returns
NULL).

> >  rlm_ldap: object not found or got ambiguous search result
> Check your basedn in radiusd.conf

Thanks, but I think the error is because FR binds anonymously.
(And I don't want to allow anonymous search for the LDAP directory.)

--maeda
