Default radiusd.conf and Auth-Type LDAP comment
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Fri Sep 22 09:52:18 CEST 2006
> Thibault Le Meur <Thibault.LeMeur at supelec.fr> wrote:
>> * the inner PAP authentication is "processed" by the ldap module in
>> which I don't need to define which password hashing method is used (I
>> use at least CRYPT _and_ MD5 in the same directory for historical
>> reasons)
>
> Version 2.0 has fixes that make it much easier to handle multiple
> hashing types in the same LDAP database.
Yes, I remember having read something about this on the list... I'm
longing to test this release ;-)
>> * I don't need to have freeradius _read_ the passwords from the
>> directory: the DN identity defined in the ldap module can only have
>> auth and read access to radius entries but not to the passwords (which
>> from my point of view is more secure)
>
> If all you're doing is PAP, sure. Most wireless deployments use
> PEAP, and then people wonder why "bind as user" doesn't work. It's
> frustrating.
I understand (it's true that this list is nearly 30% about this kind of
issue despite the FAQs on this) :-(
>> Again, I might not have caught your meaning: Are you saying that in the
>> future the standard ldap module will be only an authorization module,
>> and that a new ldap_bind module could be used in the authenticate
>> section?
>
> I think it's a good idea.
Why not indeed ... (as long as there's a new ldap_bind module to
replace the ldap 'authentication' part ;-) ).
Thanks for this reply and for this great open source project.
Regards,
Thibault
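
Added example, not part of the original message or of FreeRADIUS: a Python sketch of the point in the exchange above, that bind-as-user lets the directory verify a PAP password whatever hash scheme is stored, while a challenge-response method gives the RADIUS server nothing to bind with. The directory contents, the function names, the {MD5}/{SSHA} schemes and the use of CHAP (RFC 1994) as a stand-in for the MSCHAPv2 usually run inside PEAP are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed directory: two accounts stored under different schemes
# (stand-ins for the mixed CRYPT/MD5 directory mentioned in the thread).
DIRECTORY = {
    "alice": "{MD5}" + _b64(hashlib.md5(b"alice-pw").digest()),
    "bob": "{SSHA}" + _b64(hashlib.sha1(b"bob-pw" + b"salt").digest() + b"salt"),
}

def directory_bind(user: str, password: str) -> bool:
    """Simple bind as the directory sees it: the server picks the scheme itself."""
    stored = DIRECTORY.get(user)
    if stored is None:
        return False
    scheme, _, blob = stored.partition("}")
    raw = base64.b64decode(blob)
    pw = password.encode()
    if scheme == "{MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "{SSHA":
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False

def radius_pap(user: str, password: str) -> bool:
    """PAP: the cleartext reaches the RADIUS server, so it can be forwarded in a
    bind. The RADIUS identity never reads userPassword or knows the scheme."""
    return directory_bind(user, password)

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def radius_chap(user, chap_id, challenge, response, cleartext_lookup):
    """Challenge-response: no password arrives, so there is nothing to bind with.
    cleartext_lookup models reading a usable secret from the directory; an
    identity without read access to passwords returns None."""
    secret = cleartext_lookup(user)
    if secret is None:
        return None  # server cannot reach a decision
    expected = chap_response(chap_id, secret, challenge)
    return hmac.compare_digest(expected, response)
```
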