Configuring LDAP for query ONLY...

Eric Martell workoutexcite at yahoo.com
Tue Dec 4 18:40:01 CET 2007


Hi,
  Is it possible to avoid the authenticate section
altogether and just do LDAP lookups in the authorize
section?

authorize {
   ldap {
     notfound = reject
   }
}

The problem is in the authenticate section: radiusd
gets the user DN from authorize and tries to "bind"
to LDAP with a password, which we don't have.

I also tried this in the users file:
Ldap-UserDN := `cn=Manager,dc=eng,dc=com/answer2`

But for some reason it is not working.

Please help.

Let me know if you need more information or please
guide me to any documentation.

Thanks and Regards,
Eric.





--- Eric Martell <workoutexcite at yahoo.com> wrote:

> I am a little bit confused as to how to configure
> radiusd.conf in the authorize and/or authenticate
> section. So the password is going to act like an
> LDAP attribute.
> 
> We are going to pass the username and an LDAP
> attribute (home phone #) as input for each user.
> 
> The way it is configured now in the modules section is:
> 
> ldap {
> server = "10.11.12.2"
> identity = "cn=Manager,dc=eng,dc=com"
> password = answer2
> basedn = "dc=eng,dc=com"
> 
> filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(phone=1231313128))"
> # just for testing
> 
> ldap_connections_number = 5
> 
> timeout = 4
> 
> timelimit = 3
> 
> net_timeout = 1
> 
> }
> 
> 
> 
> 
> 
> authorize {
> ..
> ..
> ..
> ldap
> ...
> 
> }
> 
> authenticate {
>         Auth-Type LDAP {
>                 ldap
>         }
> }
> 
> 
> In the logs it says:
> 
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for test1
> radius_xlat:  '(&(uid=test1)(phone=1231313128))'
> radius_xlat:  'dc=eng,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: bind as cn=Manager,dc=eng,dc=com/answer2 
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=eng,dc=com, with
> filter (&(uid=test1)(phone=1231313128))
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user test1 authorized to use remote access
> 
> 
> this is good....
> But in the authenticate section
> 
> 
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "test1" with password
> "1231313128"
> rlm_ldap: user DN: id=1967816, dc=eng,dc=com
> rlm_ldap: bind as id=1967816,
> dc=eng,dc=com/1231313128
> 
> rlm_ldap: waiting for bind result ...
> rlm_ldap: id=1967816, dc=eng,dc=com bind to
> 10.11.12.2:389 failed Inappropriate authentication
> rlm_ldap: ldap_connect() failed
> 
> 
> 
> Not sure why it is trying to bind as id=1967816,
> dc=eng,dc=com/1231313128 
> 
> The only thing I want to do is just authorize
> against LDAP and pass the user through.
> 
> 
> Please let me know if I am missing something.
> 
> Thanks so much.
> 
> Regards,
> Erik.
> 
> 
> 
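As an added example (not the poster's configuration), these FreeRADIUS 1.x/2.x fragments do the LDAP lookup in authorize only and never enter authenticate, which is what the question above asks for. They assume the ldap module settings from the quoted mail; the filter matching `phone` against `User-Password` and the `Auth-Type := Accept` policy are the poster's design, so the LDAP match is the only check a request gets.

```conf
# Added example, not the poster's configuration. FreeRADIUS 1.x/2.x
# fragments that do the LDAP lookup in authorize and skip authenticate.
# Assumes the ldap module settings from the quoted mail.

# radiusd.conf, modules section
ldap {
	server   = "10.11.12.2"
	identity = "cn=Manager,dc=eng,dc=com"
	password = answer2
	basedn   = "dc=eng,dc=com"

	# Match the user by uid and by the value sent in User-Password
	# (only present for PAP; CHAP/MS-CHAP do not carry the plaintext).
	# rlm_ldap runs expanded values through its LDAP filter escaping.
	filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(phone=%{User-Password}))"

	# Do not let rlm_ldap set Auth-Type := LDAP; that is what caused
	# the bind as the user's own DN in the quoted log.
	set_auth_type = no
}

# users file (read by the "files" module)
# Every request that reaches this point is accepted without running
# the authenticate section; the LDAP match is the only check.
DEFAULT	Auth-Type := Accept

# radiusd.conf, authorize section: files runs before ldap so Auth-Type
# is already set when ldap runs; a missing entry becomes Access-Reject.
authorize {
	preprocess
	files
	ldap {
		notfound = reject
	}
}
```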





