LDAP bind as user

Alan DeKok aland at deployingradius.com
Wed Aug 5 14:39:26 CEST 2009


Mark Saner wrote:
> I'm using freeradius 2.0.4 for eap-peap authentication with LDAP as my
> back end. Everything is working great (thanks to help from this mailing
> list). However I was wondering if there is a way to get RADIUS to bind
> to LDAP as the user that is trying to authenticate rather than the LDAP
> admin account. I recall reading somewhere that it is not recommended to
> do this but I can't remember where and I am not finding it as I search
> this morning.

  http://deployingradius.com/documents/protocols/compatibility.html

> Is it possible to bind to the LDAP database as the user trying to
> authenticate? If so how? If not or if it isn't desirable what
> suggestions do you have for a more secure way of binding to the LDAP
> server?

 It's not possible to do "bind as user" for PEAP.  This is because there
is no password in PEAP that can be used to "bind as user".

  You should use LDAP as a *database*, not as an authentication server.
 Have LDAP supply a password to FreeRADIUS, and FreeRADIUS will
authenticate the user.

  Alan DeKok.
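To make the point concrete, here is an added illustration in Go (not part of this thread and not FreeRADIUS's own code) of what the server side of a PEAP inner MS-CHAPv2 authentication actually receives and how it is checked against the NT hash that LDAP supplies. The sample data are the RFC 2759 section 9 test vectors, used here as constructed input: the 16-byte NT hash stands in for the value an ntPassword-style LDAP attribute would return (the FreeRADIUS `mschap` module performs the equivalent check from `NT-Password`), and the two challenges plus the 24-byte response are what the client actually sends. Function names are mine.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// mustHex decodes a hex string or panics; used only for the constructed sample values.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// challengeHash implements ChallengeHash() from RFC 2759 section 8.2:
// the first 8 bytes of SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}

// desKey spreads a 7-byte key over 8 bytes so that the low bit of each byte is
// a parity position, which the DES key schedule ignores (RFC 2759 section 8.6).
func desKey(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] >> 1
	k[1] = ((k7[0] & 0x01) << 6) | (k7[1] >> 2)
	k[2] = ((k7[1] & 0x03) << 5) | (k7[2] >> 3)
	k[3] = ((k7[2] & 0x07) << 4) | (k7[3] >> 4)
	k[4] = ((k7[3] & 0x0F) << 3) | (k7[4] >> 5)
	k[5] = ((k7[4] & 0x1F) << 2) | (k7[5] >> 6)
	k[6] = ((k7[5] & 0x3F) << 1) | (k7[6] >> 7)
	k[7] = k7[6] & 0x7F
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// ntResponse implements ChallengeResponse() from RFC 2759 section 8.5: the
// 16-byte NT hash is zero-padded to 21 bytes and split into three 7-byte DES
// keys, each of which encrypts the 8-byte challenge in ECB mode.
func ntResponse(ntHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	out := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKey(padded[i*7 : i*7+7]))
		if err != nil {
			panic(err)
		}
		cipher := make([]byte, 8)
		block.Encrypt(cipher, challenge)
		out = append(out, cipher...)
	}
	return out
}

// verifyNTResponse is the server-side check: recompute the expected response
// from the stored NT hash and compare it, in constant time, with what the
// client sent. The only secret consumed here is ntHash; a cleartext password
// never appears, so there is nothing the server could reuse for an LDAP bind.
func verifyNTResponse(ntHash, peerChallenge, authChallenge []byte, userName string, response []byte) bool {
	if len(ntHash) != 16 || len(response) != 24 {
		return false
	}
	expected := ntResponse(ntHash, challengeHash(peerChallenge, authChallenge, userName))
	return subtle.ConstantTimeCompare(expected, response) == 1
}

func main() {
	// Constructed sample: RFC 2759 section 9 test vectors. The NT hash stands in
	// for the value LDAP would hand to the RADIUS server; the challenges and the
	// 24-byte response are what the PEAP inner MS-CHAPv2 exchange delivers.
	ntHash := mustHex("44EBBA8D5312B8D611474411F56989AE")
	authChallenge := mustHex("5B5D7C7D7B3F2F3E3C2C602132262628")
	peerChallenge := mustHex("21402324255E262A28295F2B3A337C7E")
	response := mustHex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

	fmt.Println("valid response accepted:", verifyNTResponse(ntHash, peerChallenge, authChallenge, "User", response))

	// Flip one bit of the response: the check fails.
	tampered := append([]byte(nil), response...)
	tampered[0] ^= 0x01
	fmt.Println("tampered response accepted:", verifyNTResponse(ntHash, peerChallenge, authChallenge, "User", tampered))
}
```

Run it with `go run`. The exchange gives the server two challenges and a one-way response, and the only stored material it needs is the NT hash; that is the "LDAP as a database" arrangement in the reply above, where the `ldap` module fetches the hash during authorization and `mschap` does the authentication, rather than any attempt to bind to LDAP with the user's credentials.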
