LDAP bind as user

Rokkhan rokkhan at gmail.com
Wed Aug 5 14:55:42 CEST 2009


You could use LDAP as authentication using EAP-TTLS.


2009/8/5 Alan DeKok <aland at deployingradius.com>:
> Mark Saner wrote:
>> I'm using freeradius 2.0.4 for eap-peap authentication with LDAP as my
>> back end. Everything is working great (thanks to help from this mailing
>> list). However I was wondering if there is a way to get RADIUS to bind
>> to LDAP as the user that is trying to authenticate rather than the LDAP
>> admin account. I recall reading somewhere that it is not recommended to
>> do this but I can't remember where and I am not finding it as I search
>> this morning.
>
>  http://deployingradius.com/documents/protocols/compatibility.html
>
>> Is it possible to bind to the LDAP database as the user trying to
>> authenticate? If so how? If not or if it isn't desirable what
>> suggestions do you have for a more secure way of binding to the LDAP
>> server?
>
>  It's not possible to do "bind as user" for PEAP.  This is because there
> is no password in PEAP that can be used to "bind as user".
>
>  You should use LDAP as a *database*, not as an authentication server.
>  Have LDAP supply a password to FreeRADIUS, and FreeRADIUS will
> authenticate the user.
>
>  Alan DeKok.

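The difference discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: a PAP-style request (as can be carried inside EAP-TTLS) hands the server a cleartext password it can bind with, while a challenge-response request does not, so the directory has to supply the stored password. RFC 1994 CHAP is used here as a simple stand-in for the challenge-response exchange inside PEAP; the `DIRECTORY` dict, the request layout and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the LDAP directory: user -> cleartext password attribute.
DIRECTORY = {"mark": "s3cret-constructed"}

def ldap_bind_as_user(user, password):
    """Hypothetical stand-in for an LDAP simple bind: it needs the cleartext password."""
    stored = DIRECTORY.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def authenticate(request):
    """Return (accepted, method) for a constructed request dict."""
    user = request["user"]
    if "password" in request:
        # PAP-style: the server holds the cleartext password and can pass it
        # straight to the directory in a bind.
        return ldap_bind_as_user(user, request["password"]), "bind-as-user"
    # Challenge-response: only the challenge and the response reach the server.
    # Neither can be used in a bind, so the directory acts as a database and
    # supplies the stored password for the server to recompute the response.
    stored = DIRECTORY.get(user)
    if stored is None:
        return False, "database-lookup"
    expected = chap_response(request["id"], stored, request["challenge"])
    return hmac.compare_digest(expected, request["response"]), "database-lookup"

def demo():
    """Run one PAP-style, one valid and one invalid challenge-response request."""
    challenge = os.urandom(16)
    pap = {"user": "mark", "password": "s3cret-constructed"}
    chap = {"user": "mark", "id": 7, "challenge": challenge,
            "response": chap_response(7, "s3cret-constructed", challenge)}
    bad = dict(chap, response=chap_response(7, "wrong", challenge))
    return [authenticate(r) for r in (pap, chap, bad)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```
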