LDAP Config Clarification
tnt at kalik.net
Tue Mar 17 17:48:08 CET 2009
>> Do you really want to accept these users without checking their
>> passwords? That's a *very* bad idea.
>
>I agree. What am I missing? I thought the user passwords were
>checked by the ldap module via the authentication section. Is that
>not correct?
>
Remove those entries in users file. They are bypassing password checking.
If you want to accept only some ldap groups use unlang. Something like:
    if (Ldap-Group == something || Ldap-Group == something_else) {
        ok
    }
    else {
        update control {
            Auth-Type := Reject
        }
    }
>> The group membership configurations should ensure that it's using the
>> memberOf attribute.
>
>Can you give me an example please? I'm not sure I understand...
>
Example is the default group membership query in raddb/modules/ldap.
>> Why are you not checking passwords? That's a bad idea...
>
>I thought I was... Do I need more than this?
>
>authenticate {
> Auth-Type LDAP {
> ldap
> }
>}
Yes. Auth-Type LDAP needs to be set. If you force Auth-Type Accept in
users file this will never be used.
Ivan Kalik
Kalik Informatika ISP
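
An added example, not part of the original message: a small audit script that flags entries in a FreeRADIUS users file whose check line forces Auth-Type to Accept, the condition described above as bypassing password checking. The sample file contents and the function name find_forced_accept are constructed for illustration; it assumes the usual users layout (entry name in column 0 followed by check items, reply items on indented lines).

```python
import re

# Constructed sample of a "users" file (not taken from the thread).
SAMPLE_USERS = '''\
# accept anyone in these LDAP groups
DEFAULT Ldap-Group == "staff", Auth-Type := Accept
        Reply-Message = "Welcome"

#DEFAULT Auth-Type := Accept
DEFAULT\tLdap-Group == "guests", Auth-Type := Reject

alice\tAuth-Type = "Accept"
'''

# One check item: attribute, operator, value (quoted or bare).
ITEM = re.compile(
    r'([\w-]+)\s*(:=|==|\+=|!=|=~|!~|<=|>=|=|<|>)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)'
)

def find_forced_accept(text):
    """Return (line_no, entry_name, operator) for each entry whose check
    items set Auth-Type to Accept, so the authenticate section never runs."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Skip blanks, comments, and indented reply-item lines.
        if not line.strip() or line.startswith('#') or line[0].isspace():
            continue
        parts = line.split(None, 1)
        name = parts[0]
        checks = parts[1] if len(parts) > 1 else ''
        for attr, op, value in ITEM.findall(checks):
            # ':=' and '=' assign a control attribute; '==' only compares.
            if (attr.lower() == 'auth-type' and op in (':=', '=')
                    and value.strip('"').lower() == 'accept'):
                findings.append((line_no, name, op))
    return findings

if __name__ == '__main__':
    for line_no, name, op in find_forced_accept(SAMPLE_USERS):
        print(f'line {line_no}: entry {name!r} sets Auth-Type {op} Accept')
```
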