LDAP Config Clarification
Alan DeKok
aland at deployingradius.com
Wed Mar 18 13:11:15 CET 2009
Jason Frisvold wrote:
>>> DEFAULT Auth-Type := Reject
>>> Fall-Through = 1
>>
>> Huh? Why?
>
> I *thought* this was required, but apparently not?

No. The server will automatically reject anyone who isn't authenticated.
As a hint, the default config does *not* have that entry. So adding
it is likely "unusual".

>> Do you really want to accept these users without checking their
>> passwords? That's a *very* bad idea.
>
> I agree. What am I missing? I thought the user passwords were checked
> by the ldap module via the authentication section. Is that not correct?

Yes, they can be. But you're telling the server to *not* check
passwords. "Just accept the users... they're fine".

>> The group membership configurations should ensure that it's using the
>> memberOf attribute.
>
> Can you give me an example please? I'm not sure I understand...

See raddb/modules/ldap. Group checking is documented in the comments
there.

>> Why are you not checking passwords? That's a bad idea...
>
> I thought I was... Do I need more than this?

You need to use the *default* configuration files. Start with them.
Configure LDAP, and un-comment the references to "ldap" from the various
places in raddb/*. It should then work.

Alan DeKok.