LDAP Config Clarification
Jason Frisvold
xenophage0 at gmail.com
Wed Mar 18 16:03:58 CET 2009
Alan DeKok wrote:
> No. the server will automatically reject anyone who isn't authenticated.
>
> As a hint, the default config does *not* have that entry. So adding
> it is likely "unusual".
You are, of course, correct... :) I believe we resolved this now,
however. I removed the default reject and updated the ldap groups with
this:

DEFAULT Ldap-Group != "cn=vpn,ou=groups,o=myorg", Auth-Type := Reject

DEFAULT Ldap-Group == "cn=admin,ou=groups,o=myorg"
        Class = ADMIN,

DEFAULT Ldap-Group == "cn=user,ou=groups,o=myorg"
        Class = USER,
> Yes, they can be. But you're telling the server to *not* check
> passwords. "Just accept the users... they're fine".
I understand this now... What I have now appears to be working
properly. We tested all cases (with/without vpn group, good/bad password).
> See raddb/modules/ldap. Group checking is documented in the comments
> there.
Will do. Thanks a ton for the help...
> Alan DeKok.
--
---------------------------
Jason Frisvold
xenophage0 at gmail.com
---------------------------
"I love deadlines. I like the whooshing sound they make as they fly by."
- Douglas Adams
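
The test matrix described in the message (with/without the vpn group, good/bad password), as an added example that is not part of the original post and not FreeRADIUS code. It is a simplified model of users-file evaluation that assumes first-match-wins with no Fall-Through and treats the LDAP lookup as a set of group DNs; the `Auth-Type := Accept` entry used at the end is constructed to illustrate the quoted remark about not checking passwords.

```python
# Simplified model (an assumption, not FreeRADIUS source) of how the users
# file entries from this message are evaluated during authorization.
VPN = "cn=vpn,ou=groups,o=myorg"
ADMIN = "cn=admin,ou=groups,o=myorg"
USER = "cn=user,ou=groups,o=myorg"

# (operator, group DN, control items set with :=, reply items)
ENTRIES = [
    ("!=", VPN, {"Auth-Type": "Reject"}, {}),
    ("==", ADMIN, {}, {"Class": "ADMIN"}),
    ("==", USER, {}, {"Class": "USER"}),
]

def authorize(groups, entries=ENTRIES):
    """Walk entries top to bottom and stop at the first match."""
    for op, dn, control, reply in entries:
        member = dn in groups
        if (op == "==" and member) or (op == "!=" and not member):
            return dict(control), dict(reply)
    return {}, {}

def decide(groups, password_ok, entries=ENTRIES):
    """Return (packet type, reply items) for one login attempt."""
    control, reply = authorize(groups, entries)
    auth_type = control.get("Auth-Type")
    if auth_type == "Reject":
        return "Access-Reject", {}
    if auth_type == "Accept":
        # Forced accept: the password is never looked at.
        return "Access-Accept", reply
    if not password_ok:
        # Normal path: credentials that fail to verify are rejected.
        return "Access-Reject", {}
    return "Access-Accept", reply

def matrix(extra_group=ADMIN):
    """The four cases from the message: vpn membership x password validity."""
    out = {}
    for in_vpn in (True, False):
        groups = {extra_group} | ({VPN} if in_vpn else set())
        for password_ok in (True, False):
            out[(in_vpn, password_ok)] = decide(groups, password_ok)[0]
    return out

if __name__ == "__main__":
    for (in_vpn, password_ok), result in matrix().items():
        print(f"vpn={in_vpn!s:5} good_password={password_ok!s:5} -> {result}")
```

Only the vpn-member, good-password case yields Access-Accept. A user in both the admin and user groups receives Class ADMIN only, because evaluation stops at the first matching entry.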