questions about RADIUS-LDAP integrations

Alan DeKok aland at deployingradius.com
Mon Aug 30 12:40:26 CEST 2010


matteo at crs4.it wrote:
> I've been using freeradius for one month. I'm running freeradius 2.1.9 on
> fedora 13 with EAP-TTLS and PAP inside the tunnel. The users are
> authenticated against OpenLDAP. Even if the password is cleartext (PAP),
> it should be protected by the encrypted tunnel. Then the first question is:
> Is this mechanism quite secure, or do you suggest using another mechanism?

  It's fine.

> If I'm not wrong, there should be two different methods to get
> authentication with LDAP as backend. The first is to just pass the
> credentials to the ldap server and try to authenticate. The second is that
> freeradius obtains the password from ldap, strips the header (i.e. {crypt}
> ), takes the first two characters of the salt and uses it to crypt the
> password sent by the . If the two hashes are the same, the user is
> authenticated. In this case which is the best method, and how do the relevant
> files have to be modified? Should I also modify ldap.attrmap?

  The best method is to uncomment the "ldap" entries in
raddb/sites-enabled/default, and let the server figure it out.

  i.e. Make minimal edits.  *Don't* make a lot of changes.

  Alan DeKok.
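Alan's "uncomment the ldap entries" advice, sketched out below as an added illustration that is not part of the original thread. It assumes the stock FreeRADIUS 2.x raddb layout; surrounding lines are abbreviated with "...". Note that with EAP-TTLS the inner PAP request is not processed by sites-enabled/default at all: eap.conf's ttls section sets virtual_server = "inner-tunnel", so the same two uncommented lines belong in sites-enabled/inner-tunnel.

```text
# raddb/sites-enabled/inner-tunnel  (FreeRADIUS 2.x; the EAP-TTLS inner
# request lands here, not in sites-enabled/default, because eap.conf's
# ttls section points virtual_server at "inner-tunnel")
authorize {
    ...
    eap
    files
    ldap            # <- the one line to uncomment
    ...
    pap
}

authenticate {
    Auth-Type PAP {
        pap         # runs when rlm_ldap could read userPassword and
    }               #    handed the hash to the pap module
    Auth-Type LDAP {
        ldap        # <- uncomment too: bind-as-user fallback for when the
    }               #    RADIUS bind DN may not read userPassword
    eap
}
```

Which of the two methods the server "figures out" is decided by the OpenLDAP ACL on userPassword for the bind DN configured in raddb/modules/ldap: if that DN can read the attribute, rlm_ldap hands the hash to pap and the comparison happens inside FreeRADIUS; if it cannot, the Auth-Type LDAP branch binds as the user instead. Verify which path is taken by running radiusd -X and sending a test request (radtest for plain PAP, eapol_test from wpa_supplicant for the full EAP-TTLS exchange). One caveat on "protected by the encrypted tunnel": that holds only when the supplicant is configured to validate the server certificate; a client that skips validation will hand its PAP password to any RADIUS server that presents a certificate.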
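The second method matteo describes (fetch the stored hash, strip the scheme header, recover the salt, re-hash the submitted password and compare) is shown below as an added Python example, not code from the thread or from FreeRADIUS. It generalizes the {crypt} case in the question to the RFC 2307 schemes OpenLDAP normally stores ({SHA}, {SSHA}, {MD5}, {SMD5}, {CLEARTEXT} and unprefixed cleartext). The sample {SHA} value is the well-known hash of the string "password"; the {SSHA} values are constructed by the make_ssha helper. {CRYPT} itself is deliberately left out because it needs the platform crypt(3) and Python's stdlib crypt module is deprecated, so unknown schemes fail closed.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample for this example: RFC 2307 {SHA} hash of "password".
SAMPLE_SHA = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="


def make_ssha(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt).
    The salt is stored in the clear after the 20-byte digest, which is what
    lets a verifier recover it later."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ldap_password(stored, candidate):
    """Compare a cleartext candidate (what PAP delivers inside the TTLS tunnel)
    against a userPassword value the way the 'read the hash and compare' path
    does. Returns True/False; raises ValueError for schemes it cannot handle."""
    pw = candidate.encode("utf-8")
    if not stored.startswith("{"):
        # No scheme header: OpenLDAP treats the value as cleartext.
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    raw = base64.b64decode(payload)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":
        # SHA-1 digest is 20 bytes; everything after it is the salt.
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]
        return hmac.compare_digest(hashlib.md5(pw + salt).digest(), digest)
    # {CRYPT} and anything else: needs crypt(3) or is unknown; fail closed.
    raise ValueError("unsupported userPassword scheme: " + scheme)


if __name__ == "__main__":
    stored = make_ssha("s3cret")
    print(stored, verify_ldap_password(stored, "s3cret"))
    print(SAMPLE_SHA, verify_ldap_password(SAMPLE_SHA, "password"))
```

This is exactly why the comparison method only works for cleartext inside the tunnel: the server needs the candidate password in a form it can re-hash, which PAP provides and a challenge-response inner method does not. It also shows what the RADIUS bind DN must be allowed to read (userPassword) for this path to exist at all, and why the hmac.compare_digest calls matter: a plain == on digests leaks timing information to whoever is sending PAP attempts.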


