freeradius + ldap
Josip Rodin
joy at entuzijast.net
Thu Dec 2 12:38:36 CET 2010
On Thu, Dec 02, 2010 at 09:09:51AM +0100, Ana Gallardo wrote:
> > Add LDAP into the authenticate section, so that it simply tries to re-bind
> > with the provided credentials? Like this:
> >
> > Auth-Type LDAP {
> > ldapPerson
> > }
> >
>
> I tried this configuration too, but it doesn't work for me. Freeradius doesn't
> set the value of the Auth-Type attribute. I think that this is because the
> userPassword attribute is only visible to each particular user when they bind.
This is an orthogonal issue; you don't have to allow anyone to read the
value of the userPassword attribute, you just have to get the FR ldap
module to *bind* to the LDAP server with the username and password from
the request. Then the LDAP server verifies it against whatever it needs
in the background, and you don't care.
> # Executing section authorize from file /etc/freeradius/sites-enabled/test
> +- entering group authorize {...}
> [ldapPerson] bind as / to ldap.unex.es:389
> [ldapPerson] waiting for bind result ...
> [ldapPerson] Bind was successful
This is log output for an anonymous bind in authorize section ("bind as /
to" means "bind as <no user>/<no password>"). What is the output for the
authenticated bind, that happens in the authenticate section?
--
2. That which causes joy or happiness.
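Added example (not from the thread or from the FreeRADIUS project): a minimal virtual server and module instance that does what Josip describes above. The authorize section only looks the user up with the module's own (here anonymous) bind and never reads userPassword; the authenticate section re-binds as the user with the User-Password from the request and lets the directory verify it. The server name ldap.unex.es:389 and the instance name ldapPerson come from the thread; the base DN, filter and the explicit Auth-Type assignment in authorize are assumptions, written in FreeRADIUS 2.x-era unlang syntax (the version in use when the thread was written).

```unlang
# modules/ldap  (example; ldapPerson is the instance name used in the thread)
ldap ldapPerson {
    server = "ldap.unex.es"
    port = 389
    # Empty identity/password = anonymous bind for the lookup in authorize.
    # This identity does NOT need read access to userPassword.
    identity = ""
    password = ""
    # Assumed placeholders: adjust to the real directory tree.
    basedn = "ou=people,dc=example,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
}

# sites-enabled/test  (example virtual server)
authorize {
    preprocess
    # Lookup bind: finds the user's DN and reads whatever attributes the
    # lookup identity may see. Logs "bind as / to ldap.unex.es:389".
    ldapPerson
    # Unknown user: no point in trying to bind as them.
    if (notfound) {
        reject
    }
    # User found but no "known good" password was fetched (userPassword is
    # not readable), so force the bind-as-user path explicitly.
    if (ok && "%{control:Auth-Type}" == "") {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    Auth-Type LDAP {
        # Second bind, this time as the user's own DN with User-Password from
        # the request. The directory checks the password; FreeRADIUS only sees
        # bind success or failure. This is the bind to look for in debug output.
        ldapPerson
    }
}
```

Run the server with `freeradius -X` and compare the two bind lines in the debug output: the one in authorize binds as "/" (anonymous), the one in authenticate must bind as the user's DN. Note that bind-as-user only works when the request carries the password in clear (PAP); CHAP and MS-CHAP need a readable password attribute instead.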