freeradius + ldap

Josip Rodin joy at
Thu Dec 2 12:38:36 CET 2010

On Thu, Dec 02, 2010 at 09:09:51AM +0100, Ana Gallardo wrote:
> > Add LDAP into the authenticate section, so that it simply tries to re-bind
> > with the provided credentials? Like this:
> >
> >        Auth-Type LDAP {
> >                ldapPerson
> >        }
> >
> I try this configuration too, but it doesn't work for me. Freeradius doesn't
> set the value to Auth-Type attribute. I thik that this is because the
> userPassword attribute is only visible to each particular user when binds.

This is an orthogonal issue; you don't have to allow anyone to read the
value of the userPassword attribute, you just have to get the FR ldap
module to *bind* to the LDAP server with the username and password from
the request. Then the LDAP server verifies it against whatever it needs
in the background, and you don't care.

> # Executing section authorize from file /etc/freeradius/sites-enabled/test
> +- entering group authorize {...}
>   [ldapPerson] bind as / to
>   [ldapPerson] waiting for bind result ...
>   [ldapPerson] Bind was successful

This is log output for an anonymous bind in authorize section ("bind as /
to" means "bind as <no user>/<no password>"). What is the output for the
authenticated bind, that happens in the authenticate section?

     2. That which causes joy or happiness.

More information about the Freeradius-Users mailing list