Authenticating groups via LDAP

Alan DeKok aland at deployingradius.com
Sun May 23 17:27:19 CEST 2010


John Maher wrote:
> Thanks for this information. Being very new to radius, and a bit sloppy
> with my wording, I was not clear about what I was looking for. It's true
> that the function of the different config files is not that complicated.
> What is not clear to me, when looking at the output of freeradius -X
> that is generated from a user's connection attempt, is the sequencing
> and reasoning behind the output.

  Well.. it does a lot.  Remember, this isn't...

DNS: what is the IP for name X?

DHCP: please allocate an IP for MAC Y, I'm on switch X port Y

  RADIUS is *enormously* more complicated.  As a result, the
configuration files are more complicated, and the debug output is more
complicated.

> For example, the output I posted included this:
...
> I don't understand several things from this, but one example is why does
> it state:
> 
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> 
> and the next line states:
> 
> [ldap] user jmaher authorized to use remote access
> 
> ?

  authorization != authentication

  If there isn't a password... the user can't be authenticated.  The
debug log shows this.

> Anyway, a good resource for understanding how radius and its modules do
> their jobs would be good to know about.

  doc/rlm_ldap explains how the LDAP module is used, and how the
"access" is checked.

  Again... this *is* documented.  The filenames shouldn't be hard to
figure out: doc/rlm_ldap should be pretty easy to find.

  doc/aaa.txt explains how the authentication process works.

  While the documentation isn't perfect, I'm not sure what you want.
The questions you're asking are answered in the existing documentation,
which is reasonably well organized.  (try: ls doc/*ldap* ...)

  Alan DeKok.
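To make the "authorization != authentication" point concrete, here is an added configuration example; it is not from Alan's message, from John's debug output, or from the shipped FreeRADIUS configuration. It assumes FreeRADIUS 2.x with rlm_ldap, and the server name, bind DN, base DN and the group name "remote-access" are hypothetical placeholders. The authorize section decides whether the user may attempt to log in (the user is found in LDAP and is in the right group); the authenticate section is where the password is actually checked. When rlm_ldap cannot read a "known good" password attribute from the directory, which is what the warning quoted above reports, the user can still be authorized, but the only way left to authenticate them is to bind to LDAP as that user, so Auth-Type is set to LDAP.

```conf
# Added example (not from the post above or the FreeRADIUS distribution).
# Assumes FreeRADIUS 2.x with rlm_ldap. Server, DNs and the group name are
# hypothetical placeholders; adjust them to your directory.

# --- raddb/modules/ldap: where users and groups are looked up ----------------
ldap {
	server = "ldap.example.com"
	identity = "cn=radius,ou=services,dc=example,dc=com"
	password = "change-me"
	basedn = "ou=people,dc=example,dc=com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Used by the Ldap-Group check item in the users file below.
	# Ldap-UserDn is filled in by this module during authorize, so "ldap"
	# must run before "files" in the authorize section.
	groupname_attribute = cn
	groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
}

# --- raddb/sites-available/default: authorization, then authentication -------
authorize {
	preprocess

	# AUTHORIZATION step 1: find the user. If the directory lets the
	# bind identity read userPassword, rlm_ldap takes it as the "known
	# good" password; if not, it logs the warning quoted above. Either
	# way the user is "authorized" only in the sense that the entry exists.
	ldap

	# AUTHENTICATION is deferred: rather than comparing a password locally
	# (impossible when no known good password was readable), bind to LDAP
	# as the user. This works whether or not userPassword was readable,
	# but it needs a cleartext User-Password in the request, so PAP only.
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := LDAP
		}
	}

	# AUTHORIZATION step 2: the users file enforces group membership
	# through the Ldap-Group check item that rlm_ldap provides.
	files
}

authenticate {
	# Auth-Type LDAP: rlm_ldap binds to the directory with the user's DN
	# and the User-Password from the request. A successful bind is the
	# authentication; nothing in authorize ever verified the password.
	Auth-Type LDAP {
		ldap
	}
}

# --- raddb/users: group-based authorization ----------------------------------
# Members of the hypothetical "remote-access" group match the first entry
# and processing stops there (no Fall-Through). Everyone else falls to the
# catch-all entry and is rejected before any password is checked.
DEFAULT	Ldap-Group == "remote-access"
	Reply-Message = "remote-access member, proceeding to authentication"

DEFAULT	Auth-Type := Reject
	Reply-Message = "You are not a member of the remote-access group"
```

With this in place, a user who exists in LDAP but is not in the group is rejected in authorize and never reaches the bind; a group member still has to present a password that the directory accepts. Run `freeradius -X` and watch for the Ldap-Group comparison in the "files" step and the bind in "Auth-Type LDAP" to see the two stages separately.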
