Authenticating groups via LDAP

John Maher john at
Sun May 23 20:01:17 CEST 2010

On 05/23/2010 11:27 AM, Alan DeKok wrote:

>   authorization != authentication
>   If there isn't a password... the user can't be authenticated.  The
> debug log shows this.

Yes, obviously an important distinction.  But where my mind goes
immediately is "why is it that if I enter an incorrect password for that
user that the user fails to gain access, but a correct password results
in access granted?".  But I imagine the answer is more complicated than
the difference between authentication and authorization, and probably
has something to do with some other authentication routine that takes
place later.  I have a lot to learn.

>> Anyway, a good resource for understanding how radius and its modules do
>> their jobs would be good to know about.
>   doc/rlm_ldap explains how the LDAP module is used, and how the
> "access" is checked.
>   Again... this *is* documented.  The filenames shouldn't be hard to
> figure out: doc/rlm_ldap should be pretty easy to find.
>   doc/aaa.txt explains how the authentication process works.
>   While the documentation isn't perfect, I'm not sure what you want.
> The questions you're asking are answered in the existing documentation,
> which is reasonably well organized.  (try: ls doc/*ldap* ...)

Thanks for the direction.  I'll study those now.


>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list