Radius integration with LDAP (SASL)
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jan 17 15:18:41 CET 2012
On 17/01/12 13:39, vijay t wrote:
> [ldap] Added User-Password = {SASL}suresht in check items
This is all wrong.
{SASL}user is only meaningful to the LDAP server. You'll just confuse
FreeRADIUS with this; it won't work.
You need to understand what you're trying to accomplish:
1. PAP request comes into FreeRADIUS
2. FreeRADIUS performs LDAP search to find LDAP user DN
3. FreeRADIUS makes LDAP BIND with LDAP user DN & PAP password
Instead, you have FreeRADIUS doing this:
1. PAP request comes into FreeRADIUS
2. FreeRADIUS performs LDAP search to find LDAP user DN and "plaintext
password"
3. FreeRADIUS tries to perform authentication locally using the
"plaintext" password (actually {SASL}username)
I'm not sure how you can accomplish what you want. You probably need to
"hide" userPassword from FreeRADIUS, so that it can't see it.
Basically, you're doing something weird. You're going to have to try and
figure this out yourself, to a large extent.
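As an added illustration of the two flows Phil contrasts (this is not configuration from the original thread or from the FreeRADIUS project itself), here is what the broken and the intended setups look like in a FreeRADIUS 2.x `raddb/modules/ldap`. The server name, DNs and bind credentials are placeholders; the directive names are those of the stock 2.x module config, so compare against your own `modules/ldap` if your version differs.

```text
# Added example, not from the post. FreeRADIUS 2.x raddb/modules/ldap.
# Hostname, DNs and the bind account below are placeholders.

# --- BROKEN: the module fetches userPassword as a "known good" password and
#     FreeRADIUS tries to authenticate locally against it. A {SASL}user value
#     is meaningless to FreeRADIUS, so PAP can never succeed. This is the
#     second numbered list in the post.
ldap {
        server   = "ldap.example.org"                           # placeholder
        identity = "cn=radius,ou=services,dc=example,dc=org"    # placeholder
        password = "CHANGE-ME"                                  # placeholder
        basedn   = "ou=people,dc=example,dc=org"                # placeholder
        filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        password_attribute = userPassword   # pulls the stored value into the request
}

# --- INTENDED: search for the user's DN, then BIND as that DN with the PAP
#     password. The LDAP server decides whether the password is right;
#     FreeRADIUS never reads or compares userPassword. This is the first
#     numbered list in the post.
ldap {
        server   = "ldap.example.org"                           # placeholder
        identity = "cn=radius,ou=services,dc=example,dc=org"    # placeholder
        password = "CHANGE-ME"                                  # placeholder
        basedn   = "ou=people,dc=example,dc=org"                # placeholder
        filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        # password_attribute = userPassword # left unset: no password is fetched
        set_auth_type = yes                 # module sets Auth-Type := LDAP when it
                                            # found no known-good password
}

# sites-enabled/default: ldap in authorize does the search; Auth-Type LDAP
# in authenticate does the bind with the found DN and the User-Password.
authorize {
        ldap
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
}
```

The second half of Phil's advice, hiding `userPassword` from FreeRADIUS, is best enforced on the directory side as well: give the bind account FreeRADIUS uses (`identity` above) no read access to `userPassword`, so that even a stray `password_attribute` line cannot pull the value into the request and the module falls back to the bind path. With the broken setup, `radiusd -X` shows the module returning the fetched value as a check item and PAP being attempted locally; with the intended one, it shows the search followed by a user bind and no local password comparison.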