How LDAP Authentication works

Fajar A. Nugraha list at fajar.net
Fri Jun 22 10:18:46 CEST 2012


On Fri, Jun 22, 2012 at 1:30 PM, Tobias Hachmer <lists at kokelnet.de> wrote:

> In LDAP module configuration I set an identity. For my understanding this is
> for the ldap bind user. With this identity FR will get access to the ldap
> database, to do groupmembership information or attributes and so on.

Correct.

> But is this identity also needed for authentication only?

There are several ways you can use LDAP for authentication. For
"normal" LDAP servers which store the user password in an accessible
attribute (optionally hashed with a supported scheme), you only need the ldap
module in the authorization phase to get the attribute. This is the
recommended method. Other FR modules (pap, mschap) will then process
the password attribute and compare it to the one in the request.

If the LDAP server does not expose user passwords, or stores them in an
unsupported encryption scheme, then you need to do an ldap bind. However,
in order to do that the request needs to be PAP, because you need the
password that the user inputs in plain text (i.e. the User-Password request
attribute).

Either way, you need the identity to get user attributes from the LDAP
server during the authorization phase. Without those attributes, the
authentication phase will fail.

>
> In my setup I just want to authenticate my users against Microsoft Active
> Directory, authorization will be done through sql.
> So I thought about if I need the bind user. Am I right with this:
> FR or the ldap module will test if the username/password combination is
> correct against ldap. For that it will do a simple ldap bind with the
> credentials from access-request packet. So, is the identity really needed
> for authentication or is my understanding here wrong?
> Please point me to the right...

Windows clients will use PEAP-MSCHAPv2 for 802.1X. That means there is no
User-Password attribute in the Access-Request packet, which means you
can't do an LDAP bind.

AD will not give out the user's encrypted password either. So in this
case you'll also need ntlm_auth and do some special setup in FR. Read
http://deployingradius.com/documents/configuration/active_directory.html
for details.

-- 
Fajar
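The decision logic described in the reply above, as an added illustration that is not part of the original post or of FreeRADIUS itself: a local comparison against the password attribute fetched during authorize (what rlm_pap does for cleartext, {SHA} and {SSHA} values), and a small function showing which of the paths from the post applies depending on whether the request carries User-Password and what the directory stores. The sample {SSHA} value, the salt and the password "s3cret" are constructed for the demo; the {NT} scheme is mentioned only because mschap can work from an NT hash.

```python
import base64
import hashlib
import hmac

# Schemes the local (rlm_pap style) comparison in this demo can verify.
PAP_SCHEMES = {"CLEAR", "SHA", "SSHA"}

def parse_scheme(stored: str):
    """Split a userPassword value such as '{SSHA}base64...' into (scheme, value).
    A value without a '{...}' prefix holds the cleartext password."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEAR", stored

def verify_password_attribute(stored: str, candidate: str) -> bool:
    """Compare the cleartext candidate (User-Password from a PAP request) with
    the password attribute fetched from LDAP during the authorization phase."""
    scheme, value = parse_scheme(stored)
    pw = candidate.encode()
    if scheme == "CLEAR":
        return hmac.compare_digest(value.encode(), pw)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(value), hashlib.sha1(pw).digest())
    if scheme == "SSHA":  # sha1(password + salt) followed by the salt, base64-encoded
        raw = base64.b64decode(value)
        return hmac.compare_digest(raw[:20], hashlib.sha1(pw + raw[20:]).digest())
    raise ValueError(f"unsupported password scheme {{{scheme}}}")

def auth_method(stored, request_has_user_password: bool):
    """Which path from the post applies. 'pap-compare': verify the fetched
    attribute locally; 'ldap-bind': bind as the user with the cleartext
    password; 'mschap-compare': MS-CHAP can work from a cleartext or NT hash
    attribute; None: nothing usable (AD with MS-CHAPv2, the ntlm_auth case)."""
    scheme = parse_scheme(stored)[0] if stored is not None else None
    if request_has_user_password:
        return "pap-compare" if scheme in PAP_SCHEMES else "ldap-bind"
    return "mschap-compare" if scheme in ("CLEAR", "NT") else None

def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value the way an LDAP server stores it (demo helper)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

# Constructed sample: the user's password is "s3cret", stored salted in LDAP.
SAMPLE_SSHA = make_ssha("s3cret", b"saltsalt")

if __name__ == "__main__":
    print(verify_password_attribute(SAMPLE_SSHA, "s3cret"))           # True
    print(auth_method(SAMPLE_SSHA, request_has_user_password=False))  # None
```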
