How LDAP Authentication works

Tobias Hachmer lists at kokelnet.de
Fri Jun 22 12:06:35 CEST 2012


On 22.06.2012 10:18, Fajar A. Nugraha wrote:
>> But is this identity also needed for authentication only?
>
> There are several ways you can use LDAP for authentication. For
> "normal" LDAP servers which store user passwords in an accessible
> attribute with an optional supported encryption schema, you only need the
> ldap module in the authorization phase to get the attribute. This is the
> recommended method. Other FR modules (pap, mschap) will then process
> the password attribute and compare it to the one in the request.
>
> If the LDAP server does not expose user passwords, or stores them in an
> unsupported encryption schema, then you need to do an ldap bind. However,
> in order to do that the request needs to be PAP, because you need the
> password that the user inputs in plain text (i.e. the User-Password request
> attribute).
>
> Either way, you need the identity to get user attributes from the LDAP
> server during the authorization phase. Without those attributes, the
> authentication phase will fail.

Hmm, and when I only want to authenticate users which are connecting via
ssh to a network device I can always do PAP.
In my tests I have temporarily set the Auth-Type of a user to ldap. In the
"authorize" section I commented out the ldap module, so the ldap module is
only active in the "authentication" section.
The test MS AD server has domain functional level "2008 R2" and quite
default settings.
In the radiusd -X output the ldap module first performs the ldap bind with
the identity which is configured in the ldap module configuration. After
that, the ldap bind with the user credentials provided in the access-request
packet:

Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
++- entering redundant-load-balance group redundant-load-balance {...}
[ldap3] login attempt by "a160admin-hachmer" with password "abc123!"
[ldap3]         expand: %{Stripped-User-Name} ->
[ldap3]         ... expanding second conditional
[ldap3]         expand: %{User-Name} -> a160admin-hachmer
[ldap3]         expand: 
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> 
(sAMAccountName=a160admin-hachmer)
[ldap3]         expand: dc=1632labor,dc=local -> dc=1632labor,dc=local
   [ldap3] ldap_get_conn: Checking Id: 0
   [ldap3] ldap_get_conn: Got Id: 0
   [ldap3] attempting LDAP reconnection
   [ldap3] (re)connect to ldaps://radiustestwdc3.1632labor.local, 
authentication 0
   [ldap3] setting TLS CACert File to /etc/raddb/certs/1632labor.pem
   [ldap3] setting TLS Require Cert to demand
   [ldap3] bind as 
cn=a160sa-freeradius,cn=Users,dc=1632labor,dc=local/abc321! to 
ldaps://radiustestwdc3.1632labor.local
   [ldap3] waiting for bind result ...
   [ldap3] Bind was successful
   [ldap3] performing search in dc=1632labor,dc=local, with filter 
(sAMAccountName=a160admin-hachmer)
   [ldap3] ldap_release_conn: Release Id: 0
[ldap3] user DN: CN=Tobias Hachmer,OU=1632User,DC=1632labor,DC=local
   [ldap3] (re)connect to ldaps://radiustestwdc3.1632labor.local, 
authentication 1
   [ldap3] setting TLS CACert File to /etc/raddb/certs/1632labor.pem
   [ldap3] setting TLS Require Cert to demand
   [ldap3] bind as CN=Tobias 
Hachmer,OU=1632User,DC=1632labor,DC=local/abc123! to 
ldaps://radiustestwdc3.1632labor.local
   [ldap3] waiting for bind result ...
   [ldap3] Bind was successful
[ldap3] user a160admin-hachmer authenticated succesfully
+++[ldap3] returns ok

Is the first ldap bind really necessary or can I configure in ldap 
module something like "bind as user" to avoid the requirement to have a 
service user account in AD?

Regards,
Tobias Hachmer
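The two "Bind was successful" lines in the debug output above are a search-then-bind sequence: bind with the module's configured identity, search the base DN with the `(sAMAccountName=...)` filter to learn the user's DN, then bind again as that DN with the plaintext password from the Access-Request. The following is an added example that models that sequence; it is not code from the post or from FreeRADIUS. The in-memory `DIRECTORY`, the passwords in it, and the `authenticate`, `search` and `simple_bind` functions are constructed stand-ins (the DNs are taken from the debug output; a real deployment would issue the same operations over LDAPS with a client library). It also carries the three checks a practitioner wants around this flow: the username is escaped per RFC 4515 before it is spliced into the filter, exactly one search result is required before the second bind, and an empty password is refused before any bind is attempted, because a bind with a DN and an empty password is an unauthenticated bind that many servers answer with success.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in directory: DN -> {"attrs": ..., "password": ...}.
# The DNs follow the debug output above; the passwords are made up. A real
# AD never returns the password over LDAP, it only verifies it on bind.
DIRECTORY: Dict[str, dict] = {
    "cn=a160sa-freeradius,cn=Users,dc=1632labor,dc=local": {
        "attrs": {"sAMAccountName": "a160sa-freeradius"},
        "password": "service-secret-example",
    },
    "CN=Tobias Hachmer,OU=1632User,DC=1632labor,DC=local": {
        "attrs": {"sAMAccountName": "a160admin-hachmer"},
        "password": "user-secret-example",
    },
}
SERVICE_DN = "cn=a160sa-freeradius,cn=Users,dc=1632labor,dc=local"
BASE_DN = "dc=1632labor,dc=local"

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a username before splicing it into (sAMAccountName=...)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _assertion_to_regex(raw: str) -> "re.Pattern[str]":
    # Server side: an unescaped '*' is a substring wildcard, escaped bytes are
    # literal. sAMAccountName is compared case-insensitively, as AD does.
    pieces = [re.escape(_unescape(p)) for p in raw.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def _lookup(directory: Dict[str, dict], dn: str) -> Optional[dict]:
    for entry_dn, entry in directory.items():
        if entry_dn.lower() == dn.lower():
            return entry
    return None


def simple_bind(directory: Dict[str, dict], dn: str, password: str) -> bool:
    """Model of LDAP simple bind as the stand-in server answers it."""
    if password == "":
        # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated*
        # bind. Many servers answer success and grant only anonymous rights,
        # so a client that treats "bind succeeded" as "password verified"
        # would accept any known username with an empty password.
        return True
    entry = _lookup(directory, dn)
    return entry is not None and entry["password"] == password


def search(directory: Dict[str, dict], base_dn: str, ldap_filter: str) -> List[str]:
    """Return DNs under base_dn matching a single equality/substring filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, pattern = m.group(1), _assertion_to_regex(m.group(2))
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(base_dn.lower())
            and attr in entry["attrs"] and pattern.match(entry["attrs"][attr])]


@dataclass
class AuthResult:
    ok: bool
    reason: str
    user_dn: Optional[str] = None


def authenticate(directory, service_dn, service_password, base_dn, username, password) -> AuthResult:
    """Search-then-bind, mirroring the two binds in the radiusd -X output."""
    if password == "":
        return AuthResult(False, "empty password")  # refuse before touching the server
    # Bind 1: the module's configured identity, so that the search is permitted.
    if not simple_bind(directory, service_dn, service_password):
        return AuthResult(False, "service bind failed")
    # Search: the username is escaped before it is expanded into the filter.
    ldap_filter = "(sAMAccountName=%s)" % escape_filter_value(username)
    matches = search(directory, base_dn, ldap_filter)
    if len(matches) != 1:
        return AuthResult(False, "user not found" if not matches else "ambiguous match")
    user_dn = matches[0]
    # Bind 2: the user's own DN with the plaintext password from the request.
    if not simple_bind(directory, user_dn, password):
        return AuthResult(False, "bad password", user_dn)
    return AuthResult(True, "ok", user_dn)


if __name__ == "__main__":
    print(authenticate(DIRECTORY, SERVICE_DN, "service-secret-example",
                       BASE_DN, "a160admin-hachmer", "user-secret-example"))
```

The stand-in server deliberately honours wildcards and unauthenticated binds so that the client-side checks have something to defend against: a username of `*` reaches the directory as `\2a` and matches nothing, whereas the raw filter `(sAMAccountName=*)` returns every entry, and an empty password never reaches the bind at all. The search step is the reason the first bind exists: some identity has to be allowed to read the tree before the user's DN is known.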


