How LDAP Authentication works
Alan DeKok
aland at deployingradius.com
Fri Jun 22 13:25:48 CEST 2012
Tobias Hachmer wrote:
> The Test MS AD Server has domain functional level "2008 R2" and quite
> default settings.
Active Directory is not really an LDAP server. The reasons are
complicated. It's almost an LDAP server, but it's different in critical
ways.
> In radiusd -X output the ldap module first performs the ldap bind with
> the identity which is configured in the ldap module configuration. After
> that, the ldap bind with the user credentials provided in the access-request packet:
...
> Is the first ldap bind really necessary or can I configure in ldap
> module something like "bind as user" to avoid the requirement to have a
> service user account in AD?
The first search is necessary to determine the User-DN to use for the
second search. You can't get rid of the read-only admin account. If
you set the LDAP-UserDN manually, you'll get rid of the first bind. But
the server needs the admin account for LDAP to work.
Alan DeKok.
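The two-bind flow Alan describes, as an added simulation that is not FreeRADIUS code: the directory, the module settings and the names "authenticate", "bind" and "search" are constructed here, and the in-memory dict stands in for a real LDAP or AD server. It shows why the read-only service account is needed (only to search for the User-DN) and that a pre-set LDAP-UserDN skips that first bind.

```python
# Added example: minimal model of the ldap module's two binds.
# Not the FreeRADIUS implementation; all data below is constructed.

# Constructed directory: DN -> attributes. "userPassword" stands in for
# whatever the real server checks on a simple bind.
DIRECTORY = {
    "cn=radius-svc,ou=svc,dc=example,dc=com": {"userPassword": "svc-secret"},
    "cn=alice,ou=people,dc=example,dc=com": {
        "sAMAccountName": "alice", "userPassword": "alice-pw"},
}

# Constructed module settings, mirroring identity/password/basedn/filter.
MODULE = {
    "identity": "cn=radius-svc,ou=svc,dc=example,dc=com",
    "password": "svc-secret",
    "basedn": "ou=people,dc=example,dc=com",
    "filter_attr": "sAMAccountName",   # AD uses sAMAccountName; OpenLDAP uses uid
}


def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def search(basedn, attr, value):
    """Subtree search under basedn for attr=value; returns the DN or None."""
    for dn, entry in DIRECTORY.items():
        if dn.endswith(basedn) and entry.get(attr) == value:
            return dn
    return None


def authenticate(request):
    """request holds User-Name, User-Password and optionally LDAP-UserDN."""
    user_dn = request.get("LDAP-UserDN")
    if user_dn is None:
        # First bind: the read-only service account, used only to search.
        if not bind(MODULE["identity"], MODULE["password"]):
            return "service-bind-failed"
        user_dn = search(MODULE["basedn"], MODULE["filter_attr"], request["User-Name"])
        if user_dn is None:
            return "user-not-found"
    # Second bind: the user's own credentials from the Access-Request.
    return "accept" if bind(user_dn, request["User-Password"]) else "reject"
```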