freeradius-3.0.1 ldap authenticate
Jeroen.Scheerder at on2it.net
Wed Feb 26 10:50:42 CET 2014
Quoth A.L.M.Buxey at lboro.ac.uk (26 Feb 2014, 10:41):
> For security, the LDAP should not return attribute userPassword to
> if the server doesn't get a password - if using LDAP as your source,
> then how is it supposed to authenticate the user?
LDAP authentication can be done either by performing an authenticated bind to the LDAP server:
- determine/look up the relevant DN
- supply the relevant credentials
or by searching for the relevant LDAP object, obtaining the relevant "password" attribute, and checking it.
I would agree the former approach makes more sense. Directory services should not disclose user credentials (cf. shadow password files).
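The two approaches described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code. It assumes an in-memory `ToyDirectory` stand-in (hypothetical, not a real LDAP API), a constructed user entry, and the `{SSHA}` hash scheme; it shows that bind authentication keeps working when the directory refuses to return `userPassword`, while search-and-check does not.

```python
import base64, hashlib, hmac

def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

class ToyDirectory:
    """In-memory stand-in for an LDAP server (constructed for this example)."""
    def __init__(self, entries, expose_password):
        self.entries = entries
        self.expose_password = expose_password  # may clients read userPassword?

    def search(self, uid):
        """Return (dn, attrs) as a searching client would see them, or None."""
        for dn, attrs in self.entries.items():
            if attrs["uid"] == uid:
                visible = dict(attrs)
                if not self.expose_password:
                    visible.pop("userPassword")
                return dn, visible
        return None

    def bind(self, dn, password):
        """The server checks the credential itself; the hash never leaves it.
        Empty passwords are refused so an unauthenticated bind cannot pass."""
        entry = self.entries.get(dn)
        return bool(password) and entry is not None and check_ssha(password, entry["userPassword"])

def auth_by_bind(directory, uid, password):
    found = directory.search(uid)               # determine/look up the DN
    return found is not None and directory.bind(found[0], password)  # supply credentials

def auth_by_compare(directory, uid, password):
    found = directory.search(uid)
    stored = found[1].get("userPassword") if found else None
    return stored is not None and check_ssha(password, stored)  # client must see the hash

# Constructed sample entry; the DN, uid and password are illustrative only.
ENTRIES = {"uid=alice,ou=people,dc=example,dc=org":
           {"uid": "alice", "userPassword": make_ssha("s3cret-sample", b"\x01\x02\x03\x04")}}
LOCKED = ToyDirectory(ENTRIES, expose_password=False)  # userPassword not readable
OPEN = ToyDirectory(ENTRIES, expose_password=True)     # userPassword disclosed
```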