freeradius-3.0.1 ldap authenticate
    Jeroen Scheerder 
    Jeroen.Scheerder at on2it.net
       
    Wed Feb 26 10:50:42 CET 2014
    
    
  
Quoth A.L.M.Buxey at lboro.ac.uk (26 Feb 2014, 10:41):
>> For security, the LDAP should not return attribute userPassword to
>> freeradius.
>
> if the server doesn't get a password - if using LDAP as your source,
> then how is it supposed to authenticate the user?

LDAP authentication can be done either by performing an authenticated bind to the LDAP server
	- determine/look up the relevant DN
	- supply the relevant credentials
or by searching for the relevant LDAP object, obtaining the relevant "password" attribute, and checking it.

I would agree the former approach makes more sense.  Directory services should not disclose user credentials (cf. shadow password files).
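
The two approaches described in the reply above, as an added example that is not part of the original post. It uses a constructed in-memory stand-in for a directory (`ToyDirectory`, the helper names and the sample entry are all hypothetical) whose ACL hides `userPassword` from searches, to show that bind authentication still works while search-and-compare only works if the hash is disclosed to the client.

```python
import base64, hashlib, hmac, os

def ssha(password):
    """Build an {SSHA} value: base64(SHA-1(password + salt) + salt)."""
    salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_ok(stored, password):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())

class ToyDirectory:
    """Constructed in-memory stand-in for an LDAP server (not a real API)."""
    def __init__(self, entries, hidden=("userPassword",)):
        self.entries, self.hidden = entries, set(hidden)

    def search(self, uid):
        """Return (dn, attrs) without the attributes the ACL hides from clients."""
        for dn, attrs in self.entries.items():
            if attrs.get("uid") == uid:
                return dn, {k: v for k, v in attrs.items() if k not in self.hidden}
        return None, {}

    def bind(self, dn, password):
        """Check the credential inside the directory; only yes/no leaves it."""
        entry = self.entries.get(dn)
        return entry is not None and ssha_ok(entry["userPassword"], password)

def auth_by_bind(directory, uid, password):
    if not password:          # an empty password would be an unauthenticated bind
        return False
    dn, _ = directory.search(uid)                              # determine the DN
    return dn is not None and directory.bind(dn, password)     # supply credentials

def auth_by_search(directory, uid, password):
    _, attrs = directory.search(uid)      # needs read access to the hash
    stored = attrs.get("userPassword")
    return stored is not None and ssha_ok(stored, password)

# Constructed sample entry; the same data served under two ACL settings.
ENTRIES = {"uid=alice,ou=people,dc=example,dc=org":
           {"uid": "alice", "userPassword": ssha("correct horse")}}
locked = ToyDirectory(ENTRIES)                 # userPassword never returned
open_dir = ToyDirectory(ENTRIES, hidden=())    # userPassword readable by client
```
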