freeradius-3.0.1 ldap authenticate

Jeroen Scheerder Jeroen.Scheerder at
Wed Feb 26 10:50:42 CET 2014

Quoth A.L.M.Buxey at (26 Feb 2014, 10:41):

>  For security, the LDAP should not return attribute userPassword to
>>  freeradius.
> if the server doesnt get a password - if using LDAP as your source,
> then how is it supposed to authenticate the user?

LDAP authentication can be done either by performing an authenticated bind to the LDAP server
	- determine/lookup the relevant DN
	- supply the relevant credentials
or by searching for the relevant LDAP object obtaining the relevant "password" attribute, and checking it.

I would agree the former approach makes more sense.  Directory services should not disclose user credentials (cf. shadow password files).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Users mailing list