Issues getting SLES11 FreeRadius working with eDirectory

Michael Ströder michael at stroeder.com
Fri Apr 10 15:16:34 CEST 2015


Brian Boere wrote:
> Chris, I have added the "edir = yes" (also found some information about
> also adding edir_autz = yes) and it did not make a difference.

AFAIK edir = yes uses a Novell-specific LDAP extended operation for extracting 
the Universal Password from eDirectory as clear-text.

Not sure whether your security policy allows that. Personally I'd recommend 
not to use it. But that's me.

Special admin rights are needed in eDirectory for the FreeRADIUS system user 
to be allowed to do that.

IIRC you also must use an encrypted LDAP connection (LDAPS or StartTLS ext 
op.) when using this particular LDAP extended operation. That's probably what 
Christopher meant with "Modify the port you connect to eDirectory [..]".

Ciao, Michael.

