How to configure non-priveleged LDAP bind in FreeRADIUS 3.0.11

Bogdan Rudas brudas at exadel.com
Mon Sep 5 21:36:27 CEST 2016 

On Mon, Sep 5, 2016 at 4:31 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Sep 5, 2016, at 9:24 AM, Bogdan Rudas via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> > I would like to configure LDAP authentication for WiFi users with
> OpenLDAP
> > back-ends (passwords are hashed). To perform initial bind to LDAP
> database
> > I use restricted account which can read directory tree, determine DN on
> > user and most of it's attributes but can't read passwords hashes.
>
>   That's may work, if you configure it correctly.
>
> > Then I
> > expect FreeRadius to bind with DN found on previous step and
> user-supplied
> > password.
>
>   Does the rlm_ldap module documentation say it does that?
>
> > When I use admin user account (which can read password hashes) for
> initial
> > bind, authentication test with *radtest *works well, but it is not what I
> > want to do.
>
>   Why not?
>
> > I want to keep my OpenLDAP password policy working, this requires true
> LDAP
> > bind attempt with credential of end-user.
> >
> > My final destination is EAP-TTLS with PAP inside. Please, help me to
> > establish desired LDAP authorization schema. As far as I know it was
> > possible in FreeRadius 2.1.x and I believe some additional configuration
> > required here.
>
>   You have to force Auth-Type LDAP.
>
> authorize {
>         ...
>         pap
>         if (noop && User-Password) {
>                 update control {
>                         Auth-Type := LDAP
>                 }
>         }
> }
>
>   Do this in raddb/sites-enabled/default, and raddb/sites-enabled/inner-tunnel.
> And also add "ldap" to the "authenticate" section for both virtual servers.
>
>
>

Thank you, this helps.
I had to enable in both 'servers'




*        Auth-Type LDAP {                ldap        }*
Otherwise, server complains on "Unknown or invalid value "LDAP" for
attribute Auth-Type"





-- 
Bogdan Rudas
Head of Minsk IT Support Department
Exadel Inc.
http://www.exadel.com/
E-mail: brudas at exadel.com
Skype ID: bogdan.rudas

-- 


CONFIDENTIALITY NOTICE: This email and files attached to it are 
confidential. If you are not the intended recipient you are hereby notified 
that using, copying, distributing or taking any action in reliance on the 
contents of this information is strictly prohibited. If you have received 
this email in error please notify the sender and delete this email.

More information about the Freeradius-Users mailing list