disable password checking against ldap

Alan DeKok aland at deployingradius.com
Wed Jul 10 12:10:49 UTC 2024


On Jul 10, 2024, at 6:04 AM, Kong Kai Chen via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> In Steel-Belted Radius (SBR), we can set up SBR to do a simple bind to the LDAP database.
> In such a setup, SBR will omit password checking. If the bind is successful (meaning the username is found in LDAP), then an accept reply is sent back to the RADIUS client.
> When I try to do this in FreeRADIUS, it passes the authentication process to LDAP and insists on checking the password.
> How can I disable the password checking in freeRadius?

  You don't "disable" password checking.  You just write an LDAP query which checks if the user exists.

  The normal ldap processing in FreeRADIUS does username / password checking.  So if you want to skip the password checks, then don't use the normal LDAP processing.

  The documentation contains examples of how to write LDAP queries.  The exact content depends on your local LDAP database and scheme.  But something like this should work:


authorize {
	...

	if ("%{ldap: .... ldap query with %{User-Name} .. }")  {
		accept
	}
	...
}

  i.e. "if the query to find a user by name exists, then accept the user".

  Alan DeKok.
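
One way to fill in the query described above, as an added example that is not part of the original message or of FreeRADIUS's shipped configuration. It assumes FreeRADIUS 3.x, an LDAP module instance named ldap, users stored under the constructed base DN ou=people,dc=example,dc=org, and login names held in the uid attribute.

```unlang
authorize {
	# The ldap xlat takes an LDAP URL: ldap://host/base?attribute?scope?filter
	# ldap:/// (no host) runs the query over the module's configured connection.
	# Base DN, the uid attribute and the filter are assumptions for this
	# example; adjust them to the local directory layout.
	if ("%{ldap:ldap:///ou=people,dc=example,dc=org?uid?sub?(uid=%{User-Name})}") {
		# Non-empty result: an entry with this uid exists.
		# Accept the request without any password comparison.
		update control {
			Auth-Type := Accept
		}
	}
	# Empty result (no matching entry, or the lookup returned nothing):
	# the request falls through to whatever the rest of the
	# authorize and authenticate sections do with it.
}
```

With this policy the existence of the directory entry is the only thing deciding the accept, so the base DN and filter define exactly which accounts can log in; narrowing the filter (for example to a specific objectClass or group) narrows that set.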


