disable password checking against ldap

kckong1 at yahoo.com
Thu Jul 11 14:33:00 UTC 2024


Thanks, Alan. It works.

sites-available/default:

("%{ldap:ldap://localhost:389/?uid?sub?(uid=%{User-Name})}") {
	accept
} else {
	reject
}

Question 1: How can I utilize the LDAP settings defined in mods-enabled/ldap instead of hardcoding the LDAP connection here?

Question 2: How can I implement load balancing across multiple LDAP servers to distribute the authentication load?

Thank you.



> On 10 Jul 2024, at 8:10 PM, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Jul 10, 2024, at 6:04 AM, Kong Kai Chen via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> 
>> In Steel Belted Radius (SBR), we can set up SBR to do a simple bind to an LDAP database. 
>> In such a setup, SBR will omit password checking. If the bind is successful (meaning the username is found in LDAP) then a reply accept is sent back to the RADIUS client.
>> When I try to do this in FreeRADIUS, it passes the authentication process to LDAP and insists on checking the password. 
>> How can I disable the password checking in FreeRADIUS?
> 
>  You don't "disable" password checking.  You just write an LDAP query which checks if the user exists.
> 
>  The normal ldap processing in FreeRADIUS does username / password checking.  So if you want to skip the password checks, then don't use the normal LDAP processing.
> 
>  The documentation contains examples of how to write LDAP queries.  The exact content depends on your local LDAP database and schema.  But something like this should work:
> 
> 
> authorize {
> ...
> 
> if ("%{ldap: .... ldap query with %{User-Name} .. }")  {
> accept
> }
> ...
> }
> 
>  i.e. "if the query to find a user by name exists, then accept the user".
> 
>  Alan DeKok.
> 
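The following configuration sketch addresses the two follow-up questions. It is an editor's added example, not a reply from the thread and not taken from the FreeRADIUS project's own files. It assumes FreeRADIUS 3.x, a base DN of dc=example,dc=com, two hypothetical directory hosts ldap1.example.com and ldap2.example.com, and module instance names ldap_a and ldap_b; all of these are placeholders to be replaced. For question 1 it relies on the ldap xlat accepting a URL with an empty host part (ldap:///...), in which case rlm_ldap runs the search over its own configured connection pool rather than contacting the host named in the string; check the comments in your version's mods-available/ldap to confirm this before relying on it. For question 2 the lookup is written as a module call rather than an xlat, because unlang's redundant-load-balance distributes calls between module instances, not between hosts inside an xlat string.

```unlang
# mods-enabled/ldap_a (hypothetical): a copy of mods-available/ldap
# with a unique instance name so that two directories can be defined.
ldap ldap_a {
	server = 'ldap1.example.com'              # placeholder host
	identity = 'cn=radius,dc=example,dc=com'  # placeholder bind DN
	password = 'REPLACE_ME'                   # placeholder bind credential
	base_dn = 'dc=example,dc=com'
	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}

# mods-enabled/ldap_b (hypothetical): identical apart from name and server.
ldap ldap_b {
	server = 'ldap2.example.com'              # placeholder host
	identity = 'cn=radius,dc=example,dc=com'
	password = 'REPLACE_ME'
	base_dn = 'dc=example,dc=com'
	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}

# sites-available/default, authorize section. Use ONE of the two variants.
authorize {
	preprocess

	# Variant for question 1 (single directory): an empty host in the URL
	# makes rlm_ldap use the pool from mods-enabled/ldap instead of the
	# hardcoded ldap://localhost:389. Uncomment to use.
	#
	# if ("%{ldap:ldap:///dc=example,dc=com?uid?sub?(uid=%{User-Name})}") {
	#	update control {
	#		&Auth-Type := Accept
	#	}
	# }
	# else {
	#	reject
	# }

	# Variant for question 2 (several directories): unlang picks one
	# instance per request and moves to the other if the chosen one fails.
	redundant-load-balance {
		ldap_a
		ldap_b
	}

	# rlm_ldap returns notfound when no entry matches the user filter;
	# fail or invalid means the lookup itself broke. Both are rejected here
	# so that a directory outage never turns into a silent accept.
	if (notfound || fail || invalid) {
		reject
	}

	# Existence of the entry is the only check wanted, so the authenticate
	# section is bypassed. Every request carrying a known uid is accepted,
	# which is why the clients permitted to reach this virtual server
	# should be limited to those for which that is acceptable.
	update control {
		&Auth-Type := Accept
	}
}
```

Auth-Type := Accept is the documented way in 3.x to grant access without running the authenticate section; it is used here in place of the bare `accept` from the thread because unlang's return keywords (ok, updated, notfound, reject, fail, ...) do not grant access on their own from authorize. Listing several hosts in one instance's `server` setting (space separated) gives failover in the order listed rather than load distribution, which is why two instances plus redundant-load-balance are shown instead.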


