On Mon, 15 Mar 2004, Tariq Rashid wrote:

>
> >> even my initial look at the ldap module was confusing as the examples
> >> simply connect to the ldap server using the supplied username and password.
> >> this is not what i want, i want to connect using a standard single username
> >> and use the supplied User-Name to obtain various records...
>
> >This is wrong, the ldap module will connect with the supplied
> >username/password for user authentication. User authorization (ldap
> >attributes extraction) is performed by connecting to the ldap server with
> >the username/password specified in the module configuration
>
> there is a difference - the Steel-Belted Radius server documentation
> explains it well and allows you to make the choice:
>       (1) you connect to the ldap server using the supplied username/password
>           if the connection succeeds, the password is valid
>
>       (2) you bind using a standard username/password unrelated to any
>           users/clients
>           you then search for records using the User-Name fields and match a
>           password field
>           - from this user record - you can read and act upon other attributes
>           such as (filtered? unmetered? tunnel attributes (not all users
>           are human))


The same choice exists in freeradius also.

The ldap module on startup opens up <connections_number> connections to the ldap
server connecting with the DN/password defined in the module configuration.
These connections are used to read ldap attributes from the ldap server.
Then you can either extract the user password and use that for authentication
(using the pap/chap/mschap/eap modules) or use the ldap module for
authentication by binding with the user credentials.

>
> it is the second which i am currently doing with radiator but would like to
> use freeradius. with radiator, the "environment" consisting of the request,
> reply, check and ldap attributes is passed to user defined hooks, which can
> then use them to delete, modify or add pairs, or do ldap/sql lookups.
>
> i'd like to use freeradius for 3 major reasons:
>       * multi-threaded - can be taken advantage of given better OSes (eg
>         linux 2.6, NPTL)
>       * modules are like objects of classes - and so there is an opportunity
>         to have multiple instances and also to do constructor/destructor
>         type work, eg hold open connections (radiator can't, you have to
>         open/close for every request as far as i can tell)
>       * it's smaller, lighter and faster than doing it in Perl!
>
> tariq
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf

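As an added example (not part of either message above, and not the FreeRADIUS project's own sample configuration), here is what the two modes Kostas describes look like in a FreeRADIUS 1.x radiusd.conf. The server name, base DN, service DN and password are assumed placeholders; the option names (identity, password, ldap_connections_number, password_attribute, password_header, dictionary_mapping) are the 1.x rlm_ldap options. Mode (2) in Tariq's numbering corresponds to "extract the user password and let pap/chap/mschap check it", mode (1) to "bind as the user":

```conf
# --- radiusd.conf (added example; hostnames, DNs and passwords are assumed) ---

ldap {
        server = "ldap.example.org"                           # assumed
        # Service account the module binds with at startup. These pooled
        # connections are what every authorize-time attribute lookup uses,
        # whichever authentication mode you pick below.
        identity = "cn=radius,ou=services,dc=example,dc=org"  # assumed
        password = "service-password"                         # assumed
        basedn   = "ou=people,dc=example,dc=org"              # assumed
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # Size of the pool opened with the identity above
        # (the <connections_number> Kostas mentions).
        ldap_connections_number = 5

        # Maps directory attributes to RADIUS check/reply items, e.g. the
        # tunnel or filter attributes Tariq wants per user record.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        timeout     = 4
        timelimit   = 3
        net_timeout = 1

        # The service password and, in mode (1), every user password cross
        # the wire in the bind; do not run this without TLS.
        start_tls = yes

        # Mode (2) only: pull the user's password out of the directory in
        # authorize so pap/chap/mschap can verify it. The service DN must be
        # allowed to read this attribute, and chap/mschap need it in clear
        # text (password_header strips a "{clear}" prefix if present).
        # Leave both lines commented out for mode (1).
        password_attribute = userPassword
        password_header    = "{clear}"
}

authorize {
        preprocess
        chap            # set Auth-Type from the credential in the request
        mschap
        ldap            # search as the service DN, add check/reply attributes
        files
        pap
}

authenticate {
        Auth-Type LDAP {
                ldap    # mode (1): bind as the user's DN with User-Password
        }
        Auth-Type PAP {
                pap     # mode (2): compare against the extracted password
        }
        Auth-Type CHAP {
                chap    # mode (2)
        }
        Auth-Type MS-CHAP {
                mschap  # mode (2)
        }
}

# --- users (added example; only for mode (1)) ---
# Force the bind-as-user path for everyone the ldap search found.
# Do not add this line in mode (2), or pap/chap/mschap never get to run.
DEFAULT Auth-Type := LDAP
```

Two caveats that decide between the modes in practice: mode (1) needs the clear-text password in the request, so it only works for PAP and will reject CHAP/MS-CHAP logins even though the directory entry is fine; mode (2) works for all three but means the radius service DN can read every user's password attribute, so restrict that DN's ACL to the attributes the attrmap actually needs and keep start_tls on.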