On Thu, 1 Apr 2004, Ron Wahler wrote:

> Is there a way to pass the current user and his password (assuming
> password in the clear) to the identity and password field, so the user
> can bind on their own account?
>
> So something like
>
>
> identity = "%{Stripped-User-Name:-%{User-Name}}"
> password = "%{User-Password}"

Look in the list archives, this was answered a few days ago.
In general identity/password is used for ldap searches, NOT for ldap
authentication. It is used to find the user dn from the provided username. If
you put the ldap module in the authenticate section it will do a bind with the
userdn/password and verify the user password.

> > -----Original Message-----
> > From: Kostas Kalevras [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, April 01, 2004 1:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: ldap section
> >
> > On Wed, 31 Mar 2004, Ron Wahler wrote:
> >
> > >
> > > Can you authenticate without the identity and password filled out? I
> > > can't seem to get it to work without these fields filled out?
> >
> >
> > You need to set up the corresponding LDAP ACIs to allow search privileges
> > to anonymous access (bad idea from a security point of view).
> > Or just create a search user with search permissions on your directory and
> > use that one for identity/password
> >
> > >
> > > Thanks,
> > > Ron.
> > >
> > > ldap ldap_rp-eng {
> > >         server = 10.0.0.25
> > >         port = 389
> > >         #identity = "[EMAIL PROTECTED]"
> > >         #password = "tester"
> > >         basedn = "cn=Users,dc=rp-eng,dc=com"
> > >         filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
> > >         start_tls = no
> > >         tls_mode = no
> > >         timeout = 20
> > >         net_timeout = 10
> > >         timelimit = 20
> > > }
> > > [Ron Wahler]
> > >
> > >
> > >
> > > rlm_ldap: - authorize
> > > rlm_ldap: performing user authorization for rontest
> > > radius_xlat:  '(SamAccountName=rontest)'
> > > radius_xlat:  'cn=Users,dc=rp-eng,dc=com'
> > > ldap_get_conn: Got Id: 0
> > > rlm_ldap: attempting LDAP reconnection
> > > rlm_ldap: (re)connect to 10.0.0.25:389, authentication 0
> > > rlm_ldap: bind as / to 10.0.0.25:389
> > > rlm_ldap: waiting for bind result ...
> > > rlm_ldap: Bind was successful
> > > rlm_ldap: performing search in cn=Users,dc=rp-eng,dc=com, with filter (SamAccountName=rontest)
> > > rlm_ldap: object not found or got ambiguous search result
> > > rlm_ldap: search failed
> > > ldap_release_conn: Release Id: 0
> > >   modcall[authorize]: module "ldap_rp-eng" returns notfound for request 0
> > > modcall: group autztype returns notfound for request 0
> > >   rad_check_password:  Found Auth-Type rp-eng
> > > auth: type "rp-eng"
> > >   Processing the authenticate section of radiusd.conf
> > > modcall: entering group authtype for request 0
> > > rlm_ldap: - authenticate
> > > rlm_ldap: login attempt by "rontest" with password "rontest"
> > > radius_xlat:  '(SamAccountName=rontest)'
> > > radius_xlat:  'cn=Users,dc=rp-eng,dc=com'
> > > ldap_get_conn: Got Id: 0
> > > rlm_ldap: performing search in cn=Users,dc=rp-eng,dc=com, with filter (SamAccountName=rontest)
> > > rlm_ldap: object not found or got ambiguous search result
> > > ldap_release_conn: Release Id: 0
> > >   modcall[authenticate]: module "ldap_rp-eng" returns notfound for request 0
> > > modcall: group authtype returns notfound for request 0
> > > auth: Failed to validate the user.
> > > Delaying request 0 for 1 seconds
> > > Finished request 0
> > >
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >
> >
> > --
> > Kostas Kalevras             Network Operations Center
> > [EMAIL PROTECTED]   National Technical University of Athens, Greece
> > Work Phone:         +30 210 7721861
> > 'Go back to the shadow'     Gandalf
> >

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
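
The two phases described in the reply above, shown as a radiusd.conf fragment. This is an added example, not configuration posted by anyone in the thread. The search account DN and its password are constructed placeholders, listing the module directly in `authorize` is an assumption, and how `Auth-Type` gets set to `rp-eng` is left as in the poster's existing setup.

```conf
# radiusd.conf fragment (added example; constructed values are marked)
modules {
    ldap ldap_rp-eng {
        server = "10.0.0.25"
        port = 389

        # Phase 1 (search): a dedicated low-privilege account that only
        # needs search rights under basedn. Both values below are
        # constructed placeholders, not taken from the thread.
        identity = "cn=radius-search,cn=Users,dc=rp-eng,dc=com"
        password = "REPLACE_WITH_SEARCH_ACCOUNT_PASSWORD"

        # The per-request user name belongs in the filter, not in identity.
        basedn = "cn=Users,dc=rp-eng,dc=com"
        filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"

        # With start_tls = no on port 389, the search account's bind and
        # the user's bind in phase 2 both cross the network unencrypted.
        start_tls = no
        tls_mode = no

        timeout = 20
        net_timeout = 10
        timelimit = 20
    }
}

authorize {
    # Binds as identity/password and runs the filter to locate the
    # user's entry (and therefore the user's DN).
    ldap_rp-eng
}

authenticate {
    # Phase 2 (verify): binds as the user's DN with the password from the
    # request. The Auth-Type name is the one in the thread's debug output.
    Auth-Type rp-eng {
        ldap_rp-eng
    }
}
```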
