However, I am now experiencing a problem that I saw Kostas Kalevras and Ron Wahler discussing back in April. I couldn't find their resolution in the archive.
As I mentioned earlier, my ultimate goal is to use rlm_ldap to authenticate the user without the initial search for the user. You say...
> Then don't list "ldap" in the "authorize" section.
Well, now I have...
DEFAULT Ldap-UserDN := `cn=%{User-Name},dc=richmond,dc=edu`, Auth-Type = ldap

authorize {
    files
}
authenticate {
    Auth-Type ldap {
        ldap1
    }
}
...and the whole thing works, except it's still doing the initial bind-and-search...
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=richmond,dc=edu/xxxxxxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=richmond,dc=edu, with filter (cn=ccarter)
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: user DN: cn=ccarter,dc=richmond,dc=edu
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as cn=ccarter,dc=richmond,dc=edu/yyyyyyyy to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user ccarter authenticated succesfully
This happens contrary to the last bit of advice in doc/freeradius-1.0.0/rlm_ldap.
Any suggestions? Thanks, Coates
On Aug 20, 2004, at 2:55 PM, Alan DeKok wrote:

> Coates Carter <[EMAIL PROTECTED]> wrote:
> > The Autz-Type directive doesn't seem to behave the way I would expect, based upon what I read in doc/freeradius-1.0.0/Autz-Type.
>
> Autz-Type is applied after the "authorize" section has been processed.
>
> > ...In raddb/users...
> >
> > DEFAULT Ldap-UserDN := `uid=%{User-Name},dc=richmond,dc=edu`, Auth-Type = ldap, Autz-Type = ldap
> >
> > If raddb/radiusd.conf has...
> >
> > authorize {
> >     Autz-Type ldap {
> >         ldap1
> >     }
> >     #ldap1
> > }
>
> You haven't listed "files", so the "users" file will never be used, and the Autz-Type will never be set.
>
> > However if I change raddb/radiusd.conf so that...
> >
> > authorize {
> >     #Autz-Type ldap {
> >     #    ldap1
> >     #}
> >     ldap1
> > }
> >
> > ... Then radiusd flows successfully through authorize and authenticate.
>
> Because the "ldap" module sets "Auth-Type := LDAP", if it wasn't already set.
>
> > Ultimately, I want to prevent rlm_ldap from doing the initial ldap search for the user, as described in doc/freeradius-1.0.0/rlm_ldap, and just move on through to the authentication part, where rlm_ldap binds as the user.
>
> Then don't list "ldap" in the "authorize" section.
>
> Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
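As an added example, not from the thread or from FreeRADIUS itself: the `Ldap-UserDN` template used above makes rlm_ldap bind as a DN built straight from `User-Name`, so the expansion should escape the name per RFC 4514 and the result should be checked to still be a single RDN under the base. The Python below takes the template and base DN from the thread; the function names and the child-of-base check are assumptions of this example.

```python
# Added example (not from the thread): expand the users-file template
#   Ldap-UserDN := `cn=%{User-Name},dc=richmond,dc=edu`
# with RFC 4514 escaping of the User-Name value, then verify that the
# expanded DN is exactly one RDN below the configured base.
import re

BASE_DN = "dc=richmond,dc=edu"                   # from the thread's config
USERDN_TEMPLATE = "cn=%{User-Name}," + BASE_DN   # same template as the users file

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value
_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 hex form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or ch == "\x00":
            out.append("\\%02x" % ord(ch))       # e.g. ',' -> '\2c'
        elif ch == " " and (i == 0 or i == last):
            out.append("\\20")                   # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\23")                   # leading '#'
        else:
            out.append(ch)
    return "".join(out)


def expand_user_dn(user_name: str, template: str = USERDN_TEMPLATE) -> str:
    """Expand %{User-Name} in the Ldap-UserDN template with escaping applied."""
    return template.replace("%{User-Name}", escape_dn_value(user_name))


def dn_is_direct_child(dn: str, base: str = BASE_DN) -> bool:
    """True if dn has exactly one RDN in front of base.

    Unescaped commas separate RDNs; an escaped comma (\\2c or \\,) does not,
    so a name that was escaped correctly never adds an RDN."""
    if not dn.lower().endswith("," + base.lower()):
        return False
    rdn = dn[: -(len(base) + 1)]
    return re.search(r"(?<!\\),", rdn) is None


if __name__ == "__main__":
    # Constructed sample names: the plain login from the thread's log, and a
    # display-style name containing a comma that needs escaping.
    for name in ("ccarter", "Carter, Coates"):
        dn = expand_user_dn(name)
        print(dn, "ok" if dn_is_direct_child(dn) else "REJECT")
```

The unescaped expansion `cn=Carter, Coates,dc=richmond,dc=edu` would be read by the directory as two RDNs; the escaped form binds as the intended single entry or fails cleanly.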