Hello again. Ok, now I can authenticate a user using LDAP.

> I'm using freeradius 2.1.10 and I want to use ldap like a backend in
> authorize section to take userPassword attribute (unix crypt) to
> authenticate the user.
>
> My problem is: the ldap server doesn't have public key that an admin user (who
> bind) can take. So I have to bind in the authorize section with the user and
> password (clear text) in the request.
>
> Is this possible?
>
> I have read that this is not ok
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html
>
> What are my possibilities?

I think that what I can do is:

- in authorize section bind as anonymous user and take the public attributes that I need to authorize the user.
- in authenticate section bind as the user who wants to access.

The configuration that works:

LDAP MODULE

    ldap ldapPerson {
        server = "xxx"
        basedn = "ou=people,dc=unex,dc=es"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldapPerson.attrmap
        edir_account_policy_check = no
        set_auth_type = yes
    }

SERVER

    server test {
        authorize {
            suffix
            files
            ldapPerson
            expiration
            update control {
                Auth-Type := "LDAP"
            }
        }
        authenticate {
            Auth-Type LDAP {
                ldapPerson
            }
        }
    }

DEBUG

    rad_recv: Access-Request packet from host x.x.x.x port 48259, id=145, length=58
            User-Name = "aigalla...@unex.es"
            User-Password = "xxxx"
    server test {
    # Executing section authorize from file /etc/freeradius/sites-enabled/test
    +- entering group authorize {...}
    [suffix] Looking up realm "unex.es" for User-Name = "aigalla...@unex.es"
    [suffix] Found realm "unex.es"
    [suffix] Adding Stripped-User-Name = "aigallardo"
    [suffix] Adding Realm = "unex.es"
    [suffix] Authentication realm is LOCAL.
    ++[suffix] returns ok
    [files] users: Matched entry DEFAULT at line 33
    ++[files] returns ok
    [ldapPerson] performing user authorization for aigallardo
    [ldapPerson] expand: %{Stripped-User-Name} -> aigallardo
    [ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo)
    [ldapPerson] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
    [ldapPerson] ldap_get_conn: Checking Id: 0
    [ldapPerson] ldap_get_conn: Got Id: 0
    [ldapPerson] attempting LDAP reconnection
    [ldapPerson] (re)connect to x.x.x.x:389, authentication 0
    [ldapPerson] bind as / to x.x.x.x:389
    [ldapPerson] waiting for bind result ...
    [ldapPerson] Bind was successful
    [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo)
    [ldapPerson] No default NMAS login sequence
    [ldapPerson] looking for check items in directory...
    [ldapPerson] looking for reply items in directory...
    [ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez..."
    WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
    [ldapPerson] user aigallardo authorized to use remote access
    [ldapPerson] ldap_release_conn: Release Id: 0
    ++[ldapPerson] returns ok
    ++[expiration] returns noop
    ++[control] returns noop
    Found Auth-Type = LDAP
    # Executing group from file /etc/freeradius/sites-enabled/test
    +- entering group LDAP {...}
    [ldapPerson] login attempt by "aigallardo" with password "xxxx"
    [ldapPerson] user DN: uid=aigallardo,ou=People,dc=unex,dc=es
    [ldapPerson] (re)connect to x.x.x.x:389, authentication 1
    [ldapPerson] bind as uid=aigallardo,ou=People,dc=unex,dc=es/xxxxx to x.x.x.x:389
    [ldapPerson] waiting for bind result ...
    [ldapPerson] Bind was successful
    [ldapPerson] user aigallardo authenticated succesfully
    ++[ldapPerson] returns ok
    } # server test
    Sending Access-Accept of id 145 to x.x.x.x port 48259
            Nombre-Completo = "Ana-Isabel Gallardo Gomez..."

I don't know if this is the best way to solve my problem; if someone has something better, I would like to know. Thank you very much and sorry for my English.

++ Ana Gallardo Gómez ++
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
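Added configuration example, not from the post above: the same anonymous-search-then-user-bind layout for FreeRADIUS 2.1.x, but with the rlm_ldap tls block switched on so that the cleartext User-Password used for the authenticate-phase bind (and the anonymous search traffic) does not cross the network unencrypted; the hostname and CA file path are placeholders.

```unlang
# Added example (not the poster's config): two-bind rlm_ldap setup with
# StartTLS. Hostname and certificate path are placeholders.
ldap ldapPerson {
    # placeholder hostname; use the directory server's real name, since
    # the certificate check below is done against it
    server = "ldap.example.invalid"
    port = 389
    basedn = "ou=people,dc=unex,dc=es"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    # no identity/password: the authorize-phase search is an anonymous
    # bind, so the directory must permit anonymous read of uid and of the
    # attributes mapped in ldapPerson.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = yes
        # placeholder path to the CA that signed the LDAP server certificate
        cacertfile = /etc/freeradius/certs/ldap-ca.pem
        # refuse the connection when the server certificate does not verify
        require_cert = "demand"
    }
    dictionary_mapping = ${confdir}/ldapPerson.attrmap
    edir_account_policy_check = no
    # userPassword is not readable anonymously, so no "known good" password
    # is found; with set_auth_type = yes rlm_ldap sets Auth-Type = LDAP itself
    set_auth_type = yes
}

server test {
    authorize {
        suffix
        files
        ldapPerson
        expiration
    }
    authenticate {
        Auth-Type LDAP {
            # binds as the DN found in authorize using the cleartext
            # User-Password from the request: works for PAP only, never
            # for CHAP, MS-CHAP or EAP inner methods that lack the cleartext
            ldapPerson
        }
    }
}
```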