On Fri, Jun 22, 2012 at 1:30 PM, Tobias Hachmer <li...@kokelnet.de> wrote:
> In LDAP module configuration I set an identity. For my understanding this is
> for the ldap bind user. With this identity FR will get access to the ldap
> database, to do groupmembership information or attributes and so on.

Correct.

> But is this identity also needed for authentication only?

There are several ways you can use LDAP for authentication.

For "normal" LDAP servers which store the user password in an accessible attribute, with an optional supported encryption scheme, you only need the ldap module in the authorization phase to get the attribute. This is the recommended method. Other FR modules (pap, mschap) will then process the password attribute and compare it to the one in the request.

If the LDAP server does not expose the user password, or stores it in an unsupported encryption scheme, then you need to do an LDAP bind. However, in order to do that the request needs to be PAP, because you need the password the user inputs in plain text (i.e. the User-Password request attribute).

Either way, you need the identity to get user attributes from the LDAP server during the authorization phase. Without those attributes, the authentication phase will fail.

> In my setup I just want to authenticate my users against Microsoft Active
> Directory, authorization will be done through sql.
> So I thought about if I need the bind user. Am I right with this:
> FR or the ldap module will test if the username/password combination is
> correct against ldap. For that it will do a simple ldap bind with the
> credentials from access-request packet. So, is the identity really needed
> for authentication or is my understanding here wrong?
> Please point me to the right...

Windows clients will use PEAP-MSCHAPv2 for 802.1X. That means no User-Password attribute in the Access-Request packet, which means you can't do an LDAP bind. AD will not give out the user's encrypted password either. So in this case you'll also need ntlm_auth and do some special setup in FR.

Read http://deployingradius.com/documents/configuration/active_directory.html for details.

--
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
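An added illustration of the "recommended method" from the reply above (not code from the thread or from FreeRADIUS itself): the ldap module fetches the directory's password attribute during authorize, and a pap-style compare then checks it against the plaintext User-Password in the request. The `{SSHA}` format, the sample attributes and the request dictionaries are constructed here; the dispatch also shows why an MS-CHAP request, which carries only a challenge/response and no plaintext password, cannot be checked this way and needs an NT-hash source such as ntlm_auth against AD.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value:
    base64( SHA-1(password || salt) || salt )."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def pap_compare(stored: str, candidate: str) -> bool:
    """Compare a fetched userPassword attribute against a plaintext
    candidate, the way a pap-style module would (constant-time compare).
    Supported here: {SSHA}, {SHA}, and an unprefixed value treated as
    cleartext (an assumption of this example)."""
    cand = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(cand).digest(), raw)
    return hmac.compare_digest(stored.encode("utf-8"), cand)

def authenticate(request: dict, ldap_attrs: dict) -> Tuple[str, str]:
    """Decide the outcome from the RADIUS request attributes and the
    attributes the ldap module returned in authorize.
    Returns (decision, reason)."""
    stored = ldap_attrs.get("userPassword")
    if stored is None:
        # Authorize returned nothing usable: bind identity missing or
        # attribute not readable; nothing for pap/mschap to compare.
        return ("Access-Reject", "no password attribute from authorize")
    if "User-Password" in request:
        ok = pap_compare(stored, request["User-Password"])
        return ("Access-Accept" if ok else "Access-Reject", "pap compare")
    if "MS-CHAP-Response" in request:
        # Only a challenge/response is present; a hashed userPassword cannot
        # be turned into the NT hash MS-CHAPv2 needs (ntlm_auth path).
        return ("Access-Reject", "MS-CHAP needs NT hash, not userPassword")
    return ("Access-Reject", "unsupported authentication type")
```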