> On Sat, Mar 10, 2012 at 3:23 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
>> On Fri, Mar 09, 2012 at 10:59:46AM -0500, u...@3.am wrote:
>
>>> authenticate {
>>>
>>>        #Auth-Type LDAP {
>>>        redundant LDAP{
>>>                ldap1
>>>                ldap2
>>>
>>>        }
>
>
>> Using "ldap" in the authenticate section is a bit tricky, and you'd be wise
>> to avoid it if you can - if the LDAP server will "give" you the password
>> (plaintext or crypted) you're better off doing that in "authorize" and
>> letting FreeRADIUS perform the auth using rlm_pap or whatever.
>
> Yes.
>
> So to save lots of time and configuration problems: does your LDAP
> store user passwords in clear text or any "common" hash (e.g. md5,
> unix)? If yes, AND you know what the LDAP attribute is, you don't even
> need an LDAP section in authenticate.

Mostly crypt, but I've seen a few SSHA hashes.  I know the ldap attribute as
well.  Assuming those hashes are "common" enough, what do I need to do?

I should point out that I had been using:

DEFAULT         Auth-Type = Ldap

In the users file as well on the two older servers, despite docs that say that it
is "almost always wrong", but it was the only way we got it working.

I switched the conf files to the way Phil suggested and it complained about what I
was doing in the users file, so I just used the sample users file and it started
ok.  I've not been able to test authenticating against it yet.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
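
Added example, not part of the thread and not FreeRADIUS code: a Python illustration of the kind of local comparison a server can make once LDAP hands back the stored password in "authorize", for the value types mentioned above ({SSHA}, crypt, cleartext). The names `check_password`, `make_ssha` and `SCHEMES` and the sample password are constructed for this example.

```python
import base64
import hashlib
import hmac

# Hash constructor and digest length per scheme header (names are this example's own).
SCHEMES = {"SSHA": (hashlib.sha1, 20), "SHA": (hashlib.sha1, 20),
           "SMD5": (hashlib.md5, 16), "MD5": (hashlib.md5, 16)}


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value; used here only to construct sample data."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(stored: str, supplied: str) -> bool:
    """Compare a supplied password with a stored LDAP-style password value."""
    pw = supplied.encode()
    if not (stored.startswith("{") and "}" in stored):
        # No scheme header: the stored value is cleartext.
        return hmac.compare_digest(stored.encode(), pw)
    scheme, _, body = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CRYPT":
        try:
            import crypt  # Unix only; removed from the standard library in Python 3.13
        except ImportError as exc:
            raise ValueError("crypt(3) is not available in this Python") from exc
        hashed = crypt.crypt(supplied, body)  # body carries the salt
        return hashed is not None and hmac.compare_digest(hashed.encode(), body.encode())
    if scheme not in SCHEMES:
        # Fail loudly instead of treating an unknown header as cleartext.
        raise ValueError("unsupported password scheme: " + scheme)
    new_hash, size = SCHEMES[scheme]
    raw = base64.b64decode(body)
    if len(raw) < size:
        return False
    digest, salt = raw[:size], raw[size:]  # salt is empty for {SHA} and {MD5}
    return hmac.compare_digest(new_hash(pw + salt).digest(), digest)


if __name__ == "__main__":
    sample = make_ssha("correct horse", b"\x8a\x11\x5c\x02")  # constructed sample
    print(sample, check_password(sample, "correct horse"), check_password(sample, "wrong"))
```

The comparison needs the password in the request in cleartext form, and the stored value only has to be readable by the RADIUS server's LDAP bind account.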
