On Fri, 2004-08-27 at 23:56, Alan DeKok wrote:
> > However my ldap does not have the password, instead it acts as a proxy,
> > it needs the password (in case from the radius server)
>
> Uh, no.
> So... why not configure FreeRADIUS to do the kerberos authentication
> itself? The server comes with a kerberos module.
>

Hi Alan, thanks for the reply!

Because freeradius is one small part of the whole system: ldap and kerberos auth system. Kerberos knows nothing but username-password pairs. LDAP knows nothing but username-attributes tuples. It's not my choice, however it would be nice if switch authentication, VPN usernames, wireless users, ssh accounts, windows domain logon accounts etc. would be all the same. The last two are.

> > Is it possible to make freeradius to _give_ password to the ldap server,
> > instead of requesting it?
>
> If you set Auth-Type = LDAP, then Access-Request packets containing
> User-Password attributes will bind to the LDAP database, and
> authenticate that way. How your LDAP server uses that password is up
> to it.
>

Thanks, I'll try this.

> But be warned that NOTHING other than PAP will work. CHAP, MS-CHAP,
> etc. will all fail.
>

Understood.

> > I believe that my radius has no business making decisions over one's
> > password.
>
> Then why are you running RADIUS?
>

a) switches know nothing about kerberos, and I'm tired of configuring switch accounts on >50 devices
b) kerberos does not do accounting

Thanks for your reply, it helped me a lot!

adam

