On Mon, 4 Apr 2005, Martin Pauly wrote:

Hello,

I'm using freeradius 1.0.1 with OpenLDAP as authentication backend.
Authentication does work the usual way: First do an anonymous bind,
then perform a search for some object representing the user (it's
PosixAccount with CRYPTed UNIX passwords, nothing special at all),
and finally use the search result to reconnect.

The point is: I _only_ need simple UNIX-like password checking,
no NT-Passwords, no user Profiles, no other fancy stuff.
What's more, I know exactly where my accounts are located in the
LDAP tree, i.e. I can predict the search result right from the
start (provided the username does exist, of course).

So I would like to avoid the search step altogether and attempt to
connect to LDAP with the account DN and the password immediately.
Is this possible?


Put the ldap module only in the authenticate section, set up an Auth-Type to point to it and use the hints file to create an Ldap-UserDN attribute with the predicted user dn during the authorize section:

hints:

DEFAULT
        Ldap-UserDn := "uid=%{User-Name:-DEFAULT},ou=people,dc=company,dc=com"

I haven't tried the above scenario but I think it will work.
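An added illustration, not part of this thread or of the freeradius code base: when Ldap-UserDn is built by substituting User-Name straight into a DN, the server binds as whatever DN the client-supplied name produces, so the name should be constrained before it reaches the directory. The Python below (hypothetical helpers user_dn and escape_dn_value; the base DN is the one from the hints entry above, the uid pattern is an assumption) applies a strict uid allowlist first and, as a second layer, RFC 4514 escaping of DN separators.

```python
from typing import Optional
import re

# Base DN taken from the hints example in this thread.
BASE_DN = "ou=people,dc=company,dc=com"

# Shape of a posixAccount uid this deployment is willing to bind as
# (assumption: conventional UNIX login names, at most 32 characters).
UID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$")

# RFC 4514 section 2.4: characters that must be backslash-escaped
# anywhere inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for inclusion in a DN (RFC 4514 rules).

    Besides the characters in _DN_SPECIAL, a leading '#', a leading or
    trailing space, and NUL need escaping; NUL is written as the hex pair 00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(username: str, strict: bool = True, base_dn: str = BASE_DN) -> Optional[str]:
    """Predict the DN to bind as, the way the hints entry does, but guarded.

    With strict=True (the mode a RADIUS server should run in) any name that is
    not a plain uid is rejected outright, so no bind is attempted at all.
    With strict=False the name is still escaped, so DN separators inside it
    cannot change which entry the bind is directed at.
    """
    if strict and not UID_RE.match(username):
        return None
    return f"uid={escape_dn_value(username)},{base_dn}"


if __name__ == "__main__":
    # Constructed sample names: a normal login and one carrying a DN separator.
    for name in ["martin", "a,ou=admins"]:
        print(f"{name!r:16} strict       -> {user_dn(name)}")
        print(f"{name!r:16} escaped only -> {user_dn(name, strict=False)}")
```

The allowlist is the control that matters for the bind-only setup: a name that fails it never produces a DN, so the RADIUS host needs neither search nor read rights to reject it. The escaping function is there for base DNs or deployments whose uids legitimately contain such characters.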


There are two reasons behind this question:

1. Performance: Why do 3 Steps where 1 would be sufficient?
(Yes, we do already experience performance problems with about
20,000 users in OpenLDAP).

2. Security: MUCH more important
My friendly LDAP Admin is currently giving out privileges such as
auth, read, or write on a per-machine basis in slapd.conf/slurpd.conf
Actually, I could be happy with auth only, but for technical reasons,
I now need 'read' privileges. So if my RADIUS server ever gets hacked,
_all_ user passwords will be at risk. I know you can limit searching
capabilities in OpenLDAP, but I would surely prefer to avoid needless
searching in the first place.

Thanks for hints and replies
Martin

--
 Dr. Martin Pauly     Fax:    49-6421-28-26994
 HRZ Univ. Marburg    Phone:  49-6421-28-23527
 Hans-Meerwein-Str.   E-Mail: [EMAIL PROTECTED]
 D-35032 Marburg

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
