Derrick Woo wrote:
The LDAP server we have set up is used to authenticate users based on their
username and password.  If I were to query from the (Linux) command line
using ldapsearch, the query would appear as follows:

ldapsearch -x -h ldap.domain.com -b ou=ldap,o=domain.com -D uid=XXX,ou=it,o=domain.com -w 'YYY'

Where XXX is a person's username and YYY is their password.  That means a
person can only query their own information and not anyone else's (unless, of
course, they have someone else's username and password).

From what I can see, it doesn't appear as though the %{User-Name} variable
can be used within the "identity" setting in freeRADIUS 1.0.1.  If that's
correct, does it mean freeRadius won't be able to be used for this
particular setup?  If I hardcode a test username and password in the
configuration as follows:

server = "ldap.domain.com"
identity = "uid=XXX,ou=it,o=domain.com"
password = 'YYY'
basedn = "ou=ldap,o=domain.com"

it binds correctly.  However, for our particular setup, both the username
and password used to bind to the server need to be variable at run time.

"identity" and "password" are the DN and password of a user representing the *server*, e.g.

identity = "uid=freeRadiusServiceAccount,o=domain.com"

...the LDAP module first binds as identity, searches using the given "basedn" and "filter", then re-binds as the user, or returns access denied / not found.

If you don't have a service account and allow anonymous binds (eek) just comment identity and password out.
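To make the bind / search / re-bind sequence concrete, here is an added example (not code from the thread or from FreeRADIUS itself): a minimal in-memory model of what rlm_ldap does with "identity", "basedn" and the user's credentials. The directory entries, DNs and passwords are constructed for illustration.

```python
# Added example: a toy model of the rlm_ldap flow described above.
# Constructed directory: DN -> {password, uid}. Not real data.
DIRECTORY = {
    "uid=freeRadiusServiceAccount,o=domain.com":
        {"pw": "svc-secret", "uid": "freeRadiusServiceAccount"},
    "uid=alice,ou=it,o=domain.com": {"pw": "alice-pass", "uid": "alice"},
    "uid=bob,ou=sales,o=domain.com": {"pw": "bob-pass", "uid": "bob"},
}

ACCEPT, REJECT, NOTFOUND = "Access-Accept", "Access-Reject", "notfound"


def bind(dn, password, allow_anonymous=False):
    """Simple bind: anonymous if dn is None, otherwise DN and password must match."""
    if dn is None:
        return allow_anonymous
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["pw"] == password


def search(basedn, uid):
    """Return DNs under basedn whose uid matches, i.e. filter (uid=<uid>)."""
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith(basedn) and e["uid"] == uid]


def authenticate(username, user_password, identity, identity_password,
                 basedn="o=domain.com", allow_anonymous=False):
    """Mirror rlm_ldap: bind as identity, search for the user, re-bind as the user."""
    # Step 1: bind with the *server's* credentials (anonymously if identity is unset).
    if not bind(identity, identity_password, allow_anonymous):
        return REJECT  # service bind failed, so the module cannot even search
    # Step 2: resolve the RADIUS User-Name to a DN using basedn + filter.
    matches = search(basedn, username)
    if len(matches) != 1:
        return NOTFOUND
    # Step 3: re-bind as the resolved DN with the password from the Access-Request.
    return ACCEPT if bind(matches[0], user_password) else REJECT


if __name__ == "__main__":
    svc = ("uid=freeRadiusServiceAccount,o=domain.com", "svc-secret")
    print(authenticate("alice", "alice-pass", *svc))        # Access-Accept
    print(authenticate("alice", "wrong", *svc))             # Access-Reject
    print(authenticate("carol", "x", *svc))                 # notfound
    # No service account and anonymous binds disabled: nothing can be looked up.
    print(authenticate("alice", "alice-pass", None, None))  # Access-Reject
```

The last call shows why commenting out identity/password only works when the directory permits anonymous search; otherwise the user's DN can never be resolved from the bare username.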


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html