> -----Original Message-----
> From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On behalf of Sundaram Divya-QDIVYA1
> Sent: Thursday 30 November 2006 23:51
> To: freeradius-users@lists.freeradius.org
> Subject: FreeRadius and LDAP
>
> We don't use openldap or eDirectory - which is what the docs are derived from.

This shouldn't be an issue if your directory is really LDAP compliant.

> The information for FreeRADIUS and LDAP seems to suggest that I need to provide access to the LDAP server's password to the service account that the FreeRADIUS Server uses.

This is often required, but not always: if you are using an authentication protocol that transmits the password in cleartext to the radius server (such as PAP), you can avoid this.

> What I need to understand is how to integrate FreeRADIUS with an LDAP Server without exposing the (crypted) password hashes. Any pointers on what I need to do for that?

* Enable the ldap module in the authorize section (so that Auth-Type is set to LDAP [FR >= 1.1.3])
* If you are running FR <= 1.1.3 then you'll have to set Auth-Type = LDAP manually (see the "users" file from rlm_files or the rlm_sql module)
* Enable the ldap module in the authenticate section as well (so that a simple ldap bind authentication is performed)
* In the ldap configuration section, you can use an LDAP account that does not have read access to the userPassword attribute

BUT
===
Remember that this is NOT compatible with a lot of authentication protocols (MSCHAP, CHAP, PEAP, ...). It is working for PAP and EAP-TTLS/PAP.

HTH,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
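A radiusd.conf fragment (FreeRADIUS 1.x syntax) showing the bind-only setup the reply describes; this is an added example, not configuration from the post, and the LDAP hostname, base DN, service-account DN and its secret are assumed placeholders.

```conf
# rlm_ldap module definition. The service account below only looks up
# the user's DN; it is NOT granted read access to userPassword.
# Hostname, base DN and bind DN are assumed placeholders.
ldap {
    server = "ldap.example.com"
    identity = "cn=radius-lookup,ou=services,dc=example,dc=com"
    password = "lookup-account-secret"
    basedn = "ou=people,dc=example,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    # password_attribute is deliberately left unset: the server never
    # reads a hash, so it cannot serve MS-CHAP, CHAP or PEAP from this
    # directory; only PAP and EAP-TTLS/PAP will succeed.
}

authorize {
    preprocess
    # On FR <= 1.1.3 the users file must force the auth type, e.g. a line
    #   DEFAULT Auth-Type := LDAP
    files
    # On FR >= 1.1.3 the ldap module finds the user and sets Auth-Type = LDAP
    ldap
}

authenticate {
    # Simple bind as the user's own DN with the password supplied in the
    # Access-Request. Works only when that password reaches the server in
    # cleartext (PAP, EAP-TTLS/PAP).
    Auth-Type LDAP {
        ldap
    }
}
```

A quick check that the restriction is in place is to search for the user entry with the service account's credentials and confirm that no userPassword attribute comes back.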