>> Do you really want to accept these users without checking their
>> passwords? That's a *very* bad idea.
>
>I agree. What am I missing? I thought the user passwords were
>checked by the ldap module via the authentication section. Is that
>not correct?
>
Remove those entries in users file. They are bypassing password
checking. If you want to accept only some ldap groups use unlang.
Something like:

if (Ldap-Group == something || Ldap-Group == something_else) {
        ok
}
else {
        update control {
                Auth-Type := Reject
        }
}

>> The group membership configurations should ensure that it's using the
>> memberOf attribute.
>
>Can you give me an example please? I'm not sure I understand...
>

Example is the default group membership query in raddb/modules/ldap.

>> Why are you not checking passwords? That's a bad idea...
>
>I thought I was... Do I need more than this?
>
>authenticate {
>        Auth-Type LDAP {
>                ldap
>        }
>}

Yes. Auth-Type LDAP needs to be set. If you force Auth-Type Accept in
users file this will never be used.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
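Added example (not part of the original message and not FreeRADIUS code): a small Python check that lists users-file entries whose check line forces Auth-Type to Accept, the kind of entry the reply above says bypasses password checking. The sample file contents and the name find_forced_accept are constructed for illustration.

```python
import re

# A check item that forces the Auth-Type control attribute to Accept.
# ":=" always sets it and "=" sets it when no other Auth-Type is present;
# "==" only compares, so it is not flagged.
FORCED_ACCEPT = re.compile(
    r'(?<![\w-])Auth-Type\s*(?::=|=)\s*"?Accept\b', re.IGNORECASE
)

# Constructed sample users file (not taken from the thread).
SAMPLE = """\
# constructed sample
DEFAULT Ldap-Group == "staff", Auth-Type := Accept
        Service-Type = Framed-User

guest   Auth-Type = Accept

DEFAULT Ldap-Group == "contractors", Auth-Type := Reject
"""


def find_forced_accept(users_text):
    """Return [(line_number, entry_name)] for entries that force Auth-Type Accept."""
    findings = []
    for lineno, line in enumerate(users_text.splitlines(), start=1):
        # Entry (check) lines start in column 0; indented lines are reply
        # items and lines starting with '#' are comments.
        if not line.strip() or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        name = parts[0]
        check_items = parts[1] if len(parts) > 1 else ""
        if FORCED_ACCEPT.search(check_items):
            findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in find_forced_accept(SAMPLE):
        print(f"line {lineno}: entry {name!r} forces Auth-Type Accept "
              "(no password check)")
```

Each reported entry is a candidate for removal or for replacement with a group check that leaves authentication to the ldap module.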