
List:       freeradius-devel
Subject:    Re: debugging rlm_ldap
From:       Adrian Pavlykevych <pam () polynet ! lviv ! ua>
Date:       2000-06-02 20:53:52

On Fri, Jun 02, 2000 at 03:05:24PM -0400, Weston Bustraan wrote:
> 
> LDAP_USERDN for? How does it eliminate an LDAP lookup?
RLM_LDAP has two functions:
authorization (go/no-go)
authentication

They are called from the main radiusd program and the only info you have is passed through the request structure to the functions.

So first, in the authorization phase, we need to locate the LDAP object corresponding to the radius username (one lookup), then check group membership (one more lookup).

If you are then going to authentication, you will again need to find the DN of the LDAP object to make the subsequent authenticated bind to verify the user password.

So rad_authorize, upon successful authorization of the user, appends the DN of the object to the request structure. As the request is just a bunch of RADIUS attribute/value pairs, I had to define a new attribute to store the DN in. So, when rlm_authenticate is later called, it doesn't need to make a directory lookup to find out the DN and can proceed directly to the binding/password verification phase.

In case the LDAP module is configured to handle _only_ authentication, rlm_authenticate can't rely on prior knowledge of the user's DN and does the lookup by itself.

I hope my explanation made sense to you. Have a nice day!

-- 
Adrian Pavlykevych 			email: 		<pam@polynet.lviv.ua>
System Administrator			phone/fax:	+380 (322) 742041
State University "Lvivska Polytechnica"
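The authorize/authenticate split described above, as an added model that is not rlm_ldap's own code: the request is a dictionary of attribute/value pairs, a hypothetical "LDAP-UserDN" attribute carries the DN from the authorization step into the authentication step, and a fake directory counts searches so the saved lookup (and the authentication-only fallback) is visible. The directory contents, group name and attribute name are constructed for the example.

```python
# Constructed in-memory directory: DN -> (uid, password, groups)
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": ("alice", "s3cret", ["dialup"]),
    "uid=bob,ou=people,dc=example,dc=com": ("bob", "hunter2", ["staff"]),
}
DN_ATTR = "LDAP-UserDN"      # hypothetical attribute holding the located DN
REQUIRED_GROUP = "dialup"    # group the authorization check requires


class FakeLdap:
    """Stand-in for the directory server; counts searches (binds are not searches)."""

    def __init__(self):
        self.searches = 0

    def search_dn(self, username):
        """Locate the object whose uid matches the RADIUS User-Name."""
        self.searches += 1
        for dn, (uid, _pw, _groups) in DIRECTORY.items():
            if uid == username:
                return dn
        return None

    def in_group(self, dn, group):
        """Second search of the authorization phase: group membership."""
        self.searches += 1
        return group in DIRECTORY[dn][2]

    def bind(self, dn, password):
        """Authenticated bind as the user; succeeds only with the right password."""
        entry = DIRECTORY.get(dn)
        return entry is not None and entry[1] == password


def rlm_authorize(ldap, request):
    """Authorization (go/no-go): find DN, check group, append DN to the request."""
    dn = ldap.search_dn(request["User-Name"])
    if dn is None or not ldap.in_group(dn, REQUIRED_GROUP):
        return False
    request[DN_ATTR] = dn
    return True


def rlm_authenticate(ldap, request):
    """Authentication: reuse the DN stored by authorize, else look it up now."""
    dn = request.get(DN_ATTR) or ldap.search_dn(request["User-Name"])
    return dn is not None and ldap.bind(dn, request["User-Password"])


def radius_auth(ldap, username, password, ldap_authorize=True):
    """Run both phases; returns (accepted, number of LDAP searches performed)."""
    request = {"User-Name": username, "User-Password": password}
    if ldap_authorize and not rlm_authorize(ldap, request):
        return False, ldap.searches
    return rlm_authenticate(ldap, request), ldap.searches
```

With LDAP handling both phases a successful login costs two searches; with authentication only, rlm_authenticate performs the single DN lookup itself.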

