List: freeradius-devel
Subject: Re: debugging rlm_ldap
From: Adrian Pavlykevych <pam () polynet ! lviv ! ua>
Date: 2000-06-02 20:53:52
On Fri, Jun 02, 2000 at 03:05:24PM -0400, Weston Bustraan wrote:
>
> LDAP_USERDN for? How does it eliminate an LDAP lookup?
RLM_LDAP has two functions:
authorization (go/no-go)
authentication
They are called from the main radiusd program, and the only info you have is passed through the request structure to the functions.
So first, in the authorization phase, we need to locate the LDAP object corresponding to the radius username (one lookup), then check group membership (one more lookup).
If you are then going to authentication, you will need again to find the DN of the LDAP object to make the subsequent authenticated bind to verify the user password.
So rad_authorize, upon successful authorization of the user, appends the DN of the object to the request structure. As the request is just a bunch of RADIUS attribute/value pairs, I had to define a new attribute to store the DN in. So, when rlm_authenticate is later called, it doesn't need to make a directory lookup to find out the DN and can proceed directly to the binding/password verification phase.
In case the LDAP module is configured to handle _only_ authentication, rlm_authenticate can't rely on prior knowledge of the user's DN and does the lookup by itself.
I hope my explanation made sense to you. Have a nice day!
--
Adrian Pavlykevych email: <pam@polynet.lviv.ua>
System Administrator phone/fax: +380 (322) 742041
State University "Lvivska Polytechnica"
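The two-phase flow described in the message above, as an added self-contained model written for this page (it is not rlm_ldap's or FreeRADIUS's code): the authorize hook searches the directory for the user's object and its group, then appends the DN to the request as an attribute/value pair so the authenticate hook can bind with it directly; when the authorize hook never ran, the authenticate hook searches for the DN itself. The AVP list, the mock directory with its search counter, the attribute numbers and every function name here are constructed for the example.

```c
/* Added example, not rlm_ldap's code: models caching the user's DN in the
 * request between the authorize and authenticate phases. The AVP list, the
 * mock directory, the attribute numbers and the function names are all
 * constructed for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ATTR_USER_NAME   1     /* constructed attribute numbers, not real   */
#define ATTR_LDAP_USERDN 1200  /* FreeRADIUS dictionary values              */

typedef struct avp {            /* one RADIUS attribute/value pair */
    int attr;
    char value[128];
    struct avp *next;
} avp_t;

typedef struct { avp_t *pairs; } request_t;   /* the request: a list of pairs */

/* Constructed mock directory standing in for the LDAP server. */
typedef struct { const char *uid, *dn, *group, *password; } dir_entry_t;
static const dir_entry_t directory[] = {
    { "alice", "uid=alice,ou=people,dc=example,dc=org", "dialup", "secret"  },
    { "bob",   "uid=bob,ou=people,dc=example,dc=org",   "staff",  "hunter2" },
};
#define DIR_SIZE (sizeof directory / sizeof directory[0])

static int lookup_count = 0;           /* number of simulated directory searches */
int ldap_lookup_count(void) { return lookup_count; }
void ldap_reset_lookup_count(void) { lookup_count = 0; }

static const dir_entry_t *dir_search(const char *uid) {
    lookup_count++;
    for (size_t i = 0; i < DIR_SIZE; i++)
        if (strcmp(directory[i].uid, uid) == 0) return &directory[i];
    return NULL;
}

/* Simulated authenticated bind: succeeds only for a matching DN/password. */
static int dir_bind(const char *dn, const char *password) {
    for (size_t i = 0; i < DIR_SIZE; i++)
        if (strcmp(directory[i].dn, dn) == 0 &&
            strcmp(directory[i].password, password) == 0) return 1;
    return 0;
}

avp_t *pair_find(request_t *r, int attr) {
    for (avp_t *p = r->pairs; p; p = p->next)
        if (p->attr == attr) return p;
    return NULL;
}

void pair_add(request_t *r, int attr, const char *value) {
    avp_t *p = calloc(1, sizeof *p);
    if (!p) { perror("calloc"); exit(EXIT_FAILURE); }
    p->attr = attr;
    snprintf(p->value, sizeof p->value, "%s", value);
    p->next = r->pairs;
    r->pairs = p;
}

void request_free(request_t *r) {
    while (r->pairs) { avp_t *n = r->pairs->next; free(r->pairs); r->pairs = n; }
}

/* Authorization: locate the object (search 1), check group membership
 * (search 2), then cache the DN in the request for the authenticate phase. */
int ldap_authorize(request_t *r, const char *required_group) {
    avp_t *user = pair_find(r, ATTR_USER_NAME);
    if (!user) return 0;
    const dir_entry_t *e = dir_search(user->value);
    if (!e) return 0;
    const dir_entry_t *g = dir_search(user->value);   /* group membership search */
    if (!g || strcmp(g->group, required_group) != 0) return 0;
    pair_add(r, ATTR_LDAP_USERDN, e->dn);
    return 1;
}

/* Authentication: bind with the cached DN if authorize() left one behind;
 * otherwise (module configured for authentication only) search for it. */
int ldap_authenticate(request_t *r, const char *password) {
    const char *dn;
    avp_t *cached = pair_find(r, ATTR_LDAP_USERDN);
    if (cached) {
        dn = cached->value;
    } else {
        avp_t *user = pair_find(r, ATTR_USER_NAME);
        if (!user) return 0;
        const dir_entry_t *e = dir_search(user->value);
        if (!e) return 0;
        dn = e->dn;
    }
    return dir_bind(dn, password);
}

int main(void) {
    request_t r = { NULL };
    pair_add(&r, ATTR_USER_NAME, "alice");
    int authz = ldap_authorize(&r, "dialup");
    int authn = ldap_authenticate(&r, "secret");
    printf("authorize=%d authenticate=%d directory searches=%d\n",
           authz, authn, ldap_lookup_count());
    request_free(&r);
    return 0;
}
```

Running the full flow for "alice" costs two directory searches in the authorize phase and none in the authenticate phase, because the bind uses the DN already stored in the request; a request that reaches the authenticate hook without the cached attribute costs one extra search, which is the authentication-only case the message describes.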