
List:       freeradius-users
Subject:    Re: questions about RADIUS-LDAP integrations
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2010-08-30 10:40:26
Message-ID: 4C7B8A9A.6030907 () deployingradius ! com

matteo@crs4.it wrote:
> I've been using freeradius for 1 month. I'm running freeradius 2.1.9 on
> fedora 13 with EAP-TTLS and PAP inside the tunnel. The users are
> authenticated against OpenLDAP. Even if the password is cleartext (PAP),
> it should be protected by the encrypted tunnel. Then the first question is:
> Is this mechanism quite secure or do you suggest using another mechanism?

  It's fine.

> If I'm not wrong, there should be two different methods to get
> authentication with LDAP as backend. The first is to just pass the
> credentials to the ldap server and try to authenticate. The second is
> that freeradius obtains the password from ldap, strips the header
> (i.e. {crypt}), takes the first two characters of the salt and uses it to
> crypt the password sent by the . If the two hashes are the same, the user is
> authenticated. In this case which is the best method and how do the relevant
> files have to be modified? Should I also modify ldap.attmap?

  The best method is to uncomment the "ldap" entries in
raddb/sites-enabled/default, and let the server figure it out.

  i.e. Make minimal edits.  *Don't* make a lot of changes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html