From: kkalev Date: Sat, 3 Apr 2004 20:28:12 +0000 (+0000) Subject: Add a few comments on the user of the Ldap-UserDN attribute X-Git-Tag: release_1_0_0_pre1~174 X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=8fc308a2c37f2ff3387bcfbf5b2f00b75419d39c;p=freeradius.git Add a few comments on the user of the Ldap-UserDN attribute --- diff --git a/doc/rlm_ldap b/doc/rlm_ldap index c6fa4d0..ccfe243 100644 --- a/doc/rlm_ldap +++ b/doc/rlm_ldap @@ -283,6 +283,19 @@ DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject Reply-Message = "Sorry, you are not allowed to have dialup access" +USERDN Attribute: +When rlm_ldap has found the DN corresponding to the username provided in the access-request +(all this happens in the authorize section) it will add an Ldap-UserDN attribute in the check +items list containing that DN. The attribute will be searched for in the authenticate section +and if present will be used for authentication (ldap bind with the user DN/password). Otherwise +a search will be performed to find the user dn. If the administrator wishes to use rlm_ldap only +for authentication or does not wish to populate the identity,password configuration attributes +he can set this attribute by other means and avoid the ldap search completely. For instance it can +be set through the users file in the authorize section: + +DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com` + + DIRECTORY COMPATIBILITY NOTE: If you use LDAP only for authorization and authentication (e.g. you can not afford schema extention), I propose to set all necessary attributes in raddb/users file with following authorize section
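Review bot: The users-file example at the end of the hunk (`DEFAULT Ldap-UserDN := \`uid=%{User-Name},ou=people,dc=company,dc=com\``) expands User-Name verbatim into a DN, and the new paragraph says this path "avoid[s] the ldap search completely", so none of the module's own escaping applies; the documentation should state that characters with special meaning in a DN (comma, plus, double quote, backslash, angle brackets, semicolon, equals, and leading or trailing spaces) must be escaped or the accepted usernames restricted (for example with a `User-Name =~` check item on the same entry) before an administrator copies this line. Two smaller points in the same paragraph: "identity,password configuration attributes" is missing a space after the comma and would read better as "the identity and password configuration attributes", and "user dn" should be "user DN" to match the capitalisation used elsewhere in the paragraph. The commit subject reads "comments on the user of the Ldap-UserDN attribute" where "use" is meant.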