From 8fc308a2c37f2ff3387bcfbf5b2f00b75419d39c Mon Sep 17 00:00:00 2001
From: kkalev
Date: Sat, 3 Apr 2004 20:28:12 +0000
Subject: [PATCH] Add a few comments on the user of the Ldap-UserDN attribute
---
 doc/rlm_ldap | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/doc/rlm_ldap b/doc/rlm_ldap
index c6fa4d0..ccfe243 100644
--- a/doc/rlm_ldap
+++ b/doc/rlm_ldap
@@ -283,6 +283,19 @@ DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject
 Reply-Message = "Sorry, you are not allowed to have dialup access"
+USERDN Attribute:
+When rlm_ldap has found the DN corresponding to the username provided in the access-request
+(all this happens in the authorize section) it will add an Ldap-UserDN attribute in the check
+items list containing that DN. The attribute will be searched for in the authenticate section
+and if present will be used for authentication (ldap bind with the user DN/password). Otherwise
+a search will be performed to find the user dn. If the administrator wishes to use rlm_ldap only
+for authentication or does not wish to populate the identity,password configuration attributes
+he can set this attribute by other means and avoid the ldap search completely. For instance it can
+be set through the users file in the authorize section:
+
+DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`
+
+
 DIRECTORY COMPATIBILITY NOTE:
 If you use LDAP only for authorization and authentication (e.g. you can not afford schema extention), I propose to set all necessary attributes in raddb/users file with following authorize section
--
2.1.4