FDS + Freeradius = pain.

Joey McDonald jmcdice at gmail.com
Fri Feb 3 17:32:39 CET 2006


Hi Phil,

Thanks for the response.

> > rlm_ldap: Adding userPassword as User-Password, value { & op=21
>
> The line above looks wrong, but it never ends up being a problem
> because...
>
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: user joey authorized to use remote access
> > rlm_ldap: ldap_release_conn: Release Id: 0
>
> ...during authenticate...


Sure, I don't think that FDS has the RADIUS extensions yet, although I've
created an LDIF to add them if needed. In the meantime I've just
commented out:
   access_attr = "dialupAccess"

because I want all my users to be able to use the VPN.

> > rlm_ldap: - authenticate
> > rlm_ldap: login attempt by "joey" with password "xxxxxxxx"
> > rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net
> > rlm_ldap: (re)connect to ldap.example.net:389, authentication 1
> > rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to
> > ldap.example.net:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: user joey authenticated succesfully
>
> ...auth-type == LDAP and an LDAP simple bind is done to answer the PAP
> request from radtest. This ONLY works with PAP because an LDAP simple
> bind needs the plaintext password.
>
> > Login OK: [joey/xxxxxxx] (from client el-oso port 0)
> > Sending Access-Accept of id 116 to 172.33.100.18:32811
> >
> > So that tells me that I've got the communication to my LDAP server
> > properly configured.
> >
> > However when my PPTP server sends authentication requests to my radius
> > server, I always get "Login incorrect: [joey/<no User-Password
> > attribute>]"
>
> Since it's a PPTP server you are almost certainly going to be using
> MS-CHAP, which requires either:
>
>   1. The NT password hash to be in LDAP and readable by FreeRadius
>   2. The plaintext password to be in LDAP and readable
>   3. Samba, domain membership, winbind and the ntlm_auth plugin option
> for the mschap module


Well, I'm not using Windows systems at all - I've got OS X clients and a
Linux-based PPTP server. The passwords are stored as SSHA in my LDAP
directory. That finally makes sense as to why radtest works, so thanks! My
next question is, what Auth-Type should I be using for SSHA hashes stored in an
LDAP directory? Clearly LDAP isn't going to be it if it doesn't support
decrypting passwords, and I don't wish to store passwords in plain text in
the directory.