FR + LDAP + ADS 2003 password questions

Jacob Jarick mem.namefix at gmail.com
Mon Apr 23 13:18:47 CEST 2007


Here is a 57kb tar.gz of my /etc/raddb folder containing all configs.
http://rapidshare.com/files/27470184/20070420_ldap_working.tar.gz.html

--

Hello, I have been reading everything I can get my hands on to resolve
this problem I'm having. The error message related to this problem is:
Attribute "User-Password" is required for authentication.

Now I have just read through "doc/rlm_ldap" again and the 4th last
paragraph made me wonder if the current method I'm trying is
supported.

"
LDAP and Active Directory
-------------------------

Active directory does not return anything in the userPassword
attribute, unlike other LDAP servers.  As a result, you cannot use
Active Directory to perform CHAP, MS-CHAP, or EAP-MD5 authentication.
You can only use PAP, and then only if you list "ldap" in the
"authenticate" section.

To do MS-CHAP against an Active Directory domain, see the comments in
radiusd.conf, about "ntlm_auth".  You will need to install Samba.
"

Is it true that the only way to authenticate against Active Directory
is using ntlm_auth?
I have been specifically asked not to use the ntlm_auth method against
AD out of security concerns from having Samba installed. I can't see the
risk of having Samba installed myself if no directories are being
shared (please correct me if I'm wrong).

I have enabled anonymous LDAP searches on the ADS.

On Friday I added this line to ldap.attrmap:
"checkItem       userPassword                    User-Password"

And it worked for that day. I came back after the weekend, copied the
configs across to my 2nd Linux machine and retried, but it failed with
the old error mentioned above. I tried on the test server and it now
fails as well with the same error (possibly the server was reset over the
weekend or something, I dunno).

My test shows that anonymous search is definitely working:
ldapsearch -h 10.1.1.11 -b 'dc=tfxschool,dc=internal' -x -LLL -s sub 'objectclass=*'

I don't have access to the machines atm (finished work for the day) but
I did notice that down the bottom of ldap.attrmap I still have these
entries which were suggested by a thread I found on Google (same error
message). I'm wondering if these lines will be adversely affecting my
entry above and/or LDAP authentication in general.

"
checkItem       LM-Password                     lmPassword
checkItem       NT-Password                     ntPassword
checkItem       User-Password                   lmPassword
"

Thanks in advance people, I really appreciate the help I have been
getting on this mailing list.
It has been an epic struggle for me so far (learning Perl + SNMP +
Cisco was easier) but I haven't given up hope yet!
