FR + LDAP + ADS 2003 password questions

Jacob Jarick mem.namefix at
Mon Apr 23 13:18:47 CEST 2007

Here is a 57kb tar.gz of my /etc/raddb folder containing all configs.


Hello, I have been reading everything I can get my hands on to resolve
this problem I'm having. The error message related to this problem:
Attribute "User-Password" is required for authentication.

Now I have just read through "doc/rlm_ldap" again and the 4th last
paragraph made me wonder if this current method I'm trying is

LDAP and Active Directory

Active directory does not return anything in the userPassword
attribute, unlike other LDAP servers.  As a result, you cannot use
Active Directory to perform CHAP, MS-CHAP, or EAP-MD5 authentication.
You can only use PAP, and then only if you list "ldap" in the
"authenticate" section.

To do MS-CHAP against an Active Directory domain, see the comments in
radiusd.conf, about "ntlm_auth".  You will need to install Samba.

Is it true that the only way to authenticate against Active Directory
is using ntlm_auth?
I have been specifically asked not to use the ntlm_auth method against
AD out of security concerns from having Samba installed. I can't see the
risk of having Samba installed myself if no directories are being
shared (please correct me if I'm wrong).

I have enabled anonymous LDAP searches on the ADS.

On Friday I added this line to ldap.attrmap:
"checkItem       userPassword                    User-Password"

And it worked for that day. I came back after the weekend, copied the
configs across to my 2nd Linux machine and retried, but it failed with
the old error mentioned above. I tried on the test server and it now
fails as well with the same error (possibly the server was reset over the
weekend or something, I dunno).

My test shows that anonymous search is definitely working:
ldapsearch -h -b 'dc=tfxschool,dc=internal' -x -LLL -s sub

I don't have access to the machines atm (finished work for the day) but
I did notice that down the bottom of ldap.attrmap I still have these
entries, which were suggested by a thread I found on Google (same error
message). I'm wondering if these lines will be adversely affecting my
entry above and/or LDAP authentication in general.

checkItem       LM-Password                     lmPassword
checkItem       NT-Password                     ntPassword
checkItem       User-Password                   lmPassword

Thanks in advance, people, I really appreciate the help I have been
getting on this mailing list.
It has been an epic struggle for me so far (learning Perl + SNMP +
Cisco was easier) but I haven't given up hope yet!
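The behaviour the quoted doc/rlm_ldap paragraph describes, as an added example that is not part of the original post or of FreeRADIUS itself: a small Python simulation of how ldap.attrmap checkItem lines (column order `checkItem RADIUS-attribute LDAP-attribute`, as in FreeRADIUS 1.x) turn a fetched directory entry into RADIUS check items, and which authentication methods those items can then satisfy. The attrmap excerpt and both directory entries are constructed samples, and the per-method requirement table is an assumption spelled out in the code (CHAP and EAP-MD5 need the cleartext password, MS-CHAP needs the NT hash or the cleartext, PAP can fall back to an LDAP bind only when ldap is listed in the authenticate section).

```python
"""Added example, not code from the thread or from FreeRADIUS.

Simulates the ldap.attrmap 'checkItem' mapping: which RADIUS check items an
LDAP entry yields, and which authentication methods those items support.
Column order assumed (FreeRADIUS 1.x):  checkItem <RADIUS attr> <LDAP attr>
All sample data below is constructed.
"""

# Hypothetical attrmap excerpt, modelled on the lines quoted in the post.
ATTRMAP = """\
# kind        RADIUS attribute   LDAP attribute
checkItem     LM-Password        lmPassword
checkItem     NT-Password        ntPassword
checkItem     User-Password      userPassword
"""

# Assumption: what each method needs on the RADIUS side. CHAP (RFC 1994) and
# EAP-MD5 hash the cleartext password with the challenge, so the server must
# hold the cleartext. MS-CHAP can work from the NT hash. PAP can compare a
# stored password or, with rlm_ldap in 'authenticate', bind as the user
# ("BIND" below) without the server ever seeing a stored password.
NEEDS = {
    "PAP":     ("User-Password", "NT-Password", "LM-Password", "BIND"),
    "CHAP":    ("User-Password",),
    "EAP-MD5": ("User-Password",),
    "MS-CHAP": ("NT-Password", "User-Password"),
}

# Constructed sample: an OpenLDAP-style entry that returns userPassword.
OPENLDAP_ENTRY = {"uid": "jdoe", "userPassword": "example-cleartext"}

# Constructed sample: an AD user object. AD never returns a password
# attribute over LDAP (unicodePwd is write-only), so none is present.
AD_ENTRY = {"sAMAccountName": "jdoe", "displayName": "J. Doe"}


def parse_attrmap(text):
    """Return [(kind, radius_attr, ldap_attr)], skipping comments and blanks.

    Raises ValueError on a line that does not have exactly three columns.
    """
    mapping = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("checkItem", "replyItem"):
            raise ValueError(
                "line %d: expected 'checkItem|replyItem RADIUS-attr LDAP-attr'"
                % lineno)
        mapping.append(tuple(parts))
    return mapping


def check_items(mapping, entry):
    """Build RADIUS check items from one LDAP entry (dict attr -> value).

    Only checkItem lines whose LDAP attribute actually came back in the
    entry produce a check item; a missing attribute silently maps to nothing,
    which is exactly why AD yields no User-Password.
    """
    items = {}
    for kind, radius_attr, ldap_attr in mapping:
        if kind == "checkItem" and ldap_attr in entry:
            items[radius_attr] = entry[ldap_attr]
    return items


def usable_methods(items, ldap_in_authenticate):
    """Methods the check items can satisfy, in NEEDS order."""
    available = set(items)
    if ldap_in_authenticate:
        available.add("BIND")
    return [m for m, needs in NEEDS.items() if available & set(needs)]


def missing_for(items, method):
    """Stored attributes that would let `method` work but are absent."""
    return [a for a in NEEDS[method] if a != "BIND" and a not in items]


if __name__ == "__main__":
    mapping = parse_attrmap(ATTRMAP)
    for name, entry in (("OpenLDAP", OPENLDAP_ENTRY), ("AD", AD_ENTRY)):
        items = check_items(mapping, entry)
        print("%s entry -> check items: %s" % (name, sorted(items)))
        print("  with ldap in authenticate: %s" % usable_methods(items, True))
        print("  without:                   %s" % usable_methods(items, False))
        print("  CHAP is missing:           %s" % missing_for(items, "CHAP"))
```

Run it and the AD entry produces no check items at all, so every method except a PAP bind is unavailable, which is the condition behind the "User-Password is required" message; the OpenLDAP entry, which does return userPassword, satisfies all four.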

