ldap authentication works on v1.1.4 but fails on 2.1.3

Alan DeKok aland at deployingradius.com
Mon Mar 16 09:22:36 CET 2009


Leese, MJ (Mark) wrote:
> In the authorize section FreeRADIUS anonymously binds to our LDAP server
> (Active Directory) and searches for the user identified in the
> Access-Request (in my case we change the default search filter to
> 'sAMAccountName' as our AD doesn't contain 'uid'). If a match is found I
> think the user's full Distinguished Name (e.g.
> CN=bill,DC=foo,DC=ac,DC=uk) is added to the list of check items, and
> Auth-Type is set to 'ldap'.

  The "known good" password is also found, and added to the control
items.  In 2.x, Auth-Type is NOT set to 'ldap' when this happens.

> In the authenticate section, FreeRADIUS
> binds to the LDAP server using the user's full DN and the password
> supplied in the Access-Request. If the bind is successful, the user is
> authenticated because the password must have been correct.

  In 2.x, the "pap" module should be listed LAST in the "authorize"
section.  If it finds a "known good" password in the control items, it
sets Auth-Type to PAP.

  This enables you to store passwords in LDAP in many different forms,
and to have the largest number of authentication types "just work".  It
also avoids an extra LDAP bind for authentication.  That LDAP bind just
isn't necessary.

> I've recently updated a server to FreeRADIUS 2.1.3 and all
> authentications now fail. LDAP is not set as the authentication method
> during the authorize section. I don't know why as I can't see any
> configuration options which I've set differently between the two
> versions. I still get the debug message "Info: [ldap] user <username>
> authorized to use remote access" in the authorize section, so this
> suggests that the anonymous bind and search work ok.

  You haven't put "pap" as the last module in the "authorize" section.

  Alan DeKok.
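Editor's note: the ordering Alan describes, shown as an added example (this is not configuration from the post or from the FreeRADIUS distribution). It is the authorize and authenticate sections of a 2.x virtual server such as raddb/sites-enabled/default, and it assumes the ldap module in raddb/modules/ldap is already pointed at the directory with a filter on sAMAccountName, as the original poster has done; no hostnames or DNs are shown here.

```unlang
# Added example of the 2.x module ordering described above.
# Assumes raddb/modules/ldap is configured (server, basedn, and
# filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})").

authorize {
	preprocess
	chap
	mschap
	suffix
	eap {
		ok = return
	}
	files

	# In 2.x the ldap module only looks the user up here and copies any
	# readable "known good" password into the control items.  It does
	# NOT set Auth-Type.
	ldap

	expiration
	logintime

	# pap must be the LAST module in this section.  It sees the control
	# item ldap just added and sets Auth-Type := PAP.  If pap runs before
	# ldap, the control list is still empty when it runs, Auth-Type is
	# never set, and every request is rejected, which is the symptom in
	# the original post.
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	eap

	# 1.x-style bind as the user.  Nothing in the authorize section above
	# selects it; it only runs if something sets Auth-Type := LDAP.
	Auth-Type LDAP {
		ldap
	}
}
```

Caveat from the editor, not from the post: Active Directory never returns a password attribute over LDAP, so against AD the ldap module has nothing to add to the control items and pap, however late it is listed, will not set Auth-Type. For AD the bind in the Auth-Type LDAP block is still needed, which means Auth-Type must be forced to LDAP explicitly (for example with a `DEFAULT Auth-Type := LDAP` entry in the users file), or the deployment must use MS-CHAP with ntlm_auth instead of PAP.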
