jdennis at redhat.com
Fri Apr 30 13:55:36 CEST 2010
On 04/30/2010 02:50 AM, Daniel Soto wrote:
> I think that this problem is very similar to many people's but I can't
> find the solution.
> I'm trying to authenticate users of Windows with its own supplicant. When I
> try to authenticate local users, no problem; however, the problem is when
> I try it with openldap.
> I received a message.
> Auth: rlm_ldap: Attribute "User-Password" is required for authentication.
> Thu Apr 29 16:44:57 2010 : Auth: Login incorrect: [peter] (from client
> wifi port 6145 cli 00-74-05-A6-91-BD)
> I have read much about this problem but I can't find the solution.

If your debug output (which you didn't provide) contains this line:

    WARNING: No "known good" password was found in LDAP. Are you sure that
    the user is configured correctly?

Then the likely problem is this line is missing from /etc/raddb/ldap.attrmap

    checkItem Cleartext-Password userPassword

Here is what might be going on:

Many authentication protocols (i.e. mschap) require that a clear text
password be available to the radius server. Hopefully you have set the
userPassword attribute for your users in your ldap server and protected
it with an ACL. rlm_ldap will look up the user in ldap and request the
attributes defined in /etc/raddb/ldap.attrmap labeled "checkItem" and
then adds those attributes it found to the request. The attribute
retrieved from ldap is the 3rd item on the line, the radius attribute
which is added to the request is the 2nd item on the line. Thus what the
above does is to add Cleartext-Password as a radius check item to the
request with the value of the ldap attribute userPassword for the user.
For reasons I do not understand the above line is missing from the
default ldap.attrmap and this has tripped numerous people up.
Alan: Is there a reason why ldap.attrmap omits the clear text password
John Dennis <jdennis at redhat.com>
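
An added example, not part of the original message and not FreeRADIUS code: a small Python check that reads ldap.attrmap text in the column order described above (item type, RADIUS attribute, LDAP attribute) and reports which LDAP attribute, if any, feeds Cleartext-Password. The sample map contents, the function names, and the handling of "#" comments are assumptions made for this illustration.

```python
"""Added example: check an ldap.attrmap for the Cleartext-Password mapping."""

# Constructed sample of a map that lacks the password line (not a real default file).
SAMPLE_DEFAULT = """\
# ItemType   RADIUS-Attribute     ldapAttribute
checkItem    Auth-Type            radiusAuthType
checkItem    Simultaneous-Use     radiusSimultaneousUse
replyItem    Framed-IP-Address    radiusFramedIPAddress
"""

# Same constructed map with the line from the message appended.
SAMPLE_FIXED = SAMPLE_DEFAULT + "checkItem Cleartext-Password userPassword\n"


def parse_attrmap(text):
    """Return (item_type, radius_attr, ldap_attr) tuples, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Assumption of this example: '#' starts a comment anywhere on a line.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {raw!r}")
        # 2nd field is the RADIUS attribute, 3rd is the LDAP attribute.
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def password_source(text, radius_attr="Cleartext-Password"):
    """Return the LDAP attribute mapped to radius_attr as a checkItem, or None."""
    for item_type, r_attr, l_attr in parse_attrmap(text):
        # This example compares names case-insensitively to be lenient.
        if item_type.lower() == "checkitem" and r_attr.lower() == radius_attr.lower():
            return l_attr
    return None


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED)):
        src = password_source(text)
        print(f"{name}: Cleartext-Password <- {src or 'NOT MAPPED'}")
```

A line with the two attribute columns swapped is reported as not mapped, which is the same outcome as the line being absent.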