supplicant winxp+freeradius+ldap

Aurélien Geron aureliengeron.freeradius at wifirst.fr
Fri Apr 30 14:19:48 CEST 2010


John Dennis wrote:

> On 04/30/2010 02:50 AM, Daniel Soto wrote:
>> hi.
>> 
>> I think that this problem is very familiar to many people, but I can't
>> find the solution.
>> 
>> I'm trying to authenticate Windows users with its own supplicant. When I
>> try to authenticate local users there is no problem; however, the problem is when
>> I try it with OpenLDAP.
>> 
>> I received this message:
>> 
>> Auth: rlm_ldap: Attribute "User-Password" is required for authentication.
>> Thu Apr 29 16:44:57 2010 : Auth: Login incorrect: [peter] (from client
>> wifi port 6145 cli 00-74-05-A6-91-BD)
>> 
>> I have read a lot about this problem but I can't find the solution.
> 
> If your debug output (which you didn't provide) contains this line:
> 
> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
> 
> Then the likely problem is this line is missing from /etc/raddb/ldap.attrmap
> 
> checkItem   Cleartext-Password      userPassword
> 
> Here is what might be going on:
> 
> Many authentication protocols (i.e. mschap) require that a clear text password be available to the radius server. Hopefully you have set the userPassword attribute for your users in your ldap server and protected it with an ACL. rlm_ldap will look up the user in ldap and request the attributes defined in /etc/raddb/ldap.attrmap labeled "checkItem" and then add those attributes it found to the request. The attribute retrieved from ldap is the 3rd item on the line; the radius attribute which is added to the request is the 2nd item on the line. Thus what the above does is to add Cleartext-Password as a radius check item to the request with the value of the ldap attribute userPassword for the user.
> 
> For reasons I do not understand the above line is missing from the default ldap.attrmap and this has tripped numerous people up.
> 
> Alan: Is there a reason why ldap.attrmap omits the clear text password retrieval?

I think you can safely ignore this warning, if authentication works.
For example, I have a PEAP/MS-CHAP-v2 setup, and FreeRADIUS queries my LDAP server and retrieves the ntPassword LDAP attribute.  I do not use CHAP or PAP or any authentication method other than PEAP/MS-CHAP-v2, so I actually do *not* need to store the user's clear text password in the LDAP server... therefore I don't.  I think I could remove the "checkitem Cleartext-Password userPassword" line in ldap.attrmap, and everything would still run fine. So I just ignore the "No "known good" password" warning.  I haven't tried, but maybe if I set "password_attribute = ntPassword" in modules/ldap, it might remove the warning. You may want to try that?

Aurélien Geron
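As an added check (not code from this thread, nor from FreeRADIUS itself), the script below parses ldap.attrmap entries in the three-column form John describes and reports, per authentication method, which LDAP attribute would supply the "known good" password; the sample attrmap is constructed, and the method table assumes what the thread states (MS-CHAPv2 can work from an NT hash as in Aurélien's ntPassword setup, while CHAP needs the clear text).

```python
# Which RADIUS check attributes give FreeRADIUS a password to verify against.
# Assumed from the thread: MS-CHAPv2 works from the NT hash or the clear text,
# CHAP needs the clear text. (PAP's hashed forms via Password-With-Header are
# out of scope here.)
KNOWN_GOOD = {
    "CHAP": {"Cleartext-Password"},
    "MS-CHAP": {"Cleartext-Password", "NT-Password"},
}

def parse_attrmap(text):
    """Parse '<checkItem|replyItem> <RADIUS attr> <LDAP attr>' lines; skip comments."""
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[0] not in ("checkItem", "replyItem"):
            raise ValueError(f"line {lineno}: malformed attrmap entry: {raw!r}")
        mappings.append(tuple(fields))
    return mappings

def known_good_sources(mappings, method):
    """LDAP attributes whose checkItem mapping yields a password usable by `method`."""
    wanted = KNOWN_GOOD[method]
    return sorted(ldap_attr for kind, radius_attr, ldap_attr in mappings
                  if kind == "checkItem" and radius_attr in wanted)

def methods_without_password(mappings, methods):
    """Methods that would hit the 'No "known good" password' warning."""
    return [m for m in methods if not known_good_sources(mappings, m)]

# Constructed sample: NT/LM hash mappings present, the clear-text line absent,
# which is the situation the thread discusses.
SAMPLE_ATTRMAP = """\
# type      RADIUS attribute        LDAP attribute
checkItem   NT-Password             ntPassword
checkItem   LM-Password             lmPassword
replyItem   Framed-IP-Address       radiusFramedIPAddress
"""
CLEARTEXT_LINE = "checkItem   Cleartext-Password      userPassword\n"

if __name__ == "__main__":
    before = parse_attrmap(SAMPLE_ATTRMAP)
    after = parse_attrmap(SAMPLE_ATTRMAP + CLEARTEXT_LINE)
    for method in KNOWN_GOOD:
        print(method, known_good_sources(before, method), "->",
              known_good_sources(after, method))
```

Run against a real /etc/raddb/ldap.attrmap (read the file into parse_attrmap) to see, before enabling a method, whether it would have any password source at all.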
