Need help Configuring Radius and Ldap
Phil Mayers
p.mayers at imperial.ac.uk
Mon Dec 6 16:07:26 CET 2010
On 12/06/2010 02:06 PM, James Winter wrote:
>
> I think I have a problem with Ldap reading the password correctly. If
> I have read correctly, it needs a clear text password....
If you want FreeRadius to extract information from LDAP, then the LDAP
bindDN that FreeRadius uses must have the permission to read this
information (and of course, the information must exist in LDAP).
Whether you need a plaintext password depends on what authentication
protocols you want to use. See:
http://deployingradius.com/documents/protocols/compatibility.html
>
>> Secondly, the debug output you posted returns an "Access-Accept"
>> because, although the LDAP module was unable to see a userPassword
>> attribute on the LDAP entry, a later module sets the Auth-Type to
>> "ntlm_auth" and your server then obeys that.
>
> I shall comment this line out, and try it out today
See below
>
>>
>> This is all a non-standard config, so *someone* has configured the
>> server - was it you?
>
> I have been working on configuring the server for a little bit now. I
> tried following several different online manuals before I consulted
> the group.
Oh dear. A lot of the online info is out-of-date or plain wrong.
If you've made a lot of changes, and you're not sure exactly what you've
changed and why, my advice would be to start again from scratch. Restore
the default configs, and use the following system:
1. Check the config into version control
2. Make ONE and ONLY ONE change
3. Test it
4. Goto step 1
One of the new DVCSes like git/bzr/hg is ideal for this.
The *first* change you want to make is adding a user to the "users" file:

    username Cleartext-Password := "password"

Check that what you want to do works with that user. Then you can move
onto LDAP. Keeping a dump of the debug output at each step can be handy
too - then you can compare them.
Hope this helps.
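
Added example (not part of the original post): one way to compare the debug dumps kept at each step, masking fields that change on every request so that only real behaviour changes show up. The two dumps are constructed, simplified lines modelled on `radiusd -X` output, and the set of volatile fields (port, id, length) is an assumption.

```python
import difflib
import re

# Assumption: these fields vary between otherwise identical requests.
VOLATILE = [
    (re.compile(r"\bport \d+"), "port N"),
    (re.compile(r"\bid[ =]\d+"), "id N"),
    (re.compile(r"\blength=\d+"), "length=N"),
]


def normalize(dump):
    """Drop blank lines, trim whitespace and mask the volatile fields."""
    out = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        for pattern, mask in VOLATILE:
            line = pattern.sub(mask, line)
        out.append(line)
    return out


def changed_lines(before, after):
    """Return (removed, added) lines between two debug dumps."""
    diff = list(difflib.ndiff(normalize(before), normalize(after)))
    removed = [d[2:] for d in diff if d.startswith("- ")]
    added = [d[2:] for d in diff if d.startswith("+ ")]
    return removed, added


# Constructed sample dumps, not captured from a real server.
STEP_1 = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 40112, id=17, length=58
[files] users: Matched entry username at line 1
Found Auth-Type = PAP
Sending Access-Accept of id 17 to 127.0.0.1 port 40112
"""
STEP_2 = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 51873, id=203, length=58
[files] users: Matched entry username at line 1
Found Auth-Type = ntlm_auth
Sending Access-Accept of id 203 to 127.0.0.1 port 51873
"""

if __name__ == "__main__":
    removed, added = changed_lines(STEP_1, STEP_2)
    print("\n".join(["- " + l for l in removed] + ["+ " + l for l in added]))
```

Both sample runs end in Access-Accept, so the final reply alone would hide the change; the comparison surfaces the Auth-Type line that differs between the two steps.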