ldap - edirectory authentication

Alexander Clouter alex at digriz.org.uk
Sat Dec 11 12:35:53 CET 2010


Peter Lambrechtsen <plambrechtsen at gmail.com> wrote:
> 
> On Sat, Dec 11, 2010 at 3:59 AM, Gary Gatten <Ggatten at waddell.com> wrote:
> 
>>  Look in the configure script, or maybe try ./configure --help. Else the
>> config options are probably listed in one of the readme's.
> 
> Yes it's a configure switch when you compile FR.
> 
> I would assume that since it's a version distributed with SLES (I would
> assume OpenSUSE would be the same), but can check in the srpm to make sure
> it's in there. But I would be surprised if it wasn't.
> 
> The main things to be sure is your Universal Password policy assigned to
> your users allows Admins (or a specific user) to retrieve the User's
> password, and that the service account you use to bind to eDirectory in FR
> is one of those accounts.  And that you are binding over LDAPS (SSL) on port
> 636 typically.  Which may require you to import in the LDAP Server's CA
> Cert into the certificate keystore in the LDAP SSL Config.
> 
Am I missing something obvious but in the original post was:
----
rlm_ldap: Added the eDirectory password 51601222 in check items as Cleartext-Password
----

We are ourselves condemned to hell too and are forced to use Novell,
but all this UP malarkey works for us just fine.

The OP obviously has already enabled universal password according to the 
debugging message, a five second look at the source code also confirms 
this:

https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_ldap/rlm_ldap.c#L1592

Of course I have no idea why the Cleartext-Password attribute is 
disappearing after passing through authorize/ldap before it gets to 
pap/chap/mschap but I cannot see the OP's config.  The problem seems not 
to be a flag at compile time, it's a configuration problem.

Cheers

-- 
Alexander Clouter
.sigmonster says: No purchase necessary.
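For readers landing here from a search: the following is an added example, not text from either poster and not FreeRADIUS's shipped raddb. It shows the shape of an rlm_ldap instance for eDirectory on the 2.1.x branch, using only the options the thread touches on (service account bind, LDAPS on 636 with the eDirectory CA imported, eDirectory policy checks) plus the authorize/authenticate ordering that lets the Cleartext-Password added by ldap reach pap. The server name, DNs, passwords and file paths are hypothetical placeholders.

```conf
# Added example: rlm_ldap for Novell eDirectory, FreeRADIUS 2.1.x syntax.
# Hostname, DNs, password and paths are placeholders (assumptions).
ldap {
	server = "edir.example.com"
	# 636 = LDAPS (SSL on connect), as recommended in the thread
	port = 636

	# Service account that the Universal Password policy permits to
	# retrieve users' passwords; binding as a random account will not
	# give you the UP even if everything else is correct.
	identity = "cn=radius,ou=services,o=example"
	password = "change-me"

	basedn = "o=example"
	filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"

	tls {
		# Plain LDAPS on 636, not StartTLS on 389
		start_tls = no
		# CA certificate exported from the eDirectory tree (path assumed)
		cacertfile = /etc/raddb/certs/edir-ca.pem
		# Refuse the connection if the server certificate does not verify
		require_cert = "demand"
	}

	# eDirectory account policy checks (login disabled, time/IP limits)
	edir_account_policy_check = yes
}
```

And the relevant parts of the virtual server (sites-enabled/default), again an assumed layout rather than the OP's unseen config: `ldap` has to run in `authorize` before `pap`, because `pap` in `authorize` is what sets `Auth-Type := PAP` when it sees a known password attribute such as the Cleartext-Password that rlm_ldap adds from the Universal Password.

```conf
authorize {
	preprocess
	# Adds Cleartext-Password from the eDirectory Universal Password
	ldap
	# Sees Cleartext-Password and sets Auth-Type := PAP
	pap
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type MS-CHAP {
		mschap
	}
}
```

Run `radiusd -X` and look for the "Added the eDirectory password ... in check items as Cleartext-Password" line followed by pap or mschap reporting that it found the password; if the first line appears but pap/mschap later complains that no known-good password was found, something between those two points in the config (an unlang `update` or another module that rewrites the check items) is removing it, which matches the diagnosis above.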