AW: Freeradius + LDAP password trouble
jdennis at redhat.com
Mon Jul 19 13:23:11 CEST 2010
On 07/19/2010 07:01 AM, John Dennis wrote:
> On 07/19/2010 06:19 AM, Lionne Stangier wrote:
>> Alan DeKok wrote:
>>> .. it is impossible to use PEAP with SHA passwords.
>> I saved the LDAP password clear-text now. It doesn’t work either. Same radiusd -X log as before.
> If it's the same log as before then you apparently have not fixed this:
>
>   WARNING: No "known good" password was found in LDAP. Are you sure
>   that the user is configured correctly?
>
> Please do what Alan suggested. Using the ldapsearch command line tool,
> bind exactly as the ldap module binds and perform the exact same ldap
> search as in the log. What do you get back? If it's not the password you
> expect then that's your problem and it's an ldap issue.

Here are a couple of things to check which often trip folks up:

1) Is the userPassword attribute defined in $RADDB/ldap.attrmap?
By default it isn't (I've never understood why it isn't). You should have
a line in that file which looks like this:

    checkItem Cleartext-Password userPassword

Also, it's a good idea to understand what the ldap.attrmap is doing.

2) There may be ACLs (access control lists) set on sensitive data like
passwords in your ldap server. Usually the default is to only return
password attributes to the owner of the data and the administrator. If
you do a search for your own password it will probably succeed because
you're the owner of that password, but when freeradius does the search
it won't succeed because it's neither the owner nor the administrator.
That's why it's important when testing with ldapsearch to bind the same
way as the ldap module binds. You may need to modify the password ACL on
your ldap server to permit freeradius access to passwords.

John Dennis <jdennis at redhat.com>
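
The two checks described in the message above, scripted as an added example (not part of the original post and not FreeRADIUS code). The function names, DNs and sample data are hypothetical; `search_as_module` assumes the OpenLDAP `ldapsearch` client.

```shell
#!/bin/sh
# Added example. Host names, DNs and sample data are constructed placeholders.

# Check 1: print the RADIUS attribute that an uncommented checkItem line in
# ldap.attrmap maps to userPassword; exit status 1 if no such line exists.
attrmap_password_map() {            # $1 = path to ldap.attrmap
    awk '$1 == "checkItem" && $3 == "userPassword" { print $2; found = 1 }
         END { exit !found }' "$1"
}

# Check 2: run the search with the same identity the ldap module binds as.
# -W prompts for the bind password so it stays out of the shell history.
search_as_module() {                # $1=URI $2=bind DN $3=base DN $4=filter
    ldapsearch -x -LLL -o ldif-wrap=no -H "$1" -D "$2" -W -b "$3" "$4" userPassword
}

# Classify the LDIF from check 2 (stdin) without printing the secret itself:
#   missing        attribute not returned (absent, or hidden by an ACL)
#   hashed:SCHEME  stored as {SCHEME}..., for example {SHA}
#   cleartext      usable as Cleartext-Password
classify_password() {
    line=$(grep -i '^userPassword' | head -n 1)
    [ -n "$line" ] || { echo missing; return 0; }
    rest=${line#*:}
    case "$rest" in
        :*) value=$(printf '%s' "${rest#:}" | tr -d ' ' | base64 -d) ;;  # attr:: <base64>
        *)  value=${rest# } ;;                                           # attr: <text>
    esac
    case "$value" in
        '{'*'}'*) echo "hashed:$(printf '%s\n' "$value" | sed 's/^{\([^}]*\)}.*/\1/')" ;;
        *)        echo cleartext ;;
    esac
}

# Demo on constructed input (no LDAP server needed).
demo() {
    enc=$(printf '%s' '{SHA}constructed-hash-value' | base64)
    printf 'dn: uid=alice,ou=people,dc=example,dc=org\nuserPassword:: %s\n' "$enc" |
        classify_password
}
demo
```

Against a real server, pipe `search_as_module` into `classify_password`, passing the bind DN, base DN and filter exactly as they appear in the `radiusd -X` log.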