AW: Freeradius + LDAP password trouble
Alan DeKok
aland at deployingradius.com
Mon Jul 19 14:25:25 CEST 2010
John Dennis wrote:
> 1) is the userPassword attribute defined in $RADDB/ldap.attrmap?
> By default it isn't (I've never understood why it isn't)
This goes back to 0.x. The ldap module used to do authentication
itself, and handled passwords via C code. In 2.1, this is deprecated.
> You should have
> a line in that file which looks like this:
>
> checkItem Cleartext-Password userPassword
This will be in 2.2, and the old functionality will be removed.
> Also, it's a good idea to understand what the ldap.attrmap is doing.
>
> 2) There may be ACLs (access control lists) set on sensitive data like
> passwords in your ldap server. Usually the default is to only return
> password attributes to the owner of the data and the administrator. If
> you do a search for your own password it will probably succeed because
> you're the owner of that password, but when freeradius does the search
> it won't succeed because it's neither the owner nor the administrator.
> That's why it's important when testing with ldapsearch to bind the same
> way as the ldap module binds. You may need to modify the password ACL on
> your ldap server to permit freeradius access to passwords.
This could be in the FAQ, or on the Wiki.
Alan DeKok.
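The two points above (the attrmap line and the password ACL) put together as an added example; this is not configuration from the original message or from the FreeRADIUS project. It assumes an OpenLDAP server with a slapd.conf style ACL, a dedicated bind DN for FreeRADIUS (cn=freeradius,ou=services,dc=example,dc=com is a placeholder), and a user entry under ou=people; replace those DNs with your own.

```conf
# $RADDB/ldap.attrmap -- map the LDAP userPassword attribute to the
# Cleartext-Password check item so rlm_pap can authenticate against it
checkItem   Cleartext-Password   userPassword

# slapd.conf (OpenLDAP) -- let the FreeRADIUS bind DN read userPassword.
# Clauses are evaluated in order; the first matching "by" wins.
access to attrs=userPassword
    by dn.exact="cn=freeradius,ou=services,dc=example,dc=com" read
    by self write
    by anonymous auth
    by * none

# Verify the ACL by binding exactly as the ldap module does
# (same identity and password as in $RADDB/modules/ldap), not as a
# user or as the directory administrator:
#   ldapsearch -x -H ldap://ldap.example.com \
#       -D "cn=freeradius,ou=services,dc=example,dc=com" -W \
#       -b "ou=people,dc=example,dc=com" "(uid=alice)" userPassword
# If userPassword is missing from the result, the ACL is still blocking
# the module, even though a search bound as the user itself would show it.
```

Granting read on userPassword only to the FreeRADIUS service DN keeps the attribute hidden from everyone else (`by * none`), while `by anonymous auth` still allows ordinary users to bind with their own password.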
More information about the Freeradius-Users mailing list