freeradius chap auth with ldap
John Dennis
jdennis at redhat.com
Wed Mar 10 15:55:57 CET 2010
On 03/10/2010 06:21 AM, Eric Eric wrote:
> How does freeradius do chap auth using an ldap server?
> In pap, it binds with the user's clear password to the ldap server, and the ldap
> server sends a successful bind if the password is true. When using chap, how
> can it bind to the ldap server? Does it send the chap password to the ldap server?
> Is another software needed with freeradius+ldap server (for example
> 389 DS) for doing chap authentication?
It only attempts to bind as the user if you're using LDAP for
*authentication* (as opposed to authorization). You correctly point out
that you can't do chap that way (so don't). If your users are in an LDAP
directory what you need to do is to get the *authorization* phase of
FreeRADIUS to look up the cleartext password (or NT hash if you're using
ntlm/samba) from the directory. The authorization part of rlm_ldap will
then add the password or hash to the request. Then let the chap module
perform the authentication using the password that was looked up during
authorization. To perform the LDAP lookup rlm_ldap has to be able to
bind to the server; this is done using the login and password instance
attributes set in the ldap configuration file (/etc/raddb/modules/ldap).
You'll also need to make sure you define the search filter etc. for
performing the password lookup. Don't forget to set ACLs on the
cleartext password in LDAP to prevent unauthorized retrieval of any
user's password. You'll also need to set the userPassword attribute
mapping in the /etc/raddb/ldap.attrmap file like this:
checkItem Cleartext-Password userPassword
With debug enabled if you get this message:
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
Then the retrieval of the cleartext password failed during
*authorization* and the subsequent chap *authentication* will fail
because it does not have a clear text password to utilize during the
chap exchange.
--
John Dennis <jdennis at redhat.com>
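As an added illustration (not code from this thread or from FreeRADIUS itself), here is a small Python model of the two phases described above: an authorization lookup that returns Cleartext-Password from a constructed directory, followed by CHAP verification as defined in RFC 1994. The directory contents, usernames, challenge bytes and function names are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the LDAP directory: what rlm_ldap would read from
# userPassword, which ldap.attrmap maps to the Cleartext-Password check item.
# "bob" has no readable userPassword (e.g. hidden by an ACL), so the lookup fails.
DIRECTORY = {
    "alice": {"userPassword": "correct horse battery"},
    "bob": {},
}


def authorize_ldap(username):
    """Authorization phase: fetch the 'known good' password from the directory.
    Returns a dict of control attributes, or None if nothing could be retrieved."""
    entry = DIRECTORY.get(username)
    if not entry or "userPassword" not in entry:
        return None
    return {"Cleartext-Password": entry["userPassword"]}


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge).
    The secret must be the cleartext password; a stored hash cannot be used here."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def client_chap_password(ident, password, challenge):
    """What a NAS sends in the RADIUS CHAP-Password attribute:
    the Identifier byte followed by the 16-byte response (RFC 2865 section 5.3)."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def authenticate_chap(username, chap_password, challenge):
    """Authentication phase: the chap module recomputes the response from the
    Cleartext-Password added during authorization. Returns (accepted, reason).
    The challenge is CHAP-Challenge or, if absent, the Request Authenticator."""
    control = authorize_ldap(username)
    if control is None:
        return False, 'No "known good" password was found in LDAP'
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, control["Cleartext-Password"], challenge)
    if hmac.compare_digest(expected, response):
        return True, "CHAP response matches"
    return False, "CHAP response mismatch"
```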