freeradius chap auth with ldap

John Dennis jdennis at redhat.com
Wed Mar 10 15:55:57 CET 2010


On 03/10/2010 06:21 AM, Eric Eric wrote:
> How does freeradius do chap auth using an ldap server?
> In pap, it binds with the user's clear password to the ldap server, and the ldap
> server sends a successful bind if the password is true. When using chap, how
> can it bind to the ldap server? Does it send the chap password to the ldap server?
> Is another piece of software needed with freeradius+ldap server (for example
> 389 DS) for doing chap authentication?

It only attempts to bind as the user if you're using LDAP for 
*authentication* (as opposed to authorization). You correctly point out 
that you can't do chap that way (so don't). If your users are in an LDAP 
directory what you need to do is to get the *authorization* phase of 
FreeRADIUS to look up the cleartext password (or NT hash if you're using 
ntlm/samba) from the directory. The authorization part of rlm_ldap will 
then add the password or hash to the request. Then let the chap module 
perform the authentication using the password that was looked up during 
authorization. To perform the LDAP lookup rlm_ldap has to be able to 
bind to the server; this is done using the login and password instance 
attributes set in the ldap configuration file (/etc/raddb/modules/ldap). 
You'll also need to make sure you define the search filter etc. for 
performing the password lookup. Don't forget to set ACLs on the 
cleartext password in LDAP to prevent unauthorized retrieval of any 
user's password. You'll also need to set the userPassword attribute 
mapping in the /etc/raddb/ldap.attrmap file like this:

checkItem   Cleartext-Password      userPassword

With debug enabled, if you get this message:

WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly?

Then the retrieval of the cleartext password failed during 
*authorization* and the subsequent chap *authentication* will fail 
because it does not have a cleartext password to use during the 
chap exchange.


-- 
John Dennis <jdennis at redhat.com>
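The two-phase flow described above (authorization fetches the "known good" cleartext password, the chap module then verifies the CHAP response against it), as an added example that is not part of the original post or of FreeRADIUS itself. The FAKE_DIRECTORY dict is a constructed stand-in for what rlm_ldap would return via the userPassword mapping, and the function names are hypothetical; the CHAP math itself is the standard RFC 1994 MD5(id | secret | challenge) response that rlm_chap checks.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the LDAP directory: the value rlm_ldap would
# attach to the request as Cleartext-Password from the userPassword
# attribute during the *authorization* phase.
FAKE_DIRECTORY = {"alice": "s3cret-pw"}


def authorize_lookup(username):
    """Authorization phase: fetch the 'known good' cleartext password.
    Returns None when the directory yields nothing usable, which is the
    situation behind the 'No known good password was found' warning."""
    return FAKE_DIRECTORY.get(username)


def chap_response(ident, password, challenge):
    """What the NAS sends: CHAP response = MD5(identifier | secret | challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_authenticate(username, chap_password_attr, challenge):
    """Authentication phase (what the chap module does): the CHAP-Password
    attribute is a 1-byte identifier followed by the 16-byte MD5 response.
    The server never sees the cleartext on the wire, so it must already
    hold it from authorization to recompute and compare the response."""
    if len(chap_password_attr) != 17:
        return False
    known_good = authorize_lookup(username)
    if known_good is None:
        # Nothing to hash against: authentication must reject.
        return False
    ident = chap_password_attr[0]
    expected = chap_response(ident, known_good, challenge)
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, chap_password_attr[1:])


def demo(username, password):
    """Simulate one exchange: NAS builds the response, server verifies it."""
    challenge = os.urandom(16)   # CHAP-Challenge (or the Request Authenticator)
    ident = 7
    attr = bytes([ident]) + chap_response(ident, password, challenge)
    return chap_authenticate(username, attr, challenge)
```

Because the server must recompute the MD5 over the cleartext, the password has to be stored reversibly in the directory, which is why the ACL advice above matters.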
