supplicant winxp+freeradius+ldap

Daniel Soto daxocam at uax.es
Mon May 3 08:50:54 CEST 2010 


thanks i´ll try. 




----- Mensaje original ----- 
De: "John Dennis" <jdennis at redhat.com> 
Para: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org> 
CC: "Daniel Soto" <daxocam at uax.es> 
Enviados: Viernes, 30 de Abril 2010 13:55:36 
Asunto: Re: supplicant winxp+freeradius+ldap 

On 04/30/2010 02:50 AM, Daniel Soto wrote: 
> hi. 
> 
> i think that this problem is very similar to many people but i can´t 
> find the solution. 
> 
> i´m trying authenticate users of windows with is own supplicant, when i 
> try authenticate in local users no problem, however the problem is when 
> i try it with openldap. 
> 
> i received a message. 
> 
> Auth: rlm_ldap: Attribute "User-Password" is required for authentication. 
> Thu Apr 29 16:44:57 2010 : Auth: Login incorrect: [peter] (from client 
> wifi port 6145 cli 00-74-05-A6-91-BD) 
> 
> i have read most about this problem but i can´t find de solution. 

If your debug output (which you didn't provide) contains this line: 

WARNING: No "known good" password was found in LDAP.  Are you sure that 
the user is configured correctly? 

Then the likely problem is this line is missing from /etc/raddb/ldap.attrmap 

checkItem   Cleartext-Password      userPassword 

Here is what might be going on: 

Many authentication protocols (i.e. mschap) require that a clear text 
password be available to the radius server. Hopefully you have set the 
userPassword attribute for your users in your ldap server and protected 
it with an ACL. rlm_ldap will lookup the user in ldap and requests the 
attributes defined in /etc/raddb/ldap.attrmap labeled "checkItem" and 
then adds those attributes it found to the request. The attribute 
retrieved from ldap is the 3rd item on the line, the radius attribute 
which is added to the request is the 2nd item on the line. Thus what the 
above does is to add Cleartext-Password as a radius check item to the 
request with the value of the ldap attribute userPassword for the user. 

For reasons I do not understand the above line is missing from the 
default ldap.attrmap and this has tripped numerous people up. 

Alan: Is there a reason why ldap.attrmap omits the clear text password 
retrieval? 

-- 
John Dennis <jdennis at redhat.com> 

Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/ 



-- 











Daniel Soto 



Dep. Comunicaciones U.A.X 













Daniel Soto 



Dep. Comunicaciones U.A.X 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100503/05415acf/attachment.html>

More information about the Freeradius-Users mailing list