Odd issue with auth-type:ldap
Michael Holstein
michael.holstein at csuohio.edu
Thu Sep 8 21:04:56 CEST 2011
Using ..
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep 7 2008 at 23:35:34
^^ .. that is what Debian 5.0.6 (Lenny) had in packages.
I have LDAP enabled as an auth-type (for ipsec-tools using libradius,
since it sends cleartext password and I have AD as backend). I also
process mschapv2 (for l2tp/ipsec connections).
This works correctly *only* if I enable LDAP debugging.
{radiusd.conf}
ldap_debug = 0xFFFF
Whereby I get :
(for IPSEC)
rlm_ldap: user XXXX authorized to use remote access
ldap_msgfree
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
or
(for L2TP/PPP)
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
*HOWEVER* .. if I disable the debug directive, I get :
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
Debugging what goes on in the background, the underlying complaint is
"must bind to perform.." in case #2.
The first case (from a pcap trace) does the search as the defined user
(in radiusd.conf) and then binds as the "found" DN, so it's not as if
debugging forces a valid return on all queries.
Any ideas?
Related question .. is there an easier way to pass plaintext (to Radius)
credentials into AD (and determine group membership) like auth_ntlm
does? .. I know how to call ntlm_auth with plaintext credentials and
return a success but can't seem to get freeradius to use that as an
auth-type.
TIA,
Michael Holstein
Cleveland State University
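A small triage script, added here as an example and not part of the original post or of FreeRADIUS itself: it reads radiusd debug output in the format quoted above ("rlm_ldap: ldap_search() failed: ...", "++[module] returns code"), pairs each ldap module return with the error text that preceded it, and flags the "Operations error" on an unbound search that the post describes, so an operator can tell that case apart from a plain credential rejection. The sample lines are the ones quoted in the post; the "Invalid credentials" branch is an assumption about a second common failure and is not something the post observed.

```python
"""Triage FreeRADIUS 2.x debug output for rlm_ldap search failures.

Added example, not code from the original post or the FreeRADIUS project.
It reads lines in the format the post quotes ("rlm_ldap: ...",
"++[module] returns code") and classifies each module outcome.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the module outcomes quoted in the post (debug on, then
# debug off, then the mschap case), pasted together as one run.
SAMPLE_DEBUG = """\
rlm_ldap: user XXXX authorized to use remote access
ldap_msgfree
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
"""

RETURN_RE = re.compile(r"^\+\+\[(?P<module>\w+)\] returns (?P<code>\w+)$")
LDAP_FAIL_RE = re.compile(r"^rlm_ldap: (?P<call>ldap_\w+)\(\) failed: (?P<reason>.+)$")


@dataclass
class ModuleOutcome:
    module: str
    code: str
    ldap_error: Optional[str] = None  # reason text from an ldap_*() failure
    hint: Optional[str] = None        # operator-facing interpretation


def classify_ldap_error(reason: str) -> str:
    # "Operations error" on ldap_search() is what the post saw when the
    # search ran without a prior bind (the server answered "must bind").
    if reason.startswith("Operations error"):
        return "search ran on an unbound connection; check the module's bind identity/password"
    # Assumed second branch: a rejected bind, not observed in the post.
    if reason.startswith("Invalid credentials"):
        return "bind identity or user password rejected"
    return "unclassified LDAP error; re-run with ldap_debug enabled"


def triage(debug_text: str) -> List[ModuleOutcome]:
    """Pair each '++[module] returns' line with the ldap error just before it."""
    outcomes: List[ModuleOutcome] = []
    pending_error: Optional[str] = None
    for line in debug_text.splitlines():
        m = LDAP_FAIL_RE.match(line)
        if m:
            pending_error = m.group("reason")
            continue
        m = RETURN_RE.match(line)
        if m:
            outcome = ModuleOutcome(m.group("module"), m.group("code"))
            if outcome.module == "ldap" and pending_error:
                outcome.ldap_error = pending_error
                outcome.hint = classify_ldap_error(pending_error)
            outcomes.append(outcome)
            pending_error = None  # each return line closes one module run
    return outcomes


if __name__ == "__main__":
    for o in triage(SAMPLE_DEBUG):
        print(o)
```

Run it against a saved `radiusd -X` transcript by replacing `SAMPLE_DEBUG` with the file contents; the ldap outcome carrying an "unbound connection" hint is the one to check against the module's identity/password settings.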