Google LDAP integration failure

Phil Grace phil.grace at hssd.k12.ar.us
Sat Feb 23 23:04:16 CET 2019


Alan, thanks for the reply. 


> On Feb 23, 2019, at 1:08 PM, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Feb 23, 2019, at 12:58 PM, Phil Grace <phil.grace at hssd.k12.ar.us> wrote:
>> 
>> Hi everyone, I’m brand new and having an issue that I haven’t found a clear answer to. I’m running FreeRADIUS 3.x on Ubuntu Server 18.10. I have LDAP enabled to auth to Google Secure LDAP. So far I’m binding to Google successfully and with the radtest command my LDAP user gets access-accept. If I do radtest with -t mschap I get access-reject. 
> 
>  Are you reading the "known good" password from LDAP?  Or are you sending the User-Password to LDAP, and having it verify the password?

I’m not sure, I just followed Google’s provided setup guide for FreeRADIUS to work with their LDAP service. 

> 
>> I’m hoping that someone more experienced can point me in the right direction as to where I can fix the issue. Here’s a snippet of my log in -X mode. Thanks in advance to anyone that can help.
>> 
>> ...
>> (15) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
>> (15) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password
> 
>  The server didn't get the "known good" password from LDAP.  So it can't do the MS-CHAP calculations.
> 
>  And no, you can't pass the MS-CHAP stuff to LDAP.  LDAP servers are databases.  They don't implement authentication protocols like MS-CHAP.
> 
>  The only solution here is to have the LDAP server return the "known good" password to FreeRADIUS.

So would I just disable MS-CHAP or do something different with LDAP config to get the “known good” password? Would my issue probably be in the inner-tunnel file or the default file?


> 
>  Alan DeKok.


