Google Secure LDAP

Alan DeKok aland at deployingradius.com
Wed Jun 12 16:43:58 CEST 2019


> On Jun 11, 2019, at 2:07 PM, eko at flyingtongue.io wrote:
> 
> I'm attempting to use the Google Secure LDAP solution for authentication and authorization. I'm not able to use this with a supplicant such as a laptop/phone; radtest is working fine, which leads me to believe it's an issue of the password being hashed by mschap.

  You can't use MS-CHAP and Google Secure LDAP.

> I understand from reading previous threads that I need to use EAP-TTLS-PAP or PEAP-GTC. How can I get FreeRADIUS to work with Google Secure LDAP? When FreeRADIUS does an LDAP bind, which user attribute is it looking for? I think userPassword, but in this case I don't think it exists.

https://support.google.com/a/answer/9089736?hl=en

  Click on "FreeRADIUS"

  But their instructions are wrong, because they're idiots.  I submitted a bug report months ago to fix the documentation, but nothing yet.

  Step (4) is reasonable.  Ignore step (5).  Instead, edit sites-enabled/default, and in the "authorize" section, add this *before* the "pap" module.


if (User-Password) {
    update control {
        Auth-Type := ldap
    }
}

  And then uncomment the ldap block later in the "authenticate" section:

#	Auth-Type LDAP {
#		ldap
#	}


  It should then work with TTLS + PAP.

  Alan DeKok.
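
Added example, not part of the original message or of FreeRADIUS: a small Python check that a virtual-server file carries both edits described above, with `Auth-Type := ldap` set under `if (User-Password)` before `pap` in "authorize" and an uncommented `Auth-Type LDAP` block in "authenticate". `SAMPLE` is a constructed, trimmed config, and `statements` and `check_site` are hypothetical helper names.

```python
# Constructed sample: a trimmed sites-enabled/default with both edits applied.
SAMPLE = """
authorize {
    if (User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
    pap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
}
"""

def statements(text):
    """Yield (enclosing headers, statement) per line, lowercased, '#' comments cut
    (naive about '#' inside quoted strings)."""
    stack = []
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].lower().split())
        if line.startswith("}"):
            del stack[-1:]
            line = line[1:].strip()
        if line.endswith("{"):
            line = line[:-1].strip()
            yield tuple(stack), line
            stack.append(line)
        elif line:
            yield tuple(stack), line

def check_site(text):
    """Return a list of problems; an empty list means both edits are present."""
    stmts = list(statements(text))
    def first(pred):
        return next((i for i, (p, s) in enumerate(stmts) if pred(p, s)), None)
    set_ldap = first(lambda p, s: "authorize" in p and "if (user-password)" in p
                     and s == "auth-type := ldap")  # message's spelling, no '&' prefix
    pap = first(lambda p, s: p[-1:] == ("authorize",) and s == "pap")
    auth = first(lambda p, s: p[-2:] == ("authenticate", "auth-type ldap") and s == "ldap")
    problems = []
    if set_ldap is None:
        problems.append("authorize: no 'Auth-Type := ldap' under if (User-Password)")
    elif pap is not None and pap < set_ldap:
        problems.append("authorize: 'Auth-Type := ldap' comes after pap")
    if auth is None:
        problems.append("authenticate: Auth-Type LDAP block missing or commented out")
    return problems
```

Calling `check_site(open(path).read())` on the edited file returns an empty list when both changes are in place.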



