CentOS OpenLDAP pwdReset Attribute

Alan DeKok aland at deployingradius.com
Tue Oct 26 14:56:45 CEST 2021


On Oct 26, 2021, at 8:43 AM, Th1am1dMonozoicK4runa via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> The recommendation against using "Auth-Type = LDAP" is that it only works for clear-text passwords. If the user tries CHAP / MS-CHAP / EAP, then "Auth-Type = LDAP" simply won't work.
> 
> And there's no way around this for users that have to have both LDAP and RADIUS, correct? Even though there are articles floating around out there about setting CHAP with LDAP: https://www.wogri.com/networking/freeradius-chap/

  It works because LDAP contains the users clear-text password.  And the server doesn't do "Auth-Type = LDAP" when there's a CHAP request.

  TBH, if the password is in LDAP in clear-text, there's no point in doing "Auth-Type = LDAP".  Just use LDAP as a database.  It stores passwords, and FreeRADIUS authenticates users.  It's simpler, faster, and better.

  i.e. that article is little more than an explanation as to why the default configuration works, and why the default configuration is designed that way.  And, it adds complexity where it's not needed.

  This is why I keep saying "most third-party documentation sites are wrong".  It's not that the recommendations in article don't work, they do.  It's that it's entirely unnecessary.

  To get CHAP, MS-CHAP, PAP, etc. working with LDAP, just:

* enable and configure the LDAP module
* put clear-text passwords into the normal fields in LDAP

  That's it. There's no need to go through long third-party articles which do extra (and useless) work.

>> Note also that there's no standard for doing password changes via RADIUS.  So the only thing you'll get by setting / checking pwdReset is that users won't be able to login via RADIUS.
> 
> Overall, we're just trying to implement the most secure/best practice setup to allow the LDAP users and RADIUS users to utilize the same company driven password policy. Looked like the only way to accomplish that, was to have RADIUS use LDAP as a password database.

  Which is generally what you want to do.  RADIUS is for authentication and network access.   LDAP is for storing information about users.  You really *don't* want different databases.

  Generally you also put users into different groups into LDAP, and then use RADIUS to enforce group checks.  For example:

  if (user is trying to log into a switch console) {
	if (user is NOT network admin LDAP group) {
		reject
	}

      check passwords, etc.
	...
 }

  Alan DeKok.




More information about the Freeradius-Users mailing list