Hi Phil,<br>
<br>
Thanks for the response.<br>
<br>
<div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">> rlm_ldap: Adding userPassword as User-Password, value { & op=21<br><br>The line above looks wrong, but it never ends up being a problem because...
<br><br>> rlm_ldap: looking for reply items in directory...<br>> rlm_ldap: user joey authorized to use remote access<br>> rlm_ldap: ldap_release_conn: Release Id: 0<br><br>...during authenticate...</blockquote><div>
<br>
Sure, I don't think that FDS has the RADIUS extensions yet, although
I've created an LDIF to add them if needed. In the meantime I've
just commented out:<br>
access_attr = "dialupAccess"<br>
<br>
because I want all my users to be able to use the VPN. <br>
</div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">> rlm_ldap: - authenticate<br>> rlm_ldap: login attempt by "joey" with password "xxxxxxxx"
<br>> rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net<br>> rlm_ldap: (re)connect to ldap.example.net:389, authentication 1<br>> rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to
<br>> ldap.example.net:389<br>> rlm_ldap: waiting for bind result ...<br>> rlm_ldap: Bind was successful<br>> rlm_ldap: user joey authenticated succesfully<br><br>...auth-type == LDAP and an LDAP simple bind is done to answer the PAP
<br>request from radtest. This ONLY works with PAP because an LDAP simple<br>bind needs the plaintext password.<br><br>> Login OK: [joey/xxxxxxx] (from client el-oso port 0)<br>> Sending Access-Accept of id 116 to
172.33.100.18:32811<br>><br>> So that tells me that I've got the communication to my LDAP server<br>> properly configured.<br>><br>> However when my PPTP server sends authentication requests to my radius
<br>> server, I always get "Login incorrect: [joey/<no User-Password<br>> attribute>]"<br><br>Since it's a PPTP server you are almost certainly going to be using<br>MS-CHAP, which requires either:<br>
<br> 1. The NT password hash to be in LDAP and readable by FreeRadius<br> 2. The plaintext password to be in LDAP and readable<br> 3. Samba, domain membership, winbind and the ntlm_auth plugin option<br>for the mschap module
</blockquote><div><br>
Well, I'm not using Windows systems at all - I've got OS X clients and a
Linux-based PPTP server. The passwords are stored as SSHA in my LDAP
directory. That finally makes sense as to why radtest works, so thanks!
My next question is, what Auth-Type should I be using for SSHA hashes stored
in an LDAP directory? Clearly LDAP isn't going to be it if it doesn't
support decrypting passwords, and I don't wish to store passwords in
plain text in the directory.<br>
</div></div><br>
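Editor's added illustration of the point made in this exchange (this is not code from the thread or from FreeRADIUS): PAP can be checked against an SSHA-hashed userPassword because radtest hands the server the plaintext, so the server can recompute SHA1(password + salt) and compare. MS-CHAP instead needs the NT hash, which is MD4 over the UTF-16LE password, and there is no way to get that from a one-way SSHA digest; only a stored plaintext or a stored NT hash will do, as Phil lists. MD4 is reimplemented below in pure Python because hashlib's md4 is often unavailable on current OpenSSL builds. The "{NT}" prefix used for a stored hex NT hash and the sample password and salt are assumptions for the example. The DES-based MS-CHAPv2 challenge-response that is built on top of the NT hash is not shown.

```python
import base64
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, reimplemented so the example runs without an OpenSSL
    legacy provider."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:          # pad to 56 mod 64 ...
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # ... then 64-bit LE bit length

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, const, shifts, order in rounds:
            for i in range(16):
                t = (-i) % 4  # registers are updated in the order a, d, c, b
                v = (s[t] + fn(s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4])
                     + x[order[i]] + const) & MASK
                s[t] = _lrot(v, shifts[i % 4])
        state = [(u + w) & MASK for u, w in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what the mschap module needs
    to verify an MS-CHAP response."""
    return md4(password.encode("utf-16-le"))


def ssha_encode(password: str, salt: bytes = None) -> str:
    """Produce an LDAP {SSHA} value: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """What a PAP check against an SSHA userPassword amounts to: the server
    needs the plaintext to recompute the salted digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def nt_hash_from_stored(stored: str):
    """Return the NT hash MS-CHAP needs, or None if the stored credential
    cannot yield it. Mirrors the options in the thread: a plaintext password
    or a stored NT hash works; a one-way SSHA digest does not.
    The "{NT}<hex>" form is an assumed label for this example."""
    if stored.startswith("{SSHA}"):
        return None                      # one-way; only PAP can use it
    if stored.startswith("{NT}"):
        return bytes.fromhex(stored[len("{NT}"):])
    return nt_hash(stored)               # plaintext userPassword


if __name__ == "__main__":
    # Constructed sample credential (not from the thread).
    stored = ssha_encode("secret", salt=b"\x01\x02\x03\x04")
    print("PAP check against SSHA:", ssha_verify(stored, "secret"))
    print("NT hash derivable from SSHA:", nt_hash_from_stored(stored) is not None)
    print("NT hash of 'password':", nt_hash("password").hex())
```

The first two prints are the whole story of the thread: the SSHA check succeeds when the plaintext arrives (radtest/PAP), and nothing can be derived from the SSHA value to answer an MS-CHAP challenge from the PPTP server.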