On Jun 12, 2019, at 2:07 AM, eko@flyingtongue.io wrote:
I'm attempting to use Google Secure LDAP solution for authentication and authorization. I'm not able to use this with a supplicant such as a laptop/phone, radtest is working fine which leads me to believe it's an issue of the password being hashed by mschap.
I understand from reading previous threads that I need to use EAP-TTLS-PAP or PEAP-GTC. How can I get freeradius to work with Google Secure LDAP? When freeradius does do an ldap bind which user attribute is it looking for? I think userPassword but in this case I don't think it exists.
Generally if the password attribute isn't available you attempt a bind against the LDAP server instead and use the result of that to determine if you should accept or reject the user. As the contents of the TTLS tunnel is provided when calling the inner tunnel virtual server you need to do the check there. Add the following at the top of the authorize section if (User-Password) { update control { Auth-Type := LDAP } } In the authentication section add: ldap You should now see that when you use EAP-TTLS-PAP or PEAP-GTC that the LDAP module attempts a bind against the LDAP server with the user's credentials. -Arran