Hi, rather confusing. I have to admit, I have never used chillispot, but I've just visited their website and in FAQ I found "Why should I use CHAP-Challenge and CHAP-Password?" so this makes me think that Chillispot uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as authorisation, but as a password storage. Okay - great.. what now? When you look at your radiusd.conf file there is a part where you can define your LDAP server etc.. ldap ldap_users { server = "81.xxxxxxxxxx" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "ou=People,dc=xxx,dc=xx" filter = "(&(objectClass=posixAccount)(uid=%u))" start_tls = no ...... # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 10 # password_header = "{clear}" password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 # compare_check_items = yes # access_attr_used_for_allow = yes } I hope you have that right ( this is only a part of my working config ). Next, what Alan said is to change the authorisation part. As I said - chillispot aparently wants CHAP, so in following section use CHAP authorize { # The chap module will set 'Auth-Type := CHAP' if we are # handling a CHAP request and Auth-Type has not already been set Chap # here you can also have ldap_users # for radtest to work ( IMHO it should be like this ) } And in authenticate { # Most people want CHAP authentication # A back-end database listed in the 'authorize' section # MUST supply a CLEAR TEXT password. Encrypted passwords # won't work. Auth-Type CHAP { chap ldap_users } } As it says in authenticate section - passwords in LDAP should be in clear text... Try this out. I cannot promise you that it will work, but it is the same way I have set up my POPTOP server with MS-CHAP, and it works.. I would also appreciate some guru to take a look at this and publish his opinion about this on this list ;) Kind regards, Edvin -----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Christophe Gravier Sent: Donnerstag, 15. Dezember 2005 16:41 To: FreeRadius users mailing list Subject: Re: Freeradius and LDAP : to be continued Hello Edvin, First, I received my email posted to the list several times in my mail client. I higly hope this is not the case for all you ! (if it is, thunderbird didn't like to switch from the testing wireless network back to cable and vice versa, since they're all dated to the same hour....) If you received only one mail, it is OK, just forget what I told ;-) For what I am trying to do: I have an existing LDAP directory with all users being able to connect to the wireless area. The hotspot architecture is : client <-> chillispot (login page served with apache2 + ssl) <-> freeradius <-> ldap. I just want my ldap users being able to connect to the hotspot. So, *at first*, I edited the conf file to let users be authenticate via LDAP. This way, radtest way just OK but not ChilliSpot. When I report it to the list, asking how radtest is different to chillispot login, Alan explained me: " You're using LDAP as an authentication server. Don't do that. Use LDAP to store passwords. i.e. remove the "ldap" entry from the "authenticate" section. Get radtest to work. Once that works, Chillispot will work, too." So I remove "ldap" from authentificate (I let it in authorize section thgouh). But it still doesn't solve the problem. In the end, Alan proposed to hack rlm_ldap.c to "have it *never* set Auth-Type to LDAP. That would solve a lot of problems." I just find it dirty to hack the radius then recompile to get ldap support :-( If you're using LDAP for your users accessing the hotspot, would you please tell me how you achieve this ? Best Regards, Seferovic Edvin wrote:
Hello,
I must admit, I have been reading this thread, but I still do not understand what Christophe is trying to accomplish. As far as I understand - you have your passwords in LDAP, and you only ( kind of ) need to authorize but NOT authenticate users that are in your LDAP directory..
Please correct me...
Regards,
Edvin
-----Original Message----- From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius-users-bounces@lists.freeradius.org] On Behalf Of Christophe Gravier Sent: Donnerstag, 15. Dezember 2005 16:05 To: FreeRadius users mailing list Subject: Re: Freeradius and LDAP : to be continued
Phil Mayers wrote:
Alan DeKok wrote:
<christophe.gravier@univ-st-etienne.fr> wrote:
rlm_ldap: Adding userPassword as User-Password, value { & op=11
That's better.
modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP
Yuck.
My quick answer is to edit rlm_ldap.c to have it *never* set Auth-Type to LDAP. That would solve a lot of problems.
Interesting. I mentioned this to another querier the other day:
http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221 . html
Argggg. You lost me.
Still not working. I can't imagine I'm unable to make freeradius uses LDAP password without hacking it :-/
What then would the authenticate section look like to use LDAP? Presumably something like:
authenticate { Auth-Type PAP { ldap } }
...but of course then you get into what happens if you want 2 different services in the same server, such as:
authenticate { Auth-Type PAP-service1 { ldap1 } Auth-Type PAP-service2 { ldap2 } Auth-Type MSCHAP-service1 { mschap1 } Auth-Type MSCHAP-service2 { mschap2 } }
...etc. - nasty. Is it possible to do:
authenticate { Huntgroup Service1 { Auth-Type PAP { ldap1 } Auth-Type MSCHAP { mschap1 } }
Huntgroup Service2 { Auth-Type PAP { ldap2 } Auth-Type MSCHAP { mschap2 } } }
...although "Realm" might make more sense than "Huntgroup" in understanding what I mean.
There's also the possibility of wanting to use fallback:
authenticate { Auth-Type PAP { ldap pap } }
...although I'm pretty sure you can do that with configurable failover and the above syntax is wrong. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Christophe Gravier Laboratoire DIOM, groupe SATIn - Doctorant ISTASE - Ingénieur d'études Perso: http://perso.univ-st-etienne.fr/gravchri/ SATIn: http://www.istase.com/satin Tel : 04 7748 5034 A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html