On Sep 5, 2016, at 9:24 AM, Bogdan Rudas via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I would like to configure LDAP authentication for WiFi users with OpenLDAP back-ends (passwords are hashed). To perform initial bind to LDAP database I use restricted account which can read directory tree, determine DN on user and most of it's attributes but can't read passwords hashes.
That's may work, if you configure it correctly.
Then I expect FreeRadius to bind with DN found on previous step and user-supplied password.
Does the rlm_ldap module documentation say it does that?
When I use admin user account (which can read password hashes) for initial bind, authentication test with *radtest *works well, but it is not what I want to do.
Why not?
I want to keep my OpenLDAP password policy working, this requires true LDAP bind attempt with credential of end-user.
My final destination is EAP-TTLS with PAP inside. Please, help me to establish desired LDAP authorization schema. As far as I know it was possible in FreeRadius 2.1.x and I believe some additional configuration required here.
You have to force Auth-Type LDAP. authorize { ... pap if (noop && User-Password) { update control { Auth-Type := LDAP } } } Do this in raddb/sites-enabled/default, and raddb/sites-enabled/inner-tunnel. And also add "ldap" to the "authenticate" section for both virtual servers. Alan DeKok.