On Wed, Mar 7, 2012 at 12:32 AM, Stefano Zanmarchi <zanmarchi@gmail.com> wrote:
Hi, my aim is to to have eap-ttls/pap working using an openldap user database with MD5 hashed passwords. I got it working configuring ldap parameters in /etc/raddb/modules/ldap and applying two changes in /etc/raddb/sites-available/inner-tunnel: 1) uncommented "ldap" in the authorize section 2) uncommented these lines in the authenticate section: Auth-Type LDAP { ldap } Am I doing it right?
The documentation advised against that. Instead, you should find out which LDAP attribute stores your MD5-password, add the correct mapping to ldap.attrmap, and leave Auth-Type section commented-out. It shouldn't affect the result though, since you don't have cleartext-password stored in LDAP.
What puzzles me is the following comment in the authenticate section that seems to warn me not to do what I have done ("EAP wont'work"): # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password.
AFAIK that section refers to EAP-PEAP-MSCHAPv2, the most commonly-used EAP type. See http://wiki.freeradius.org/Protocol%20Compatibility regardless whether you use Auth-Type or not, you still will only be able to use PAP, TTLS-PAP, or EAP-GTC as those are the ones that provide user password in clear text. -- Fajar