Hi Phil, Thanks for the response.
rlm_ldap: Adding userPassword as User-Password, value { & op=21
The line above looks wrong, but it never ends up being a problem because...
rlm_ldap: looking for reply items in directory... rlm_ldap: user joey authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0
...during authenticate...
Sure, I don't think that FDS has the radius extensions yet although I've created an ldif to add them if needed but in the mean time I've just commented out: access_attr = "dialupAccess" because I want all my users to be able to use the VPN.
rlm_ldap: - authenticate
rlm_ldap: login attempt by "joey" with password "xxxxxxxx" rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net rlm_ldap: (re)connect to ldap.example.net:389, authentication 1 rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to ldap.example.net:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user joey authenticated succesfully
...auth-type == LDAP and an LDAP simple bind is done to answer the PAP request from radtest. This ONLY works with PAP because an LDAP simple bind needs the plaintext password.
Login OK: [joey/xxxxxxx] (from client el-oso port 0) Sending Access-Accept of id 116 to 172.33.100.18:32811
So that tells me that I've got the communication to my LDAP server properly configured.
However when my PPTP server sends authentication requests to my radius server, I always get "Login incorrect: [joey/<no User-Password attribute>]"
Since it's a PPTP server you are almost certainly going to be using MS-CHAP, which requires either:
1. The NT password hash to be in LDAP and readable by FreeRadius 2. The plaintext password to be in LDAP and readable 3. Samba, domain membership, winbind and the ntlm_auth plugin option for the mschap module
Well, I'm not using windows systems at all - I've got OSX clients and a linux-based PPTP server. The passwords are stored as SSHA in my LDAP directory. That finally makes sense as to why radtest works, so thanks! My next question is, what Auth-Type should I be using for SSHA's stored in an LDAP directory. Clearly LDAP isn't going to be it if it doesn't support decrypting passwords and I don't wish to store passwords in plain text in the directory.