Hello Alan and Ivan My intent is not to pester you with my queries but the problem is still what it was initially. Ill once again tell you the configuration that I am using. ------------------------radiusd.conf----------------------------------- /* Most of the stuff is untouched. */ /* Added authenticate{} and authorize{} section */ authenticate { ldap1 ldap2 } authorize{ ldap1 ldap2 } -----------------module/ldap------------------------------ ldap ldap1{ # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "...." identity = "....." password = ..... basedn = "ou=People,dc=example,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap_connections_number = 5 password_header="{crypt}" password_attribute=userPassword password_radius_attribute=Crypt-Password ..... } ldap ldap1{ # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "...." identity = "....." password = ..... basedn = "ou=People,dc=example,dc=com" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap_connections_number = 5 password_header="{crypt}" password_attribute=userPassword password_radius_attribute=Crypt-Password ..... } 'users' and 'client' file is unchanged. I run the server with the following command line options. 'radiusd -X' To test I run the radtest tool with the following option. radtest catch "catchall" localhost 2 testing123 Here catch and catchall are user and password in the LDAP database created from a unix account on the host hosting the LDAP database. The migration from the regular unix /etc/passwd to the LDIF file was done using the migration tools. The reply received was rad_recv: Access-Reject. The following was the debug output from the server. rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=catch) rlm_ldap: Added User-Password = $1$FYblmPWy$fmgebhCOLpHvhdECNP4EG0 in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user catch authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap2] returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> catch attr_filter: Matched entry DEFAULT at line 11 Please point me out what may have possibly gone wrong. Another observation : 1. When I try to test using the username 'try' stored in the other ldap database, it doesn't search in the other LDAP server but only searches in the one which doesn't have it and fails. 2. The problem in (1) doesn't occur when I comment out the 'password_attribute' line in the modules/ldap file. It then searches the appropriate LDAP database , however fails with the following output. rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials Please advice. Thanks Sambuddho On Sun, 2008-07-06 at 08:06 +0200, Alan DeKok wrote:
Sambuddho Chakravarty wrote:
Does that mean that I cannot authenticate against a LDAP server from a freeradius server using cleartext passwords.
No. That is not what he said.
So the freeradius client needs to send the password in encrypted format.
No. That is not what he said.
But other programs which using LDAP server to authenticate (eg. the pam_ldap ) takes as input the cleartext password.
We know. We've been doing this for years.
Is there a solution to this ?
Do what Ivan said.
Maybe I am mistaken somewhere.
Lots.
Please let me know.
We're trying to help you. It's not working.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html