2015-06-25 13:31 GMT+02:00 Jochen Demmer <jochen.demmer@peakwork.com>:
Does someone maybe have a good howto for my scenario? Freeradius 3 + OpenLDAP with MSCHAPv2 and NTLM based passwords, which are by the way stored in an attibute called sambaNTPassword.
I had such a setup before but moved to EAP-TLS and completely dropped LDAP. In fact it is not that difiicult to get it working. You just need to configure the ldap moduel correctly enable LDAP in sites-enabled/ and that's it.
I keep trying to setup Radius 3 but it keeps saying:
Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): 0 of 8 connections in use. Need more spares Thu Jun 25 13:06:19 2015 : Info: rlm_ldap (ldap): Opening additional connection (8)
That's fine. FR closes unused connections after a specified amount of time. If it then needs a connection but has none open already it prints out that message and reopens connections.
I've just configured the ldap module and also activated it. Also I have added a client so far.
A client or a user? A client is a NAS that requires a user to authenticate and forwards user access requests to the RADIUS. And a user is a user, obviously :)
Do I have to install this radius schema into my LDAP backend if I'm going with the LDAP connection?
If you just want to read username & password out of LDAP you don't need it. If you additionally want to manage clients and other stuff like RADIUS Attributes (eg. Calling-Station-Id or Tunnel-Private-Group-Id) then you have to install it. There are two schema files. One for radius itself and all attributes and one for radius clients.
I thought ideally the user is checked and additionally if he belongs to some group to have access control.
RADIUS does only authentication of users. If you want to apply more attributes, eg. VLAN you have to tell RADIUS to additionally read these attributes stored in LDAP. If these are present for a user/group it applies them. If not it doesn't. If you want more you have to script unlang.