On 03/10/2010 06:21 AM, Eric Eric wrote:
How freeradius does chap auth using ldap server ? In pap, it binds with user's clear password to ldap server, and ldap server sends success bind if pawword is true. When using chap, how it can bind to ldap server? Does it send chap password to the ldap server? Is it needed another software with freeradius+ldap server(for example 389 DS) for doing chap authentication?
It only attempts to bind as the user if you're using LDAP for *authentication* (as opposed to authorization). You correctly point out that you can't do chap that way (so don't). If your users are in an LDAP directory what you need to do is to get the *authorization* phase of FreeRADIUS to lookup the cleartext password (or NT hash if you're using ntlm/samba) from the directory. The authorization part of rlm_ldap will then add the password or hash to the request. Then let the chap module perform the authentication using the password that was looked up during authorization. To perform the LDAP lookup rlm_ldap has to be able to bind to the server, this is done using the login and password instance attribute set in the ldap configuration file (/etc/raddb/modules/ldap). You'll also need to make sure you define the search filter etc. for performing the password lookup. Don't forget to set ACL's on the cleartext password in LDAP to prevent unauthorized retrevial of any user's password. You'll also need to the the userPassword attribute mapping in the /etc/raddb/ldap.attrmap file like this: checkItem Cleartext-Password userPassword With debug enabled if you get this message: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? Then the retrieval of the cleartext password failed during *authorization* and the subsequent chap *authentication* will fail because it does not have a clear text password to utilize during the chap exchange. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/