On 8/3/06, Stuckzor <lutemberg@gmail.com> wrote:
1.)I have ldap in authenticate section 2.)AUTH-TYPE set ot LDAP in users fileand 3.)MUST NOT have ldap under authorize section of radiusd.conf.
Only with this config i get access-accept with radtest (i tried all possible combinations of those 3). I get this message otherwise:
"rlm_ldap: no dialupAccess attribute - access denied by default"
And with my "working" config i get already mentioned userPassword attribute error. So, i'm afraid i don't even get so far, to have problems with password encription.
Hi, OK, I'll give it a try. 1. Going far back in this thread, you said something about using EAP-PEAP/MSCHAP. Therefore you are _required_ to have the cleartext password in LDAP or in the alternative an equivalent hash (nt/lm) if you want to use that. If so, configure your ldap instance in radius.conf accordingly AND include it in authorize{}. This was pointed out often enough one might think (and from people who really know, because they wrote the software you are trying to use). Then there will be no need for explicit setting of Auth-Type. It has been said. 2. Even if you tried something else (EAP-TTLS for example) you were already told how to proceed and how that relates to the need for cleartext passwords. Even then there is no need for setting Auth-Type manually. 3. If you insist on setting Auth-Type nevertheless, you will break other things you obviously don't know about. There is plenty of (perhaps even a bit too overwhelming) documentation on freeradius.org, in the tarball, in the example configuration, this very list, etctetc. Believe its contents. If you think their is a fault and you are wiser show that precisely (NOT by reasoning in generalities stemming from false assumptions on your side). 4. Whatever you test with radtest does not relate to EAP-PEAP/MSCHAP. Please restart your efforts with unchanged default configuration files. Alter them step-by-step according to the information you were already given. And, sorry, don't whip a dead horse, again, by setting Auth-Type. regards K. Hoercher