On Mon, Sep 5, 2016 at 4:31 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 5, 2016, at 9:24 AM, Bogdan Rudas via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
I would like to configure LDAP authentication for WiFi users with OpenLDAP back-ends (passwords are hashed). To perform initial bind to LDAP database I use restricted account which can read directory tree, determine DN on user and most of it's attributes but can't read passwords hashes.
That's may work, if you configure it correctly.
Then I expect FreeRadius to bind with DN found on previous step and user-supplied password.
Does the rlm_ldap module documentation say it does that?
When I use admin user account (which can read password hashes) for initial bind, authentication test with *radtest *works well, but it is not what I want to do.
Why not?
I want to keep my OpenLDAP password policy working, this requires true LDAP bind attempt with credential of end-user.
My final destination is EAP-TTLS with PAP inside. Please, help me to establish desired LDAP authorization schema. As far as I know it was possible in FreeRadius 2.1.x and I believe some additional configuration required here.
You have to force Auth-Type LDAP.
authorize { ... pap if (noop && User-Password) { update control { Auth-Type := LDAP } } }
Do this in raddb/sites-enabled/default, and raddb/sites-enabled/inner-tunnel. And also add "ldap" to the "authenticate" section for both virtual servers.
Thank you, this helps. I had to enable in both 'servers' * Auth-Type LDAP { ldap }* Otherwise, server complains on "Unknown or invalid value "LDAP" for attribute Auth-Type" -- Bogdan Rudas Head of Minsk IT Support Department Exadel Inc. http://www.exadel.com/ E-mail: brudas@exadel.com Skype ID: bogdan.rudas -- CONFIDENTIALITY NOTICE: This email and files attached to it are confidential. If you are not the intended recipient you are hereby notified that using, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error please notify the sender and delete this email.