Hey gang, I'm still struggling getting freeradius and LDAP working to authenticate my PPTP users. I'd really appreciate if one of the guru's could have a look. I've wiped my old install and installed a fresh copy of freeradius and all the config files. Reading the list postings it's clearly best to make as few changes as posible to the config files. So, the bit's I've changed in radiusd.conf are as follows: modules { ldap { server = "ldap.mycompany.net" # identity = "cn=admin,o=My Org,c=UA" # password = mypass basedn = "ou=people,dc=mycompany,dc=net" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" password_attribute = userPassword I uncommented the ldap section under authenticate: authenticate { ... Auth-Type LDAP { ldap } Then, I added my client in clients.conf. In users I added: DEFAULT Auth-Type := LDAP Fall-Through = 1 Those are all the changes I've made to the default configurations. I'm now storing my password(s) in the ldap directory in plain text. Using radtest from another machine on the network authenticates from the LDAP server just fine. Authentication from my PPTP server always gives me the following: rad_recv: Access-Request packet from host x.x.x.x:32792, id=112, length=149 Service-Type = Framed-User Framed-Protocol = PPP User-Name = "joey" MS-CHAP-Challenge = 0x0a5f7e5035f0d2306105161cdf7060c4 MS-CHAP2-Response = 0xb600a2aa1bab3836758fcf6e48643de987c900000000000000003e30dd6e4b9c0b1d9bebde2c68fbab2aa625a5246217a002 Calling-Station-Id = "165.236.229.162" NAS-Identifier = "pptp" NAS-Port = 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. Login incorrect: [joey/<no User-Password attribute>] (from client vpn-external port 0 cli 165.236.229.162) Sending Access-Reject of id 112 to x.x.x.x:32792 What am I doing wrong? Thanks so much! --joey
Joey McDonald <jmcdice@gmail.com> wrote:
I'm now storing my password(s) in the ldap directory in plain text. Using radtest from another machine on the network authenticates from the LDAP server just fine.
Don't set Auth-Type.
In users I added:
DEFAULT Auth-Type := LDAP Fall-Through = 1
Delete that. You don't need it. List "ldap" in "authorize", AFTER "mschap". Alan DeKok.
Hi Alan, I've taken out the LDAP section in users - so it's exactly the same as the default users file. ldap is now listed after mschap in authorize {}. Trying again, I get the following: rlm_ldap: user joey authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 Login incorrect: [joey/<no User-Password attribute>] (from client vpn-external port 0 cli 165.236.229.162) Sending Access-Reject of id 113 to x.x.x.x:32792 MS-CHAP-Error = "pE=691 R=1" Any other sugggestions? Thanks! On 2/6/06, Alan DeKok <aland@ox.org> wrote:
Joey McDonald <jmcdice@gmail.com> wrote:
I'm now storing my password(s) in the ldap directory in plain text. Using radtest from another machine on the network authenticates from the LDAP server just fine.
Don't set Auth-Type.
In users I added:
DEFAULT Auth-Type := LDAP Fall-Through = 1
Delete that. You don't need it.
List "ldap" in "authorize", AFTER "mschap".
Alan DeKok.
joey@scare.org wrote:
I've taken out the LDAP section in users - so it's exactly the same as the default users file.
ldap is now listed after mschap in authorize {}. Trying again, I get the following:
Run the server in debugging mode, as suggested in the README, FAQ, and INSTALL. Then, read the output. All of it. The answer will be in the debug output. Alan DeKok.
Ladies and gents... We have lift off. Thanks! --joey On 2/6/06, Alan DeKok <aland@ox.org> wrote:
joey@scare.org wrote:
I've taken out the LDAP section in users - so it's exactly the same as the default users file.
ldap is now listed after mschap in authorize {}. Trying again, I get the following:
Run the server in debugging mode, as suggested in the README, FAQ, and INSTALL.
Then, read the output. All of it.
The answer will be in the debug output.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, You could authenticate users by RADIUS which was configured to authenticate users by LDAP. Now, suppose radius in accounting mode, can the accounting attributes be sent to LDAP? I mean somehow the radius (or sth else) can send the attributes to the LDAP server as I need IP frame address to be stored in LDAP. Is it possible? Regards,
participants (4)
-
Alan DeKok -
Joey McDonald -
Joey McDonald -
Mohsen A. Momeni