Re: Connecting freeRadius to openLDAP
I am not using AD, it is OpenLDAP that comes with Zimbra. Zimbra is an e-mail client that uses regular ole openLdap as it's authentication and attribute store. I have been able to get a lot of good information from your site but I haven't been able to find the key piece of information I need, or at least it hasn't jummped out at me yet. Right now it looks like I have a few options but I don't know if any of them are viable, get OpenLDAP to store it's password as clear text, don't really like this idea but may have to. See if there is a way to somehow get an innter tunnel to use ttls/pap to connect to the ldap server and perfrom authentication that way since it appears that PAP authentication does work. But I don't know if there can be a change in crypt for the authentication from the client which uses MSCHAPv2/PEAP and PAP. and lastly is to see if I can add NT/LM tags to my ldap server. I haven't been able to find what is the best option or how to do any of the above just yet. I thought that what I am trying to do is pretty straight forward but it doesn't seem to be that way. Client connect to Access point/router and the client has to use MSCHAPv2/PEAP and then have the Access Point connect to Radius and then to my OpenLDAP for authentication. If anyone has any other ideas I am open to suggestions. Thanks, ----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, July 21, 2009 4:21:57 PM GMT -05:00 US/Canada Eastern Subject: Re: Connecting freeRadius to openLDAP Eric Bourkland wrote:
below is my debug file. The interesting thing is when I am trying to do an ldap search it doesn't list the password attribute
Are you using Active Directory? If so, please understand that it is NOT an LDAP server. You will need to use Samba to do authentication against AD. See my web page (deployingradius.com) for complete instructions. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
See if there is a way to somehow get an innter tunnel to use ttls/pap to connect to the ldap server and perfrom authentication that way since it appears that PAP authentication does work. But I don't know if there can be a change in crypt for the authentication from the client which uses MSCHAPv2/PEAP and PAP.
You can't switch from peap to eap-ttls/pap half way through. If you need eap-ttls/pap client for Windows look at SecureW2.
and lastly is to see if I can add NT/LM tags to my ldap server. I haven't been able to find what is the best option or how to do any of the above just yet.
doc/examples/openldap.schema
I thought that what I am trying to do is pretty straight forward but it doesn't seem to be that way.
It is. Just let radius server know what is the password. It has hard time authenticating users without one. Ivan Kalik Kalik Informatika ISP
What would be the best solution since freeRadius currently can't get the password out of my openLDAP unless it is using PAP, it gets the password in the request via PEAP. I would like to avoid having to tell everyone with a windows client that they need to install SecureW2. What would be nice is if it was smart enough to recieve the request in multiple formats/protocols and then translate it into multiple formats/protocols to query out to flat file/DB/LDAP or AD instead of just passing the request along. Although there is the risk of something getting messed up with scripts converting protocols and there are probably a million different scenarios out there. Maybe I'm missing something since I'm still new to Radius. Is the easiest thing to do is to monkey with the openLDAP schema and add some cleartext password attributes? If I get this done is there some place in one of the config files that I need to update to look for a particular password attribute when Radius tries to do the authentication or does it figure it out for itself? I have been beating my head against a wall for about a week on this and the documentation mocks me by always saying it just works. Thanks, ----- Original Message ----- From: "Ivan Kalik" <tnt@kalik.net> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, July 21, 2009 6:51:45 PM GMT -05:00 US/Canada Eastern Subject: Re: Connecting freeRadius to openLDAP
See if there is a way to somehow get an innter tunnel to use ttls/pap to connect to the ldap server and perfrom authentication that way since it appears that PAP authentication does work. But I don't know if there can be a change in crypt for the authentication from the client which uses MSCHAPv2/PEAP and PAP.
You can't switch from peap to eap-ttls/pap half way through. If you need eap-ttls/pap client for Windows look at SecureW2.
and lastly is to see if I can add NT/LM tags to my ldap server. I haven't been able to find what is the best option or how to do any of the above just yet.
doc/examples/openldap.schema
I thought that what I am trying to do is pretty straight forward but it doesn't seem to be that way.
It is. Just let radius server know what is the password. It has hard time authenticating users without one. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Eric Bourkland wrote:
What would be the best solution since freeRadius currently can't get the password out of my openLDAP unless it is using PAP, it gets the password in the request via PEAP.
PEAP doesn't work that way. Blame Microsoft.
I would like to avoid having to tell everyone with a windows client that they need to install SecureW2.
Then fix your LDAP server so that it supplies the password. OpenLDAP *can* do this, and it shouldn't be too hard. See the OpenLDAP documentation for instructions.
What would be nice is if it was smart enough to recieve the request in multiple formats/protocols and then translate it into multiple formats/protocols to query out to flat file/DB/LDAP or AD instead of just passing the request along.
That is completely and totally impossible. Sorry. http://deployingradius.com/documents/protocols/compatibility.html
Although there is the risk of something getting messed up with scripts converting protocols and there are probably a million different scenarios out there. Maybe I'm missing something since I'm still new to Radius.
It's impossible. It's designed to be impossible by the people who created the various protocols. FreeRADIUS does *everything* it can to be compatible with everything, and to do what you say. But some things are just impossible.
Is the easiest thing to do is to monkey with the openLDAP schema and add some cleartext password attributes? If I get this done is there some place in one of the config files that I need to update to look for a particular password attribute when Radius tries to do the authentication or does it figure it out for itself?
The password should go into the userPassword field in LDAP. FreeRADIUS will then Just Work.
I have been beating my head against a wall for about a week on this and the documentation mocks me by always saying it just works.
It does, if you give FreeRADIUS a password that can be used for authentication. Your LDAP server isn't giving FreeRADIUS a password. There is no amount of playing with FreeRADIUS that will make the LDAP server give FreeRADIUS a password. Fix your LDAP server. ALan DeKok.
participants (3)
-
Alan DeKok -
Eric Bourkland -
Ivan Kalik