Freeradius and LDAP : to be continued

Christophe Gravier christophe.gravier at univ-st-etienne.fr
Wed Dec 14 17:44:11 CET 2005


Hello,

From the last things settled today about ldap support for freeradius on 
the list, I succeeded in configuring the ldap backend for freeradius.

At least, radtest gives me an Accept response!

Nevertheless, with the chillispot front end, I can't log in; freeradius says:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
  modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.


That's pretty strange since it does work with radtest (But I see a plain 
text password being sent to openldap :s).

Anyway, the problem comes from: rlm_ldap: Attribute "User-Password" is 
required for authentication. Cannot use "CHAP-Password".
But I DID set:
password_attribute = "userPassword"
for my ldap server in /etc/freeradius/radiusd.conf

I mean, there's no configuration in chillispot except the radius server 
IP to match users against.

What's the difference between radtest and an authentication via 
chillispot?

Apart from this chilli-freeradius problem (towards radtest), how can I 
make freeradius send a hash as password? (my userPassword is hashed using 
SHA).

There is a proposal here: 
http://lists.cistron.nl/pipermail/freeradius-users/2002-October/012169.html, 
but I don't want to use CHAP since my userPassword is SHA encrypted.
I tried to comment out the chap and mschap part in the authorize section 
(I'll never use it). (same error).

(I must say I followed 
http://www.linuxhomenetworking.com/linux-adv/ldap.htm#_Toc92561284 howto 
for configuring ldap for freeradius).

Please, feel free to point me in some directions to search.

Best regards,


Christophe.
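
Added example, not part of the original post and not FreeRADIUS code: a Python model of why the log above refuses CHAP-Password when the directory holds only a {SHA} hash, while a User-Password (PAP) request can be checked. The function names and the sample password are assumptions made for illustration; the CHAP computation follows RFC 2865.

```python
import base64, hashlib, hmac, os

def ldap_sha(password: bytes) -> str:
    """LDAP {SHA} userPassword value: base64 of the SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 CHAP-Password: ident byte + MD5(ident || password || challenge)."""
    head = bytes([ident])
    return head + hashlib.md5(head + password + challenge).digest()

def verify_pap(user_password: bytes, stored: str) -> bool:
    """PAP (User-Password): the server holds the password the user typed,
    so it can hash it the same way the directory did and compare."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(ldap_sha(user_password), stored)
    return hmac.compare_digest(user_password, stored.encode())

def verify_chap(chap: bytes, challenge: bytes, stored: str):
    """CHAP: the server must recompute the MD5 from the cleartext password.
    Returns True/False, or None when only a one-way hash is stored."""
    if stored.startswith("{"):  # {SHA}, {SSHA}, {MD5}...: cleartext unavailable
        return None
    expected = chap_password(chap[0], stored.encode(), challenge)
    return hmac.compare_digest(expected, chap)

def demo() -> dict:
    password = b"constructed-sample-pw"      # constructed sample value
    challenge = os.urandom(16)               # sent by the NAS as CHAP-Challenge
    chap = chap_password(0x2A, password, challenge)
    stored_hash = ldap_sha(password)         # what the directory holds
    return {
        "pap_vs_sha": verify_pap(password, stored_hash),
        "pap_wrong_pw": verify_pap(b"wrong", stored_hash),
        "chap_vs_sha": verify_chap(chap, challenge, stored_hash),
        "chap_vs_cleartext": verify_chap(chap, challenge, password.decode()),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `chap_vs_sha` result is `None` because the MD5 in CHAP-Password covers the cleartext password, which a SHA-1 digest cannot give back; the same request succeeds only when the stored value is cleartext.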


