Freeradius and LDAP : to be continued

Christophe Gravier christophe.gravier at univ-st-etienne.fr
Thu Dec 15 16:40:36 CET 2005


Hello Edvin,

First, I received my email posted to the list several times in my mail 
client.
I highly hope this is not the case for all of you! (If it is, Thunderbird 
didn't like switching from the testing wireless network back to cable 
and vice versa, since they're all dated to the same hour....)
If you received only one mail, it is OK, just forget what I said ;-)

For what I am trying to do:
I have an existing LDAP directory with all users being able to connect 
to the wireless area.

The hotspot architecture is :

client <-> chillispot (login page served with apache2 + ssl) <-> 
freeradius <-> ldap.

I just want my ldap users being able to connect to the hotspot.

So, *at first*, I edited the conf file to let users be authenticated via 
LDAP.

This way, radtest was just OK but not ChilliSpot. When I reported it to 
the list, asking how radtest is different from ChilliSpot login, Alan 
explained to me:
" You're using LDAP as an authentication server. Don't do that. Use LDAP 
to store passwords.
 i.e. remove the "ldap" entry from the "authenticate" section. Get 
radtest to work. Once that works, Chillispot will work, too."

So I removed "ldap" from authenticate (I left it in the authorize section 
though).

But it still doesn't solve the problem.

In the end, Alan proposed to hack rlm_ldap.c to "have it *never* set 
Auth-Type to LDAP. That would solve a lot of problems."

I just find it dirty to hack the RADIUS server and then recompile to get LDAP 
support :-(

If you're using LDAP for your users accessing the hotspot, would you 
please tell me how you achieve this ?

Best Regards,

Seferovic Edvin wrote:

>Hello,
>
>I must admit, I have been reading this thread, but I still do not understand
>what Christophe is trying to accomplish. As far as I understand - you have
>your passwords in LDAP, and you only ( kind of ) need to authorize but NOT
>authenticate users that are in your LDAP directory.. 
>
>Please correct me...
>
>Regards,
>
>Edvin
>
>-----Original Message-----
>From: freeradius-users-bounces at lists.freeradius.org
>[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
>Christophe Gravier
>Sent: Thursday, 15 December 2005 16:05
>To: FreeRadius users mailing list
>Subject: Re: Freeradius and LDAP : to be continued
>
>Phil Mayers wrote:
>
>>Alan DeKok wrote:
>>
>>><christophe.gravier at univ-st-etienne.fr> wrote:
>>>
>>>>rlm_ldap: Adding userPassword as User-Password, value { & op=11
>>>
>>>  That's better.
>>>
>>>>modcall: group authorize returns ok for request 0
>>>>  rad_check_password:  Found Auth-Type LDAP
>>>
>>>  Yuck.
>>>
>>>  My quick answer is to edit rlm_ldap.c to have it *never* set
>>>Auth-Type to LDAP.  That would solve a lot of problems.
>>
>>Interesting. I mentioned this to another querier the other day:
>>
>>http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html
>
>Argggg. You lost me.
>
>Still not working.
>I can't imagine I'm unable to make freeradius use LDAP passwords without 
>hacking it :-/
>
>>What then would the authenticate section look like to use LDAP? 
>>Presumably something like:
>>
>>authenticate {
>>  Auth-Type PAP {
>>    ldap
>>  }
>>}
>>
>>...but of course then you get into what happens if you want 2 
>>different services in the same server, such as:
>>
>>authenticate {
>>  Auth-Type PAP-service1 {
>>    ldap1
>>  }
>>  Auth-Type PAP-service2 {
>>    ldap2
>>  }
>>  Auth-Type MSCHAP-service1 {
>>    mschap1
>>  }
>>  Auth-Type MSCHAP-service2 {
>>    mschap2
>>  }
>>}
>>
>>...etc. - nasty. Is it possible to do:
>>
>>authenticate {
>>  Huntgroup Service1 {
>>    Auth-Type PAP {
>>      ldap1
>>    }
>>    Auth-Type MSCHAP {
>>      mschap1
>>    }
>>  }
>>
>>  Huntgroup Service2 {
>>    Auth-Type PAP {
>>      ldap2
>>    }
>>    Auth-Type MSCHAP {
>>      mschap2
>>    }
>>  }
>>}
>>
>>...although "Realm" might make more sense than "Huntgroup" in 
>>understanding what I mean.
>>
>>There's also the possibility of wanting to use fallback:
>>
>>authenticate {
>>  Auth-Type PAP {
>>    ldap
>>    pap
>>  }
>>}
>>
>>...although I'm pretty sure you can do that with configurable failover 
>>and the above syntax is wrong.


-- 
Christophe Gravier
DIOM laboratory, SATIn group - PhD student
ISTASE - Research engineer
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
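Added example (not taken from the thread and not FreeRADIUS' own shipped config): a minimal radiusd.conf layout that follows Alan's advice above, i.e. rlm_ldap is used only in "authorize" to fetch the stored password, and the actual check is done by rlm_pap / rlm_chap in "authenticate". The server name, bind DN, base DN and password are placeholders. The "set_auth_type" item is an assumption: it exists as an rlm_ldap option in later FreeRADIUS releases, but may not be present in the build the thread is about, where Alan's suggestion was to patch rlm_ldap.c so that it never sets Auth-Type := LDAP.

```conf
# Added example, not the thread's or the project's own configuration.
# Names, DNs and the bind password below are placeholders.

modules {
        ldap {
                server   = "ldap.example.org"
                identity = "cn=radius,ou=services,dc=example,dc=org"
                password = "changeme"
                basedn   = "ou=people,dc=example,dc=org"
                filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"

                # Copy userPassword from the entry into the request as
                # User-Password so that rlm_pap / rlm_chap can verify it.
                # This is the "use LDAP to store passwords" model: the
                # server never binds to the directory as the end user.
                password_attribute = userPassword

                # ASSUMPTION: option present in later rlm_ldap releases.
                # Stops rlm_ldap from forcing Auth-Type := LDAP, which is
                # exactly what "rad_check_password: Found Auth-Type LDAP"
                # in the debug output above comes from.
                set_auth_type = no
        }

        pap {
                # Must match how userPassword is stored in the directory:
                # "clear" for cleartext, "crypt" for {crypt} hashes, etc.
                # A hash that rlm_pap cannot verify fails no matter which
                # section "ldap" is listed in.
                encryption_scheme = clear
        }

        chap {
                authtype = CHAP
        }
}

authorize {
        preprocess
        chap          # sets Auth-Type := CHAP when a CHAP-Password is present
        ldap          # looks the user up and adds User-Password from userPassword
        pap           # sets Auth-Type := PAP when a User-Password is present
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        # Deliberately NO "ldap" entry here.  An "Auth-Type LDAP" block
        # makes rlm_ldap bind to the directory as the user, which requires
        # the user's cleartext password in the request and therefore only
        # ever works for PAP-style requests such as the ones radtest sends.
}
```

With the server running under "radiusd -X", a successful radtest against this layout should end the authorize pass with "rad_check_password: Found Auth-Type PAP" (or CHAP for a CHAP client) rather than "Found Auth-Type LDAP". If the debug output still shows Auth-Type LDAP, rlm_ldap is still setting it itself and, on a build without "set_auth_type", the remaining options are the rlm_ldap.c change Alan describes or an upgrade to a release that has the option. Note that CHAP can only be verified against a cleartext password, so a directory that stores hashed userPassword values will only ever pass PAP requests with a matching "encryption_scheme".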
