After the manual's config, chap wont work with LDAP

Phil Mayers p.mayers at imperial.ac.uk
Fri Dec 16 10:48:37 CET 2005


Matt Juszczak wrote:
> Hi all,
> 
> We've got our freeradius servers working with LDAP fine, except for 
> CHAP.  Originally, the logs were saying "Invalid user \\user", but we 
> fixed that by enabling an option in radiusd.conf.
> 
> Now, when we dial up without encrypted password enabled, the connection 
> comes through successfully.  However, when we enable the encrypted 
> password option and try again, we get:
> 
> Thu Dec 15 18:12:52 2005 : Auth: Login incorrect (rlm_ldap: empty 
> password supplied): [username/] (from client 123.123.123.123 port 3088 
> cli 2125550404)
> 
> It's saying the password is empty, but we are indeed using a password.
> 
> Does anyone have any ideas?  We've followed the instructions in the FAQ 
> (CHAP above LDAP in the authorize section, no := Auth-Type, etc.)..... 
> it just doesn't seem to want to recognize that a password is being entered.
> 
> For the record, no query hits the LDAP server during a CHAP 
> authentication...... so it's obviously something with the config of 
> freeradius.

You've posted no debugging output or config, so it's difficult to tell, but:

To do CHAP, you must have:

  1. The PLAINTEXT password in the LDAP server
  2. The Radius server permitted to read that attribute
  3. The ldap module configured to put whatever that attribute is
     (usually userPassword) into the radius "User-Password", using the
     "password_attribute" option of the ldap module
  4. "chap" above "pap" in the authorize (which you've got)
  5. "chap" anywhere in authenticate

> 
> Thanks for any help!
> 
> -Matt
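
Why item 1 in the reply calls for the plaintext password, shown as an added example that is not part of the original post and is not FreeRADIUS code: in CHAP (RFC 1994) the server recomputes MD5(identifier || password || challenge), so a hashed or missing directory value can never match. All names and values below are constructed for illustration.

```python
import hashlib
import hmac


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Check a RADIUS CHAP-Password value (1-byte identifier + 16-byte
    response) against whatever the server retrieved for the user."""
    if len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(response, expected)


# Constructed sample values (not taken from the thread).
PLAINTEXT = b"s3cret-example"
CHALLENGE = bytes(range(16))
CHAP_ID = 0x2A

# What the dial-up client sends when "encrypted password" (CHAP) is enabled.
CLIENT_CHAP_PASSWORD = bytes([CHAP_ID]) + chap_response(CHAP_ID, PLAINTEXT, CHALLENGE)

# Assumption: a directory that stores only an MD5 digest of the password.
HASHED_ENTRY = hashlib.md5(PLAINTEXT).digest()


def demo() -> dict:
    """Verify the same client response against three possible stored values."""
    return {
        "plaintext_in_directory": verify_chap(CLIENT_CHAP_PASSWORD, CHALLENGE, PLAINTEXT),
        "hashed_in_directory": verify_chap(CLIENT_CHAP_PASSWORD, CHALLENGE, HASHED_ENTRY),
        "no_password_retrieved": verify_chap(CLIENT_CHAP_PASSWORD, CHALLENGE, b""),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```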