CHAP and LDAP

Andrew Browning drew826 at gmail.com
Mon Oct 3 03:58:17 CEST 2005


are you sure that you have passwords in ldap in cleartext format?

> Mon Oct  3 02:16:05 2005 : Debug: rlm_ldap: checking if remote access for
> dmitry is allowed by dialupAccess
> Mon Oct  3 02:16:05 2005 : Debug: rlm_ldap: Password header not found in
> password qazxsw for user dmitry
> Mon Oct  3 02:16:05 2005 : Debug: rlm_ldap: looking for check items in
> directory...
> Mon Oct  3 02:16:05 2005 : Debug: rlm_ldap: looking for reply items in
> directory...
> Mon Oct  3 02:16:05 2005 : Debug: rlm_ldap: user dmitry authorized to use
> remote access
> Mon Oct  3 02:16:05 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> Mon Oct  3 02:16:05 2005 : Debug:   modsingle[authorize]: returned from ldap
> (rlm_ldap) for request 3
> Mon Oct  3 02:16:05 2005 : Debug:   modcall[authorize]: module "ldap"
> returns ok for request 3
> Mon Oct  3 02:16:05 2005 : Debug: modcall: group authorize returns ok for
> request 3

so the user dmitry is found in the ldap, and authorize succeeds.

> Mon Oct  3 02:16:05 2005 : Debug:   rad_check_password:  Found Auth-Type
> CHAP
> Mon Oct  3 02:16:05 2005 : Debug: auth: type "CHAP"
> Mon Oct  3 02:16:05 2005 : Debug:   Processing the authenticate section of
> radiusd.conf
> Mon Oct  3 02:16:05 2005 : Debug: modcall: entering group Auth-Type for
> request 3
> Mon Oct  3 02:16:05 2005 : Debug:   modsingle[authenticate]: calling chap
> (rlm_chap) for request 3
> Mon Oct  3 02:16:05 2005 : Debug:   rlm_chap: login attempt by "dmitry" with
> CHAP password
> Mon Oct  3 02:16:05 2005 : Debug:   rlm_chap: Could not find clear text
> password for user dmitry

here radius complains that it can't find a cleartext password for the
user dmitry. check your ldap configs again to see that passwords are
in cleartext. if you're using openldap, you have to set the
password-hash to {CLEARTEXT}, and that actually doesn't work in
current stable versions of openldap. if you don't have any value set,
then I think it uses SHA by default but I'm not sure on that one.
if you're using some other type of ldap server, read the appropriate
docs and check over your config files once again.
because PAP authentication does work, that also leads me to believe
that the problem is not with freeradius, but with the passwords in
ldap.
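
Why PAP can succeed while CHAP fails against the same directory entry, shown as an added example that is not part of the original post and is not FreeRADIUS code. A CHAP response is MD5(ID || secret || challenge) per RFC 1994, so the server can only verify it from the cleartext secret. The password, challenge, helper names and the "leading `{` means hashed" check are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not taken from the thread.
PASSWORD = b"example-pass"
CHAP_ID = 7
CHALLENGE = bytes(range(16))

def chap_response(chap_id, secret, challenge):
    """RFC 1994 CHAP response: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def ldap_sha(password):
    """Directory value in the {SHA} scheme: base64 of the SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()

def pap_check(submitted, stored):
    """PAP delivers the password itself, so the server can hash and compare."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(ldap_sha(submitted), stored)
    return hmac.compare_digest(submitted, stored.encode())

def chap_check(chap_id, challenge, response, stored):
    """CHAP delivers only a digest; the server must recompute it from cleartext.
    Returns None when the stored value carries a hash-scheme header (assumed
    here to mean 'no cleartext available'), otherwise True or False."""
    if stored.startswith("{"):
        return None
    expected = chap_response(chap_id, stored.encode(), challenge)
    return hmac.compare_digest(expected, response)

def demo():
    response = chap_response(CHAP_ID, PASSWORD, CHALLENGE)  # what the client sends
    hashed = ldap_sha(PASSWORD)
    return {
        "pap_hashed": pap_check(PASSWORD, hashed),
        "chap_hashed": chap_check(CHAP_ID, CHALLENGE, response, hashed),
        "chap_cleartext": chap_check(CHAP_ID, CHALLENGE, response, PASSWORD.decode()),
        # Feeding the stored hash in as the secret does not reproduce the response.
        "hash_as_secret": chap_response(CHAP_ID, hashed.encode(), CHALLENGE) == response,
    }

if __name__ == "__main__":
    print(demo())
```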



