Freeradius + OpenLDAP - user password problem

K. Hoercher wbhoer at
Thu Aug 3 17:56:35 CEST 2006

On 8/3/06, Stuckzor <lutemberg at> wrote:
> 1.)I have ldap in authenticate section
> 2.)AUTH-TYPE set ot LDAP in users fileand
> 3.)MUST NOT have ldap under authorize section of radiusd.conf.
> Only with this config i get access-accept with radtest (i tried all possible
> combinations of those 3). I get this message otherwise:
> "rlm_ldap: no dialupAccess attribute - access denied by default"
> And with my "working" config i get already mentioned userPassword attribute
> error. So, i'm afraid i don't even get so far, to have problems with
> password encription.

OK, I'll give it a try.

1. Going far back in this thread, you said something about using
EAP-PEAP/MSCHAP. Therefore you are _required_ to have the cleartext
password in LDAP or in the alternative an equivalent hash (nt/lm) if
you want to use that.
If so, configure your ldap instance in radius.conf accordingly AND
include it in authorize{}. This was pointed out often enough one might
think (and from people who really know, because they wrote the
software you are trying to use). Then there will be no need for
explicit setting of Auth-Type. It has been said.

2. Even if you tried something else (EAP-TTLS for example) you were
already told how to proceed and how that relates to the need for
cleartext passwords. Even then there is no need for setting Auth-Type

3. If you insist on setting Auth-Type nevertheless, you will break
other things you obviously don't know about. There is plenty of
(perhaps even a bit too overwhelming) documentation on,
in the tarball, in the example configuration, this very list, etctetc.
Believe its contents. If you think their is a fault and you are wiser
show that precisely (NOT by reasoning in generalities stemming from
false assumptions on your side).

4. Whatever you test with radtest does not relate to EAP-PEAP/MSCHAP.
Please restart your efforts with unchanged default configuration
files. Alter them step-by-step according to the information you were
already given. And, sorry, don't whip a dead horse, again, by setting

K. Hoercher

More information about the Freeradius-Users mailing list