FR + LDAP + ADS 2003 password questions
Jacob Jarick
mem.namefix at gmail.com
Mon Apr 23 13:18:47 CEST 2007
Here is a 57 KB tar.gz of my /etc/raddb folder containing all configs.
http://rapidshare.com/files/27470184/20070420_ldap_working.tar.gz.html
--
Hello, I have been reading everything I can get my hands on to resolve
this problem I'm having. The error message related to this problem is:
Attribute "User-Password" is required for authentication.
Now I have just read through "doc/rlm_ldap" again, and the 4th last
paragraph made me wonder if the current method I'm trying is
supported.
"
LDAP and Active Directory
-------------------------
Active directory does not return anything in the userPassword
attribute, unlike other LDAP servers. As a result, you cannot use
Active Directory to perform CHAP, MS-CHAP, or EAP-MD5 authentication.
You can only use PAP, and then only if you list "ldap" in the
"authenticate" section.
To do MS-CHAP against an Active Directory domain, see the comments in
radiusd.conf, about "ntlm_auth". You will need to install Samba.
"
Is it true that the only way to authenticate against Active Directory
is using ntlm_auth?
I have been specifically asked not to use the ntlm_auth method against
AD out of security concerns from having Samba installed. I can't see the
risk of having Samba installed myself if no directories are being
shared (please correct me if I'm wrong).
I have enabled anonymous LDAP searches on the ADS.
On Friday I added this line to ldap.attrmap:
"checkItem userPassword User-Password"
And it worked for that day. I came back after the weekend, copied the
configs across to my 2nd Linux machine and retried, but it failed with
the old error mentioned above. I tried on the test server and it now
fails as well with the same error (possibly the server was reset over the
weekend or something, I dunno).
My test shows that anonymous search is definitely working:
ldapsearch -h 10.1.1.11 -b 'dc=tfxschool,dc=internal' -x -LLL -s sub 'objectclass=*'
I don't have access to the machines atm (finished work for the day), but
I did notice that down the bottom of ldap.attrmap I still have these
entries, which were suggested by a thread I found on Google (same error
message). I'm wondering if these lines will be adversely affecting my
entry above and/or LDAP authentication in general.
"
checkItem LM-Password lmPassword
checkItem NT-Password ntPassword
checkItem User-Password lmPassword
"
Thanks in advance, people. I really appreciate the help I have been
getting on this mailing list.
It has been an epic struggle for me so far (learning Perl + SNMP +
Cisco was easier), but I haven't given up hope yet!
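The ldap.attrmap lines quoted above are the kind of thing a small linter can catch before the config is copied between machines. The script below is an added example, not code from the original post or from FreeRADIUS. It assumes (not stated in the post) that the FreeRADIUS 1.x attrmap format is `checkItem|replyItem <RADIUS-attribute> <LDAP-attribute>` with the RADIUS attribute first, and that Active Directory never returns userPassword, unicodePwd, lmPassword or ntPassword to an LDAP search (the doc/rlm_ldap excerpt quoted above states this for userPassword; lmPassword and ntPassword are Samba-schema attributes that AD does not populate). The sample attrmap embedded in it is constructed to mirror the lines in the post.

```python
"""Lint a FreeRADIUS 1.x ldap.attrmap for mappings that cannot work against AD.

Added example, not part of the original post or of FreeRADIUS.
Assumptions (not from the post):
  - mapping lines have the form: checkItem|replyItem <RADIUS-attr> <LDAP-attr>
  - AD never returns the password attributes listed in AD_NEVER_RETURNED
"""
import re

# LDAP attributes that Active Directory will not hand back in a search result,
# so a checkItem mapped from them can never supply a password to compare against.
AD_NEVER_RETURNED = {"userpassword", "unicodepwd", "lmpassword", "ntpassword"}

# RADIUS attribute names look like Capitalised-Hyphenated-Words; LDAP attribute
# names are usually camelCase.  Used only as a heuristic to spot swapped columns.
RADIUS_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*(-[A-Z0-9][A-Za-z0-9]*)*$")

# Constructed sample, modelled on the lines quoted in the post (line 1 is a comment).
SAMPLE_ATTRMAP = """\
# constructed sample attrmap
checkItem   $GENERIC$           radiusCheckItem
replyItem   Framed-IP-Address   radiusFramedIPAddress
checkItem   userPassword        User-Password
checkItem   LM-Password         lmPassword
checkItem   NT-Password         ntPassword
checkItem   User-Password       lmPassword
"""


def parse_attrmap(text):
    """Return (kind, first, second, lineno) per mapping line; kind is
    'checkItem', 'replyItem' or 'malformed' (then first holds the raw line)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("checkItem", "replyItem"):
            entries.append(("malformed", line, None, lineno))
            continue
        entries.append((parts[0], parts[1], parts[2], lineno))
    return entries


def lint_attrmap(text):
    """Return a list of (lineno, message) for every problem found."""
    problems = []
    seen = {}   # (kind, RADIUS attr) -> (LDAP attr, lineno) of the first mapping
    for kind, first, second, lineno in parse_attrmap(text):
        if kind == "malformed":
            problems.append((lineno, f"cannot parse: {first!r}"))
            continue
        radius_attr, ldap_attr = first, second
        # Columns swapped: first looks like an LDAP name, second like a RADIUS name.
        if not RADIUS_NAME.match(first) and RADIUS_NAME.match(second):
            problems.append((lineno, f"columns look swapped; expected "
                                     f"'{kind} {second} {first}'"))
            radius_attr, ldap_attr = second, first   # lint the intended mapping too
        # A checkItem fed from an attribute AD never returns stays empty, which is
        # exactly what "Attribute User-Password is required" complains about.
        if kind == "checkItem" and ldap_attr.lower() in AD_NEVER_RETURNED:
            problems.append((lineno, f"{ldap_attr} is never returned by AD, so "
                                     f"{radius_attr} can never be set from it"))
        key = (kind, radius_attr)
        if key in seen:
            prev_ldap, prev_line = seen[key]
            problems.append((lineno, f"{radius_attr} already mapped from "
                                     f"{prev_ldap} on line {prev_line}"))
        else:
            seen[key] = (ldap_attr, lineno)
    return problems


if __name__ == "__main__":
    for lineno, msg in lint_attrmap(SAMPLE_ATTRMAP):
        print(f"line {lineno}: {msg}")
```

Run against the constructed sample it reports the reversed columns on the userPassword line, the four password checkItems that AD can never populate, and User-Password being mapped twice. Per the doc excerpt quoted above, the route that does work for PAP against AD is to list "ldap" in the "authenticate" section (bind as the user) rather than mapping any password attribute into a check item.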