rlm_ldap: Attribute "User-Password" is required for authentication. HELP Please

Alan DeKok aland at deployingradius.com
Mon Apr 23 14:33:10 CEST 2007

Jacob Jarick wrote:
> Thanks again Alan,
> For reference the oriellys LDAP book instructs you to set "Auth-Type
> := LDAP" so thats where I got the bad reference (perhaps other people
> to).

  Yes.  There is a LOT of documentation (web pages, etc.) that say to do
the wrong thing.  It's unfortunate that the people writing those don't
read the FreeRADIUS docs first, and don't ask us to review their

> Now lets see if I understood the tables correctly.
> PAP is the only method that will support LDAP bind as user ?

  It's the other way around.  LDAP "bind as user" only works with PAP.

> When Using PAP -> LDAP will I still have to map userPassword to User-Password ?


  I've added some more code that will go into 1.1.7 && 2.0.  If the LDAP
module succeeds in retrieving a password from LDAP, it does NOT set
Auth-Type to LDAP.

> Will there be extra configuration required on free radius to make use
> of pap -> ADS ldap or will it work automatically because ldap is
> configured in the modules {} section.

  I would ask what other authentication protocols you need to support
before suggesting to set Auth-Type to LDAP.

> Wont using PAP mean plain text password from client -> cisco wap ->
> radius -> ADS server ?

  No.  802.1x uses EAP, which is NOT PAP, and which is NOT compatible
with Auth-Type = LDAP.

  Alan DeKok.
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog

More information about the Freeradius-Users mailing list