Unable to authenticate to 10.5.4 open directory

Thomas von Eyben thomasvoneyben at gmail.com
Sat Aug 30 09:13:09 CEST 2008

On Fri, Aug 29, 2008 at 11:57 PM, Ivan Kalik <tnt at kalik.net> wrote:
>>modcall: entering group MS-CHAP for request 6
>>  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>>  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>>  rlm_mschap: Told to do MS-CHAPv2 for testuser at bric.dk with NT-Password
>>  rlm_mschap: No NT-Password configured. Trying DirectoryService Authentication.
> What is the password entry for this user in ldap? Is it encrypted?
> Ivan Kalik
> Kalik Informatika ISP

The password are stored in the "default OS X Server way" for a shared domain.
This is in what Apple calls Open Directory: meaning that the LDAP
stores a pointer (aka a password slot) which references the actual
password which is stored in a database seperate from the LDAP.

Details can be found on page 41 in this document:

This mechanism is what is working "out of the box".
Earlier on I made a test environment where this worked - the
difference being the test environment was a server and an access point
communicating directly. Now - the real scenario - the server is
working in what I think is called proxy mode, the authentication
requests does not originate directly from the access point, but is
"relayed" (my best description) via the Eduroam DK top level servers.

NB.: I suspect that the LDAP is not even queried, I am not yet able to
find any clues in the logfiles indicating anything else :(

- TvE

More information about the Freeradius-Users mailing list