[Fwd: LDAP CHAP born again]

Alan DeKok aland at deployingradius.com
Tue Jul 1 09:24:37 CEST 2008


Ryan Setiawan H wrote:
>   I've researched and googled about LDAP and CHAP :D, but until now it
> still doesn't work ... here is the debug, and btw I'm using freeradius-1.1.7_2:

  If the LDAP server gives FreeRADIUS the clear-text password, then CHAP
 should work.

> rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30,
> length=48
>       User-Name = "testing"
>       CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f
> ------------cut--------------.
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter
> (uid=testing)
> rlm_ldap: checking if remote access for testing is allowed by dialupAccess
> rlm_ldap: Password header not found in password Testing1 for user testing

  And does CHAP work for this user?

> -----------cut---------------
> * As you can see, the radius module rlm_ldap can "see" the password for
> user testing; here is the next one

  Next one... what?  Next request?  Next user?

> Based on the FAQ at
> http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F,
> 
> it is possible to use CHAP with an LDAP backend,

  Yes.  It is also likely that it's much easier on 2.0.5.

> also there is a clue
> where parameters like
> password_header = "{clear}"
> password_attribute = userPassword
> password_radius_attribute = "User-Password"
> must be set.... but how?

  In the "ldap" section of radiusd.conf, where the LDAP parameters are
configured.

> I'm still trying to read the code (like rlm_chap.c) to see what
> attribute rlm_chap reads for the password that was passed by the
> ldap module, but it is so arcane and "debugging code is twice as hard as
> writing the code in the first place"

  Don't read the code.  It won't help you.

> Does anyone have a solution for this matter?

  Try installing 2.0.5 in a separate directory and configuring it.  Odds
are it will work.

  Alan DeKok.
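
Why the clear-text password matters for CHAP, as an added example that is not part of the original message and is not FreeRADIUS code: the CHAP response (RFC 2865) is MD5 over the CHAP ident, the password and the challenge, so the server can only recompute it when the directory hands back the clear-text password, with or without a "{clear}" header. The function names, the challenge bytes and the {SSHA} value are constructed for illustration.

```python
import base64
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: 1-byte ident, then MD5(ident || password || challenge)."""
    head = bytes([ident])
    return head + hashlib.md5(head + password + challenge).digest()


def strip_header(stored: str, header: str = "{clear}") -> str:
    """Remove a leading scheme header such as "{clear}" when it is present."""
    if stored.lower().startswith(header.lower()):
        return stored[len(header):]
    return stored  # no header: use the value as-is


def verify_chap(chap_password: bytes, challenge: bytes, stored: str) -> bool:
    """Recompute the response from the stored value and compare in constant time."""
    if len(chap_password) != 17:  # ident + 16-byte MD5 digest
        return False
    expected = chap_response(chap_password[0], strip_header(stored).encode(), challenge)
    return hmac.compare_digest(expected, chap_password)


def ssha(password: bytes, salt: bytes) -> str:
    """Salted SHA-1 directory value: one-way, so the password is not recoverable."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# Constructed sample data (not taken from the packet in the message above).
CHALLENGE = bytes(range(16))
REQUEST = chap_response(0x30, b"Testing1", CHALLENGE)


def demo() -> dict:
    return {
        "cleartext": verify_chap(REQUEST, CHALLENGE, "Testing1"),
        "clear_header": verify_chap(REQUEST, CHALLENGE, "{clear}Testing1"),
        "salted_hash": verify_chap(REQUEST, CHALLENGE, ssha(b"Testing1", b"salt")),
        "wrong_password": verify_chap(REQUEST, CHALLENGE, "testing1"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15} {'accept' if ok else 'reject'}")
```

The salted-hash case is rejected even though it was derived from the right password, because the verifier has nothing it can feed into the MD5 computation except the hash string itself.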



More information about the Freeradius-Users mailing list