[Fwd: LDAP CHAP born again]
Alan DeKok
aland at deployingradius.com
Tue Jul 1 09:24:37 CEST 2008
Ryan Setiawan H wrote:
> I've researched & googled about LDAP and CHAP :D, but until now it still
> doesn't work ... here is the debug, and btw I'm using freeradius-1.1.7_2:
If the LDAP server gives FreeRADIUS the clear-text password, then CHAP
should work.
> rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30,
> length=48
> User-Name = "testing"
> CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f
> ------------cut--------------.
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter
> (uid=testing)
> rlm_ldap: checking if remote access for testing is allowed by dialupAccess
> rlm_ldap: Password header not found in password Testing1 for user testing
And does CHAP work for this user?
> -----------cut---------------
> * as you can see, the radius module rlm_ldap can "see" the password for
> user testing, here is the next one
Next one... what? Next request? Next user?
> based on the faq on
> http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F,
>
> it is possible to use CHAP with an LDAP backend,
Yes. It is also likely that it's much easier on 2.0.5.
> also there is a clue
> where parameters like
> password_header = "{clear}"
> password_attribute = userPassword
> password_radius_attribute = "User-Password"
> must be set.... but how?
In the "ldap" section of radiusd.conf, where the LDAP parameters are
configured.
> I'm still trying to read the code ( like rlm_chap.c ) to see what
> attribute rlm_chap reads for the password that was passed by the
> ldap module. but it is so arcane and "debugging code is twice as hard as
> writing the code in the first place"
Don't read the code. It won't help you.
> does anyone have a solution for this matter?
Try installing 2.0.5 in a separate directory and configuring it. Odds
are it will work.
Alan DeKok.
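
Why CHAP needs the clear-text password from LDAP, shown as an added example that is not part of the original message and is not FreeRADIUS code. The function names and the challenge value are assumptions made for illustration; the header stripping is a simplified model of what `password_header` is for.

```python
import base64
import hashlib
import hmac

def strip_password_header(stored: str, header: str = "{clear}") -> str:
    """Drop a leading header such as "{clear}" if present (simplified model)."""
    if stored.lower().startswith(header.lower()):
        return stored[len(header):]
    return stored

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_chap(chap_password: bytes, challenge: bytes, stored: str) -> bool:
    """Check a RADIUS CHAP-Password value (1 ident byte + 16 response bytes)."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    secret = strip_password_header(stored).encode()
    return hmac.compare_digest(response, chap_response(ident, secret, challenge))

# Constructed sample data: the challenge is made up; ident 0x30 and the
# password "Testing1" are the values visible in the debug output above.
CHALLENGE = bytes(range(16))
CHAP_PASSWORD = bytes([0x30]) + chap_response(0x30, b"Testing1", CHALLENGE)
# What a directory holding only a hash would return (constructed {SHA} value).
HASHED = "{SHA}" + base64.b64encode(hashlib.sha1(b"Testing1").digest()).decode()

def demo() -> dict:
    return {
        "plain": verify_chap(CHAP_PASSWORD, CHALLENGE, "Testing1"),
        "with_header": verify_chap(CHAP_PASSWORD, CHALLENGE, "{clear}Testing1"),
        "hashed": verify_chap(CHAP_PASSWORD, CHALLENGE, HASHED),
    }

if __name__ == "__main__":
    print(demo())
```

The server has to recompute the MD5 over the same secret the client used, so a stored hash can never match. The CHAP-Password in the debug output cannot be checked this way because the challenge was cut from the log.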