Freeradius with OpenLDAP and AD.

tnt at kalik.net tnt at kalik.net
Tue Feb 17 15:55:15 CET 2009


>Hi, I have several problems when I would like to link freeradius with AD
>using OpenLDAP.

Look up
http://deployingradius.com/documents/configuration/active_directory.html
to see how to integrate with AD for pap and mschap/PEAP.

>When I tried to test the binding of OpenLDAP to the AD with radtest, it
>responds Access-Accept (as you can see in the log after).

Yes.

>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as
>CN=philippe,CN=Users,DC=test,DC=fr/philippe to test.fr:389
>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ...
>Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful
>Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated
>succesfully

Ldap "bind as user" works for pap requests. And nothing else. This is
documented in the ldap module configuration file.

>But when I wanted to check with a real supplicant (under WinXP with
>MD5-Challenge Auth) I got an access-reject.

EAP-MD5 authentication requires clear text password:

http://deployingradius.com/documents/protocols/compatibility.html

AD is not going to provide it via ldap. You can't use AD to authenticate
with EAP-MD5. Obtaining a reversibly encrypted password from AD is
proprietary MS stuff. You need IAS for that plus to enable reversible
passwords for your users in Remote Access Policy. If this wasn't
enabled already, reversible passwords will be created the next time a user
changes the password (i.e. all users will most likely need to enter new
passwords).

Ivan Kalik
Kalik Informatika ISP
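The distinction Ivan draws (a bind-as-user backend can verify PAP but can never verify EAP-MD5) can be shown in a few lines. This is an added illustration, not FreeRADIUS or rlm_ldap code; the directory classes, user name and password are constructed stand-ins for AD over LDAP and for a backend that can return the cleartext password.

```python
"""Why rlm_ldap "bind as user" only helps PAP, and why EAP-MD5 needs the
cleartext password on the RADIUS server side (constructed illustration)."""
import hashlib
import hmac
import os

# EAP-MD5 reuses the CHAP algorithm (RFC 3748 section 5.4, RFC 1994):
#   Response = MD5(Identifier || password || Challenge)
def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()

class BindOnlyDirectory:
    """Stands in for AD over LDAP: answers yes/no to a bind with a candidate
    password, but never hands the password out (hypothetical helper)."""
    def __init__(self, users):            # {username: password bytes}
        self._users = users
    def bind(self, username: str, candidate: bytes) -> bool:
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored, candidate)

class CleartextDirectory(BindOnlyDirectory):
    """A backend that can also return the password, e.g. userPassword stored
    in clear on OpenLDAP (hypothetical helper)."""
    def lookup(self, username: str):
        return self._users.get(username)

def authenticate_pap(directory, username: str, user_password: bytes) -> bool:
    # PAP carries the password itself, so a bind attempt is all that is needed.
    return directory.bind(username, user_password)

def authenticate_eap_md5(directory, username, identifier, challenge, response):
    """True/False when the digest can be checked; None when the backend cannot
    supply the cleartext password (the AD case), i.e. an Access-Reject."""
    password = getattr(directory, "lookup", lambda u: None)(username)
    if password is None:
        return None                       # nothing to recompute the digest from
    expected = eap_md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)

def demo():
    users = {"philippe": b"s3cret-constructed"}   # constructed sample account
    ad, ldap_clear = BindOnlyDirectory(users), CleartextDirectory(users)
    challenge = os.urandom(16)
    resp = eap_md5_response(1, users["philippe"], challenge)
    return (authenticate_pap(ad, "philippe", b"s3cret-constructed"),
            authenticate_eap_md5(ad, "philippe", 1, challenge, resp),
            authenticate_eap_md5(ldap_clear, "philippe", 1, challenge, resp))
```

Running `demo()` gives `(True, None, True)`: the bind-only backend passes PAP, cannot decide EAP-MD5 at all, and only the backend that returns the cleartext password can verify the MD5 response.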
