Connecting freeRadius to openLDAP

Eric Bourkland eric.bourkland at trustedconcepts.com
Wed Jul 22 17:54:57 CEST 2009


What would be the best solution since freeRadius currently can't get the password out of my openLDAP unless it is using PAP, it gets the password in the request via PEAP.  I would like to avoid having to tell everyone with a windows client that they need to install SecureW2.
What would be nice is if it was smart enough to receive the request in multiple formats/protocols and then translate it into multiple formats/protocols to query out to flat file/DB/LDAP or AD instead of just passing the request along.  Although there is the risk of something getting messed up with scripts converting protocols and there are probably a million different scenarios out there.  Maybe I'm missing something since I'm still new to Radius.

Is the easiest thing to do to monkey with the openLDAP schema and add some cleartext password attributes?  If I get this done, is there some place in one of the config files that I need to update to look for a particular password attribute when Radius tries to do the authentication, or does it figure it out for itself?
I have been beating my head against a wall for about a week on this and the documentation mocks me by always saying it just works.

Thanks,


----- Original Message -----
From: "Ivan Kalik" <tnt at kalik.net>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, July 21, 2009 6:51:45 PM GMT -05:00 US/Canada Eastern
Subject: Re: Connecting freeRadius to openLDAP

> See if there is a way to somehow get an inner tunnel to use ttls/pap to
> connect to the ldap server and perform authentication that way since it
> appears that PAP authentication does work.  But I don't know if there can
> be a change in crypt for the authentication from the client which uses
> MSCHAPv2/PEAP and PAP.

You can't switch from peap to eap-ttls/pap half way through. If you need
eap-ttls/pap client for Windows look at SecureW2.

> and lastly is to see if I can add NT/LM tags to my ldap server.  I haven't
> been able to find what is the best option or how to do any of the above
> just yet.

doc/examples/openldap.schema

> I thought that what I am trying to do is pretty straight forward but it
> doesn't seem to be that way.

It is. Just let the radius server know what the password is. It has a hard time
authenticating users without one.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
