Connecting freeRadius to openLDAP

Alan DeKok aland at deployingradius.com
Wed Jul 22 19:18:50 CEST 2009 

Eric Bourkland wrote:
> What would be the best solution since freeRadius currently can't get the password out of my openLDAP unless it is using PAP, it gets the password in the request via PEAP.

  PEAP doesn't work that way.  Blame Microsoft.

>  I would like to avoid having to tell everyone with a windows client that they need to install SecureW2.

  Then fix your LDAP server so that it supplies the password.  OpenLDAP
*can* do this, and it shouldn't be too hard.  See the OpenLDAP
documentation for instructions.

> What would be nice is if it was smart enough to recieve the request in multiple formats/protocols and then translate it into multiple formats/protocols to query out to flat file/DB/LDAP or AD instead of just passing the request along.

  That is completely and totally impossible.  Sorry.

http://deployingradius.com/documents/protocols/compatibility.html

>  Although there is the risk of something getting messed up with scripts converting protocols and there are probably a million different scenarios out there.  Maybe I'm missing something since I'm still new to Radius.

  It's impossible.  It's designed to be impossible by the people who
created the various protocols.

  FreeRADIUS does *everything* it can to be compatible with everything,
and to do what you say.  But some things are just impossible.

> Is the easiest thing to do is to monkey with the openLDAP schema and add some cleartext password attributes?  If I get this done is there some place in one of the config files that I need to update to look for a particular password attribute when Radius tries to do the authentication or does it figure it out for itself?

  The password should go into the userPassword field in LDAP.
FreeRADIUS will then Just Work.

> I have been beating my head against a wall for about a week on this and the documentation mocks me by always saying it just works.

  It does, if you give FreeRADIUS a password that can be used for
authentication.

  Your LDAP server isn't giving FreeRADIUS a password.  There is no
amount of playing with FreeRADIUS that will make the LDAP server give
FreeRADIUS a password.

  Fix your LDAP server.

  ALan DeKok.

More information about the Freeradius-Users mailing list