Connecting freeRadius to openLDAP

Mackey, Theral tmackey at
Wed Jul 22 19:48:46 CEST 2009

The docs do tend to gloss over the bits about how to get the needed password into your LDAP store (besides just saying cleartext or LM/NT).

First, check that the user you have set up for ldap to use has auth (not read) access to the userPassword attribute, which I think is true since you said radtest works for ldap users. That user (and really only that user, hopefully not the superuser) should also be able to read the LM/NT password fields:

    access to attrs=sambaLMPassword,sambaNTPassword
        by ssf=128 dn.exact="cn=LdapProxyUser,dc=example,dc=com" read
        by self write
        by * none

(the ssf=128 only allows access if ssl/tls is used). These fields are in the samba.schema file, which you will have to go look for (usually in the samba package), and are typically labeled sambaLMPassword and sambaNTPassword, depending on which version of that schema you get. Edit the ldap.attrmap file to match the field names; it should be obvious what to change in there, if needed.

Add the sambaSamAccount class to your users*, and once the fields are there, either use the samba password util to generate the hashes by hand (can't remember its name, smbpasswd?), use the perl Crypt::SmbHash module to build a perl script to hash them, or look in the contrib/ dir of the openldap source for the smbk5pwd module** that will autogen and sync the hashes whenever someone changes their pw (if pw changes are set to use the ldap exop).

Since you are using the Atlassian openLDAP, I'm guessing the module option is out, though you can probably recompile openLDAP from source with the module and just make sure their schemas are put in place and use a slapcat LDIF to repopulate, or create a separate LDAP tree and tell the Atlassian stuff to auth to it instead, or use Crowd...

Once LM/NT passwords are good, just turn on mschapv2 and have an SSL cert ready for it with the Windows XP v3 extensions and it should "just work" after all that ;)


* sambaSID is a required value for this schema; if you don't already have SIDs for your users (AD assigns them in Windoze land) and have no grand scheme where this is critical, something like S001-100-$uidNumber works well.
** Compiling this requires either the heimdal dev libs present during compile, or editing the makefile and src to disable the heimdal lib includes (and thus krb5 (Kerberos) hash support). This also means that, if you add the krb5 schema to ldap, you can use this module to sync your Kerberos password as well.

----- Original Message -----
Date: Wed, 22 Jul 2009 10:54:57 -0500 (CDT)
From: Eric Bourkland <eric.bourkland at>
To: tnt at, FreeRadius users mailing list <freeradius-users at>
	<10598636.13761248278097270.JavaMail.root at>
Content-Type: text/plain; charset=utf-8

What would be the best solution, since freeRadius currently can't get the password out of my openLDAP unless it is using PAP, and it gets the password in the request via PEAP?  I would like to avoid having to tell everyone with a Windows client that they need to install SecureW2.
What would be nice is if it was smart enough to receive the request in multiple formats/protocols and then translate it into multiple formats/protocols to query out to flat file/DB/LDAP or AD instead of just passing the request along.  Although there is the risk of something getting messed up with scripts converting protocols, and there are probably a million different scenarios out there.  Maybe I'm missing something since I'm still new to RADIUS.

Is the easiest thing to do to monkey with the openLDAP schema and add some cleartext password attributes?  If I get this done, is there some place in one of the config files that I need to update to look for a particular password attribute when RADIUS tries to do the authentication, or does it figure it out for itself?
I have been beating my head against a wall for about a week on this, and the documentation mocks me by always saying it just works.

More information about the Freeradius-Users mailing list