Need help Configuring Radius and Ldap

Phil Mayers p.mayers at
Mon Dec 6 16:07:26 CET 2010

On 12/06/2010 02:06 PM, James Winter wrote:
> I think I have a problem with Ldap reading the password correctly. If
> i have read correctly, it needs a clear text password....

If you want FreeRadius to extract information from LDAP, then the LDAP 
bindDN that FreeRadius uses must have the permission to read this 
information (and of course, the information must exist in LDAP)

Whether you need a plaintext password depends on what authentication 
protocols you want to use. See:

>> Secondly, the debug output you posted returns an "Access-Accept"
>> because, although the LDAP module was unable to see a userPassword
>> attribute on the LDAP entry, a later module sets the Auth-Type to
>> "ntlm_auth" and your server then obeys that.
> I shall comment this line out, and try it out today

See below

>> This is all a non-standard config, so *someone* has configured the
>> server - was it you?
> I have been working on configuring the server for a little bit now. I
> tried following several different online manuals before I consulted
> the group.

Oh dear. A lot of the online info is out-of-date or plain wrong.

If you've made a lot of changes, and you're not sure exactly what youve 
changed and why, my advice would be to start again from scratch. Restore 
the default configs, and use the following system:

  1. Check the config into version control
  2. Make ONE and ONLY ONE change
  3. Test it
  4. Goto step 1

One of the new DVCSes like git/bzr/hg are ideal for this.

The *first* change you want to make is adding a user to the "users" file

username	Cleartext-Password := "password"

Check that what you want to do works with that user. Then you can move 
onto LDAP. Keeping a dump of the debug output at each step can be handy 
too - then you can compare them.

Hope this helps.

More information about the Freeradius-Users mailing list