ldap - edirectory authentication
Robert Koskey
rkoskey at rockyview.ab.ca
Mon Dec 13 15:17:15 CET 2010
Thanks for everyone's help on this. We got it to work, now using eap-peap. We truly believe it was using mschapv2 before, but cannot prove that to ourselves. Every time something changes we learn much more than we knew before, so I guess that's a good thing.
thanks again.
robert
Robert Koskey,
Systems and Network Manager
Rocky View Schools
Telephone: 403-945-4080
Cell: 403-988-4640
>>> Alexander Clouter <alex at digriz.org.uk> 12/11/2010 4:35 AM >>>
Peter Lambrechtsen <plambrechtsen at gmail.com> wrote:
>
> On Sat, Dec 11, 2010 at 3:59 AM, Gary Gatten <Ggatten at waddell.com> wrote:
>
>> Look in the configure script, or maybe try ./configure --help. Else the
>> config options are probably listed in one of the readme's.
>
> Yes it's a configure switch when you compile FR.
>
> I would assume that since it's a version distributed with SLES (I would
> assume OpenSUSE would be the same), but can check in the srpm to make sure
> it's in there. But I would be surprised if it wasn't.
>
> The main things to be sure of are that the Universal Password policy assigned to
> your users allows admins (or a specific user) to retrieve the user's
> password, and that the service account you use to bind to eDirectory in FR
> is one of those accounts. And that you are binding over LDAPS (SSL), on port
> 636 typically. Which may require you to import the LDAP server's CA
> cert into the certificate keystore in the LDAP SSL config.
>
Am I missing something obvious? In the original post there was:
----
rlm_ldap: Added the eDirectory password 51601222 in check items as Cleartext-Password
----
We are ourselves condemned to hell too and are forced to use Novell,
but all this UP malarkey works for us just fine.
The OP obviously has already enabled universal password according to the
debugging message, a five second look at the source code also confirms
this:
https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_ldap/rlm_ldap.c#L1592
Of course I have no idea why the Cleartext-Password attribute is
disappearing after passing through authorize/ldap before it gets to
pap/chap/mschap, but I cannot see the OP's config. The problem seems not
to be a flag at compile time; it's a configuration problem.
Cheers
--
Alexander Clouter
.sigmonster says: No purchase necessary.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_____________________________________________________________________________________
This communication is intended for the use of the recipient to which it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communication received in error, or subsequent reply, should be deleted or destroyed.
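The configuration points raised in the quoted replies (service account permitted by the Universal Password policy, LDAPS on 636 with the tree CA imported, the retrieved password landing in check items as Cleartext-Password before pap/mschap run) collected into one worked configuration. This is an added example, not config from the thread or from the FreeRADIUS project; the option names are those of the 2.1.x rlm_ldap module the thread links to and should be checked against the raddb shipped with your package, and every hostname, DN, path and password below is an assumed placeholder.

```conf
# raddb/modules/ldap  (FreeRADIUS 2.1.x option names; verify against your own raddb)
ldap {
	# Assumed values: replace server, DNs, paths and password with your own.
	server = "edir.example.org"
	port = 636

	# Service account. The Universal Password policy assigned to the users
	# must allow this account to retrieve their passwords; otherwise NMAS
	# refuses and no Cleartext-Password is ever added.
	identity = "cn=radius-svc,ou=services,o=example"
	password = "changeme"
	basedn = "o=example"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	tls {
		start_tls = no                               # plain LDAPS on 636, not STARTTLS on 389
		cacertfile = /etc/raddb/certs/edir-ca.pem    # eDirectory tree CA exported from the server
		require_cert = "demand"                      # fail the bind if the server cert does not chain to that CA
	}

	# eDirectory Universal Password: fetch the password via NMAS and add it
	# to the check items as Cleartext-Password (needs a build with --with-edir).
	edir_account_policy_check = yes

	# Do not let rlm_ldap force Auth-Type := LDAP. A bind-as-user
	# authentication cannot answer an MS-CHAPv2 challenge, so with UP in
	# use the password attribute, not the bind, must do the work.
	set_auth_type = no
}

# raddb/sites-enabled/default and sites-enabled/inner-tunnel (for PEAP the
# inner-tunnel virtual server is the one that sees the MS-CHAPv2 exchange):
# only the ordering that matters is shown.
authorize {
	preprocess
	mschap                    # only sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
	suffix
	eap {
		ok = return           # outer PEAP requests stop here; inner-tunnel runs ldap/pap/mschap
	}
	ldap                      # adds Cleartext-Password from the Universal Password
	pap                       # must run AFTER ldap so it sees Cleartext-Password and sets Auth-Type := PAP
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type MS-CHAP {
		mschap                # needs Cleartext-Password (or NT-Password) in the check items
	}
	# No "Auth-Type LDAP { ldap }" for UP users: if something (users file,
	# set_auth_type, a policy) forces Auth-Type := LDAP, the module binds as
	# the user and the retrieved Cleartext-Password is never used.
	eap
}
```

Before touching FreeRADIUS, confirm the service account and CA with the OpenLDAP client alone, e.g. `LDAPTLS_CACERT=/etc/raddb/certs/edir-ca.pem ldapsearch -H ldaps://edir.example.org:636 -D "cn=radius-svc,ou=services,o=example" -W -b "o=example" "(uid=someuser)"`; a certificate or bind failure there will fail identically inside rlm_ldap. Then run `radiusd -X` and look for the "Added the eDirectory password ... in check items as Cleartext-Password" line quoted above: if it appears but pap/mschap still report no password, something between `ldap` and the authenticate section is rewriting the check items or forcing Auth-Type, which is the configuration problem Alexander points at rather than a missing compile-time flag.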