Freeradius with LDAP backend for pptpd (via MS-CHAP)
Alan DeKok
aland at deployingradius.com
Fri Jul 9 14:59:37 CEST 2010
Daniel Gomes wrote:
> Well, as I mentioned (a couple of times now), the LDAP server was indeed
> returning a password to FreeRADIUS, since radtest was always working
> fine.
No, it wasn't returning a password to FreeRADIUS. Go *read* the debug
output. It will prove this.
When using PAP, the LDAP module looks for a password. If it doesn't
get one, it then tries to do "bind as user". That is, it hands the
username && password to the LDAP server, and asks "are these OK"?
When this happens, you're making your LDAP server do user
authentication. This is wrong. LDAP is a database. RADIUS is an
authentication server.
> So the problem wasn't in the LDAP server itself, because it does
> "return a password when an LDAP client queries it for a password" (as I
> also mentioned it, we are currently and successfully using it to
> authenticate other services).
Using PAP passwords.
> The problem was really related to MS-CHAP,
> and now that I changed to PAP, it all seems to be working fine...
Yes. For the reasons outlined above.
Your situation *isn't* the first time someone has had this issue.
We're familiar with the problem && solution, where you are clearly not.
Alan DeKok.
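
An added example, not part of the original message and not FreeRADIUS code: a small model of the two lookup paths described above, showing why "bind as user" can rescue PAP but not a challenge-response method. Assumptions: `MockDirectory`, `authenticate` and the sample account are constructed for illustration, and CHAP (RFC 1994) stands in for MS-CHAP so that only the standard library is needed; in both protocols the server never receives the cleartext password.

```python
import hashlib
import hmac
import os

class MockDirectory:
    """Constructed stand-in for an LDAP server (not a real LDAP client)."""
    def __init__(self, users, password_readable):
        self.users = users                      # username -> cleartext bytes
        self.password_readable = password_readable
    def search_password(self, user):
        # What a query returns to the RADIUS service account.
        return self.users.get(user) if self.password_readable else None
    def bind(self, user, password):
        # "Are these OK?" The directory checks; the caller learns only yes/no.
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

def chap_response(ident, password, challenge):
    # RFC 1994 CHAP: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def authenticate(directory, user, req):
    known = directory.search_password(user)
    if req["type"] == "pap":
        if known is not None:
            ok = hmac.compare_digest(known, req["password"])
            return "accept: compared locally" if ok else "reject"
        ok = directory.bind(user, req["password"])   # fallback: bind as user
        return "accept: bind as user" if ok else "reject"
    # Challenge-response: the cleartext never reaches the server, so there
    # is nothing to bind with; a stored password is the only way to verify.
    if known is None:
        return "reject: no known-good password"
    expected = chap_response(req["id"], known, req["challenge"])
    ok = hmac.compare_digest(expected, req["response"])
    return "accept: compared locally" if ok else "reject"

def demo():
    users = {"alice": b"s3cret"}                # constructed sample account
    challenge = os.urandom(16)
    pap = {"type": "pap", "password": b"s3cret"}
    chap = {"type": "chap", "id": 1, "challenge": challenge,
            "response": chap_response(1, b"s3cret", challenge)}
    results = {}
    for readable in (False, True):
        d = MockDirectory(users, readable)
        results[readable] = (authenticate(d, "alice", pap), authenticate(d, "alice", chap))
    return results
```

Calling `demo()` returns the PAP and challenge-response outcomes for a directory that withholds the password and for one that returns it.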