Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes
dgomes at ipfn.ist.utl.pt
Fri Jul 9 16:01:11 CEST 2010
On 09-07-2010 13:59, Alan DeKok wrote:
> Daniel Gomes wrote:
>
>> Well, as I mentioned (a couple of times now), the LDAP server was indeed
>> returning a password to FreeRADIUS, since radtest was always working
>> fine.
>>
> No, it wasn't returning a password to FreeRADIUS. Go *read* the debug
> output. It will prove this.
>
> When using PAP, the LDAP module looks for a password. If it doesn't
> get one, it then tries to do "bind as user". That is, it hands the
> username & password to the LDAP server, and asks "are these OK"?
>
> When this happens, you're making your LDAP server do user
> authentication. This is wrong. LDAP is a database. RADIUS is an
> authentication server.
>
Ok, thanks, now I see the difference. I did read the debug output, and
again, I understood that FreeRADIUS was having problems getting the
userPassword, I just couldn't understand why. For a layman such as
myself, if it worked with radtest it followed that it should work with
MS-CHAP too. With this explanation, now I understand why it didn't.
>
>> So the problem wasn't in the LDAP server itself, because it does
>> "return a password when an LDAP client queries it for a password" (as I
>> also mentioned it, we are currently and successfully using it to
>> authenticate other services).
>>
> Using PAP passwords.
>
>
Actually these applications are probably just binding with the user's
credentials, but that's not relevant here.
>> The problem was really related to MS-CHAP,
>> and now that I changed to PAP, it all seems to be working fine...
>>
> Yes. For the reasons outlined above.
>
> Your situation *isn't* the first time someone has had this issue.
> We're familiar with the problem & solution, where you are clearly not.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
Well, it doesn't help me much if you say you know the problem and its
solution, but then don't tell me how to fix it. And I know I'm not the
first one to have these issues, I started from the beginning by saying
that I read everything I could find about it on the Internet, tried to
fix the problem many times and only then I came here, asking for help.
Sorry for wasting your time!... And btw, your aggressive attitude
doesn't really help anyone.
Anyway, after getting it to work with PAP, I followed nf-vale's solution
(adding the ntPassword and lmPassword attributes to LDAP) and now it's
also working with MS-CHAP. Thanks for the great tip!!
Cheers,
--
Daniel Gomes (SysAdmin)
dgomes at ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
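
The difference discussed in this thread, as an added example that is not part of the original message and is not FreeRADIUS code: a simplified model of why an entry that works for PAP (through the bind fallback) fails for MS-CHAP until an NT hash is stored. The function names and sample entries are hypothetical; the attribute names `userPassword` and `ntPassword` are the ones mentioned in the thread.

```python
import re

SCHEME = re.compile(r"^\{([A-Za-z0-9_-]+)\}")   # e.g. "{SSHA}..." prefix on userPassword
NT_HASH = re.compile(r"^[0-9A-Fa-f]{32}$")      # NT hash: 16 bytes written as hex

def credential_material(entry):
    """Return the kinds of "known good" password the search result contains."""
    kinds = set()
    pw = entry.get("userPassword")
    if pw:
        m = SCHEME.match(pw)
        scheme = m.group(1).upper() if m else "CLEARTEXT"
        kinds.add("cleartext" if scheme in ("CLEARTEXT", "CLEAR") else "one-way:" + scheme)
    if NT_HASH.match(entry.get("ntPassword", "")):
        kinds.add("nt-hash")
    return kinds

def decide(entry, method):
    """Model how a request can be handled for 'pap' or 'mschap'."""
    kinds = credential_material(entry)
    if method == "pap":
        # PAP carries the user's password, so any stored form can be checked;
        # with nothing returned, the fallback is the bind described in the thread.
        return "compare-locally" if kinds else "bind-as-user"
    if method == "mschap":
        # MS-CHAP carries only a challenge response: there is no password to
        # bind with, and the response can be verified only from the cleartext
        # password or the NT hash, never from a salted one-way hash.
        if kinds & {"cleartext", "nt-hash"}:
            return "verify-challenge-response"
        return "reject"
    raise ValueError("unknown method: " + method)

# Constructed sample entries (not taken from the thread's directory).
HIDDEN = {"uid": "alice"}                                   # password not readable by the search
SALTED = {"uid": "bob", "userPassword": "{SSHA}constructedValue=="}
WITH_NT = {"uid": "carol", "userPassword": "{SSHA}constructedValue==",
           "ntPassword": "0123456789ABCDEF0123456789ABCDEF"}

if __name__ == "__main__":
    for e in (HIDDEN, SALTED, WITH_NT):
        print(e["uid"], decide(e, "pap"), decide(e, "mschap"))
```
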