AW: Freeradius + LDAP password trouble

[John Dennis]

On 07/19/2010 07:01 AM, John Dennis wrote:
> On 07/19/2010 06:19 AM, Lionne Stangier wrote:
>> Alan DeKok wrote:
>>>    .. it is impossible to use PEAP with SHA passwords.
>>> http://deployingradius.com/documents/protocols/compatibility.html
>>
>> I saved the LDAP password clear-text now. It don’t work either. Same radiusd -X log as before.
>
> If it's the same log as before then you apparently have not fixed this
> problem:
>
>   >  WARNING: No "known good" password was found in LDAP.  Are you sure
> that the user is configured correctly?
>
> Please do what Alan suggested. Using the ldapsearch command line tool,
> bind exactly as the ldap module binds and perform the exact same ldap
> serach as in the log. What do you get back? If it's not the password you
> expect then that's your problem and it's an ldap issue.
>

Here are a couple of things to check which often trip folks up:

1) is the userPassword attribute defined in $RADDB/ldap.attrmap ?
By default it isn't (I've never understood why it isn't) You should have 
a line in that file which looks like this:

checkItem   Cleartext-Password      userPassword

Also, it's a good idea to understand what the ldap.attrmap is doing.

2) There may be ACL's (access control lists) set on sensitive data like 
passwords in your ldap server. Usually the default is to only return 
password attributes to the owner of the data and the administrator. If 
you do a search for your own password it will probably succeed because 
you're the owner of that password, but when freeradius does the search 
it won't succeed because it's neither the owner nor the administrator. 
That's why it's important when testing with ldapsearch to bind the same 
way as the ldap module binds. You may need to modify the password ACL on 
your ldap server to permit freeradius access to passwords.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/