AW: Freeradius + LDAP password trouble

Alan DeKok aland at
Mon Jul 19 14:25:25 CEST 2010

John Dennis wrote:
> 1) is the userPassword attribute defined in $RADDB/ldap.attrmap ?
> By default it isn't (I've never understood why it isn't)

  This goes back to 0.x.  The ldap module used to do authentication
itself, and handled passwords via C code.  In 2.1, this is deprecated.

> You should have
> a line in that file which looks like this:
> checkItem   Cleartext-Password      userPassword

  This will be in 2.2, and the old functionality will be removed.

> Also, it's a good idea to understand what the ldap.attrmap is doing.
> 2) There may be ACL's (access control lists) set on sensitive data like
> passwords in your ldap server. Usually the default is to only return
> password attributes to the owner of the data and the administrator. If
> you do a search for your own password it will probably succeed because
> you're the owner of that password, but when freeradius does the search
> it won't succeed because it's neither the owner nor the administrator.
> That's why it's important when testing with ldapsearch to bind the same
> way as the ldap module binds. You may need to modify the password ACL on
> your ldap server to permit freeradius access to passwords.

  This could be in the FAQ, or on the Wiki.

  Alan DeKok.

More information about the Freeradius-Users mailing list