May I only use rlm_ldap to authenticate against Active Directory? (without samba + winbind + ntlm_auth)

Tong Anh Quan anhquankitty at gmail.com
Mon Mar 1 10:14:09 CET 2010


Hi all,

Can someone give me a confirmation?

Details below:
- In modules/ldap, I configured:

    server = "10.128.28.3"
    identity = "cn=anonbinduser,dc=domain,dc=com"
    password = xx
    basedn = "dc=domain,dc=com"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

- In sites-enabled/inner-tunnel, I uncommented the ldap module

- In modules/pap, I changed the auto_header option to "yes".

- In eap.conf,
+ Set default_eap_type = mschapv2 in the peap section
+ Commented out the "virtual server = "inner-tunnel"" line

- Created a wpa_supplicant.conf file as follows:

network={
  scan_ssid=1
  ssid="xx"
  key_mgmt=WPA-EAP
  pairwise=TKIP
  group=TKIP
  eap=PEAP
  identity="xx"
  password="xx"
  ca_cert="/etc/radiusclient/certs/ca.pem"
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}

- Started radiusd in debug mode and tried to connect with wpa_supplicant
(wpa_supplicant -c /etc/wpa_supplicant.conf -i wlan0 -D wext -d). I got the
following errors:

Mon Mar  1 16:08:16 2010 : Info: ++[pap] returns noop
Mon Mar  1 16:08:16 2010 : Info: Found Auth-Type = EAP
Mon Mar  1 16:08:16 2010 : Info: +- entering group authenticate {...}
Mon Mar  1 16:08:16 2010 : Info: [eap] Request found, released from the list
Mon Mar  1 16:08:16 2010 : Info: [eap] EAP/mschapv2
Mon Mar  1 16:08:16 2010 : Info: [eap] processing type mschapv2
Mon Mar  1 16:08:16 2010 : Info: [mschapv2] +- entering group MS-CHAP {...}
Mon Mar  1 16:08:16 2010 : Info: [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
Mon Mar  1 16:08:16 2010 : Info: [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
Mon Mar  1 16:08:16 2010 : Info: [mschap] Told to do MS-CHAPv2 for quan.ta with NT-Password
Mon Mar  1 16:08:16 2010 : Info: [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
Mon Mar  1 16:08:16 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Mon Mar  1 16:08:16 2010 : Info: ++[mschap] returns reject
Mon Mar  1 16:08:16 2010 : Info: [eap] Freeing handler
Mon Mar  1 16:08:16 2010 : Info: ++[eap] returns reject
Mon Mar  1 16:08:16 2010 : Info: Failed to authenticate the user.
Mon Mar  1 16:08:16 2010 : Auth: Login incorrect: [quan.ta/<via Auth-Type = EAP>] (from client aironet port 0 via TLS tunnel)
} # server

From my understanding, I cannot make freeradius authenticate with AD only
with the rlm_ldap module.

PS: samba + winbind + ntlm_auth works fine.

-- 
--- Happiness is a cup of coffee and Trịnh music ---
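As an added example (not part of the original post), a small Python script that reads radiusd debug output like the one above, re-joins records that the mail client wrapped across lines, and reports which module rejected the request and whether it did so for lack of an NT-Password. The sample log below is constructed from the lines in the post.

```python
import re

# Constructed sample: radiusd debug output of the kind quoted in the post,
# including two records wrapped onto a second line by the mail client.
SAMPLE_LOG = """\
Mon Mar  1 16:08:16 2010 : Info: ++[pap] returns noop
Mon Mar  1 16:08:16 2010 : Info: Found Auth-Type = EAP
Mon Mar  1 16:08:16 2010 : Info: [eap] EAP/mschapv2
Mon Mar  1 16:08:16 2010 : Info: [mschap] No Cleartext-Password configured.
Cannot create NT-Password.
Mon Mar  1 16:08:16 2010 : Info: [mschap] FAILED: No NT/LM-Password.  Cannot
perform authentication.
Mon Mar  1 16:08:16 2010 : Info: ++[mschap] returns reject
Mon Mar  1 16:08:16 2010 : Auth: Login incorrect: [quan.ta/<via Auth-Type = EAP>] (from client aironet port 0 via TLS tunnel)
"""

# Every real record starts with a timestamp such as "Mon Mar  1 16:08:16 2010 : ".
TS_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} : ")


def unwrap(text):
    """Re-join wrapped records: a line without a timestamp prefix is a
    continuation of the previous record."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def diagnose(text):
    """Summarise the rejection: auth type, EAP method, first rejecting module,
    whether mschap complained about a missing NT/LM-Password, and the user."""
    d = {"auth_type": None, "eap_method": None, "reject_module": None,
         "missing_password": False, "user": None}
    for r in unwrap(text):
        if m := re.search(r"Found Auth-Type = (\S+)", r):
            d["auth_type"] = m.group(1)
        if m := re.search(r"\[eap\] EAP/(\S+)", r):
            d["eap_method"] = m.group(1)
        if "No NT/LM-Password" in r or "Cannot create NT-Password" in r:
            d["missing_password"] = True
        if (m := re.search(r"\+\+\[(\w+)\] returns reject", r)) and not d["reject_module"]:
            d["reject_module"] = m.group(1)
        if m := re.search(r"Login incorrect: \[([^/\]]+)", r):
            d["user"] = m.group(1)
    return d


def explain(d):
    """Turn the diagnosis into the conclusion a reader would draw from the post."""
    if d["reject_module"] == "mschap" and d["missing_password"]:
        return ("mschap had no NT-Password to verify the MS-CHAPv2 response: "
                "an LDAP search/bind cannot hand AD's password hash to rlm_ldap, "
                "so MS-CHAPv2 against AD needs ntlm_auth")
    return "rejected by %s for another reason" % d["reject_module"]
```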