Freeradius + LDAP auth

Alan DeKok aland at
Wed Nov 24 14:54:02 CET 2010

Old Eduardo wrote:
> no :(
> in debug only appears auth type Local

  Stop wasting your time.

  You have NOT configured the server correctly, and you have NOT
followed instructions on this list.

> see:
> Wed Nov 24 08:30:54 2010 : Debug: +- entering group authorize

  You've used "radiusd -Xx".  The FAQ, INSTALL, "man" page, and messages
daily on this list say to use "radiusd -X".  This should be easy to do.

> Wed Nov 24 08:30:54 2010 : Debug: rlm_ldap: LDAP attribute userpassword
> as RADIUS attribute Cleartext-Password ==
> "{SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl"

  This is wrong on many, many, levels.  The password is a SSHA password,
not a Cleartext-Password.  You've edited the "ldap.attrmap" file to add
the *wrong* information in it.

> Wed Nov 24 08:30:54 2010 : Debug: auth: type Local
> Wed Nov 24 08:30:54 2010 : Debug: auth: user supplied User-Password does
> NOT match local User-Password

  Given your broken configuration, this is to be expected.

> Wed Nov 24 08:30:54 2010 : Debug: auth: Failed to validate the user.
> Wed Nov 24 08:30:54 2010 : Auth: Login incorrect:
> [ipe-dp/\367ҿb5�?\327H6*c\244:\301\245] (from client localhost port 0)
> Wed Nov 24 08:30:54 2010 : Debug:   WARNING: Unprintable characters in
> the password.    Double-check the shared secret on the server and the NAS!

  You were told to fix this problem.  Read the error message.  It's not
hard to understand.

  Until you fix your system, authentication will *always* fail.

  The cause of the problem is simple and obvious.  Even worse, you've
been told how to fix it.  So far, you've refused to follow instructions.

  If you're not going to follow the instructions given on this list,
there is *no* reason to ask questions here.

  Alan DeKok.

More information about the Freeradius-Users mailing list