Freeradius Ldap mosule is authenticating with wrong password also
Fajar A. Nugraha
list at fajar.net
Sat Jul 23 14:29:50 CEST 2011
On Sat, Jul 23, 2011 at 1:25 PM, vijaysingh <vijay.singh at kochar.com> wrote:
> Please find below the configuration and logs :-
>
> ##################################################
> /etc/raddb/users
> ##################################################
> DEFAULT LDAP-Group == "CiscoRWL2Lr", Auth-Type := Accept
There you go. That line effectively means "if the user is member of
CiscoRWL2Lr LDAP group, then accept it". Period. No password check
whatsoever.
I'd recommend you just remove all "Auth-Type := Accept" part ...
> Reply-Message = "Welcome! You have administrative access.",
> Service-Type = NAS-Prompt-User,
> cisco-avpair = "shell:priv-lvl=15"
>
> DEFAULT LDAP-Group == "CiscoROL2Lr", Auth-Type := Accept
> Reply-Message = "Welcome! You have limited access.",
> Service-Type = NAS-Prompt-User,
> cisco-avpair = "shell:priv-lvl=1"
>
> DEFAULT Auth-Type := Reject
... and simply use that Auth-Type := Reject to reject users not in the
two LDAP groups.
But that's only half of the problem.
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure that the
> user is configured correctly?
the other half is that you're AD, which does not store plain text
password or hand out NT-hashes. For this part try reading active
directory guide on FR wiki or deployingradius.com
--
Fajar
More information about the Freeradius-Users
mailing list