Unknown Auth-Type "LDAP" in authenticate sub-section

up at 3.am up at 3.am
Fri Mar 9 23:29:25 CET 2012


> On Sat, Mar 10, 2012 at 3:23 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>> On Fri, Mar 09, 2012 at 10:59:46AM -0500, up at 3.am wrote:
>
>>> authenticate {
>>>
>>>        #Auth-Type LDAP {
>>>        redundant LDAP{
>>>                ldap1
>>>                ldap2
>>>
>>>        }
>
>
>> Using "ldap" in the authenticate section is a bit tricky, and you'd be wise
>> to avoid it if you can - if the LDAP server will "give" you the password
>> (plaintext or crypted) you're better off doing that in "authorize" and
>> letting FreeRADIUS perform the auth using rlm_pap or whatever.
>
> Yes.
>
> So to save lots of time and configuration problems: does your LDAP
> store user passwords in clear text or any "common" hash (e.g. md5,
> unix)? If yes, AND you know what the LDAP attribute is, you don't even
> need an LDAP section in authenticate.

Mostly crypt, but I've seen a few SSHA hashes.  I know the ldap attribute as
well.  Assuming those hashes are "common" enough, what do I need to do?

I should point out that I had been using:

DEFAULT		Auth-Type = Ldap

In the users file as well on the two older servers, despite docs that say that it
is "almost always wrong", but it was the only way we got it working.

I switched the conf files to the way Phil suggested and it complained about what I
was doing in the users file, so I just used the sample users file and it started
ok.  I've not been able to test authenticating against it yet.
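
The thread turns on whether the LDAP password attribute holds a "common" hash that can be checked locally instead of binding to the LDAP server. The following is an added example, not part of the original post and not FreeRADIUS code: a Python sketch of verifying a header-prefixed value such as `{SSHA}...` against a cleartext password. The function names and sample values are constructed for illustration, and `{CRYPT}` values are only recognised, not verified, because that needs the platform's crypt(3).

```python
import base64
import hashlib
import hmac
import os

# Header-prefixed schemes handled here: name -> (hash algorithm, salted?)
_SCHEMES = {"SHA": ("sha1", False), "SSHA": ("sha1", True),
            "MD5": ("md5", False), "SMD5": ("md5", True)}


def split_header(stored):
    """Split '{SCHEME}data' into (SCHEME, data); no header -> (None, stored)."""
    if stored.startswith("{") and "}" in stored:
        scheme, data = stored[1:].split("}", 1)
        return scheme.upper(), data
    return None, stored


def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(password, stored):
    """Check a cleartext password against a stored header-prefixed hash.

    Raises ValueError for headerless values and schemes not handled here
    (for example {CRYPT}, which requires crypt(3)).
    """
    scheme, data = split_header(stored)
    if scheme not in _SCHEMES:
        raise ValueError("unsupported or missing scheme: %r" % scheme)
    algo, salted = _SCHEMES[scheme]
    raw = base64.b64decode(data, validate=True)
    size = hashlib.new(algo).digest_size
    # The digest comes first; whatever follows it is the salt.
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or bool(salt) != salted:
        return False  # truncated value, or salt where none belongs
    expected = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    sample = make_ssha("s3cret", b"saltsalt")  # constructed sample entry
    print(sample, verify("s3cret", sample), verify("wrong", sample))
```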



More information about the Freeradius-Users mailing list