freeradius-3.0.1 ldap authenticate

Arran Cudbard-Bell a.cudbardb at
Wed Feb 26 11:06:32 CET 2014

On 26 Feb 2014, at 09:41, A.L.M.Buxey at wrote:

> Hi,
>>   For security, the LDAP should not return attribute userPassword to
>>   freeradius.
> if the server doesn't get a password - if using LDAP as your source, 
> then how is it supposed to authenticate the user? 

By testing the user's credentials with an LDAP bind. He hasn't indicated
he's doing anything other than PAP.

The user has always had to add Auth-Type ldap {} to the authenticate {}

If you're capable of making even the most basic of mental leaps, you 
should realise that other authentication modules are listed in
multiple places in the default server, and that, oo, look, the LDAP
module is listed in only one. And oo, it's complaining about an 
Auth-Type, oh where did I see one of those before? Oh look! lots of 
Auth-types, one for pap, one for chap, one for mschap, but I'm not doing
any of those... Shit. It's missing! I know, maybe I'll add an auth-type
for ldap too. Woohoo it works!

I agree there are some places in the server which are poorly documented
and quite obscure. But this is pretty basic stuff.

Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
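
The setup discussed in this message, as an added example that is not part of the original post or of the files FreeRADIUS ships: a virtual server fragment that authenticates PAP requests with an LDAP bind, so the directory never has to return userPassword. It assumes the LDAP module instance is named `ldap` and that requests carry User-Password.

```conf
# Added example (not from the original message).
# Assumptions: LDAP module instance is named "ldap"; clients send PAP,
# so the request contains a cleartext User-Password.

authorize {
    # Look the user up in the directory. For bind authentication the
    # service account does not need read access to userPassword.
    ldap

    # User was found and a cleartext password is present: select bind
    # authentication instead of a local password comparison.
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    # Entries for other methods stay as they are.
    Auth-Type PAP {
        pap
    }

    # The subsection the thread is about: without it the server has no
    # handler for Auth-Type LDAP and rejects the request.
    Auth-Type LDAP {
        ldap
    }
}
```

Bind authentication only works when the request carries the cleartext password (PAP, or an EAP method with inner PAP); CHAP and MS-CHAP need a stored password and cannot be checked with a bind.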
