Google LDAP integration failure
Alan DeKok
aland at deployingradius.com
Sat Feb 23 20:08:43 CET 2019
On Feb 23, 2019, at 12:58 PM, Phil Grace <phil.grace at hssd.k12.ar.us> wrote:
>
> Hi everyone, I’m brand new and having an issue that I haven’t found a clear answer to. I’m running FreeRADIUS 3.x on Ubuntu server 18.10. I have LDAP enabled to auth to Google secure LDAP. So far I’m binding to Google successfully and with the radtest command my LDAP user gets access-accept. If I do radtest with -t mschap I get access-reject.

Are you reading the "known good" password from LDAP? Or are you sending the User-Password to LDAP, and having it verify the password?

> I’m hoping that someone more experienced can point me in the right direction as to where I can fix the issue. Here’s a snippet of my log in -X mode. Thanks in advance to anyone that can help.
>
> ...
> (15) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
> (15) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password

The server didn't get the "known good" password from LDAP. So it can't do the MS-CHAP calculations.

And no, you can't pass the MS-CHAP stuff to LDAP. LDAP servers are databases. They don't implement authentication protocols like MS-CHAP.

The only solution here is to have the LDAP server return the "known good" password to FreeRADIUS.

Alan DeKok.
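
An added example, not part of the original thread and not FreeRADIUS code: a small Python script that scans `radiusd -X` debug output for the warning quoted above and reports which requests had no "known good" password available, together with the reply that was sent. Apart from the two WARNING lines taken from the post, the sample log lines are constructed, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `radiusd -X` output. The two WARNING lines are the
# ones quoted in the thread; every other line is made up for illustration.
SAMPLE_DEBUG = """\
(14) pap: User authenticated successfully
(14) Sent Access-Accept Id 10 from 127.0.0.1:1812 to 127.0.0.1:40001 length 20
(15) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(15) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(15) Sent Access-Reject Id 11 from 127.0.0.1:1812 to 127.0.0.1:40002 length 20
"""

REQ_LINE = re.compile(r"^\((\d+)\)\s+(.*)$")
NO_PASSWORD = re.compile(
    r"^(\w+): WARNING: No Cleartext-Password configured\.\s+Cannot create (\S+)")
SENT = re.compile(r"^Sent (Access-(?:Accept|Reject|Challenge))\b")


def triage(debug_text):
    """Return {request_id: {"module", "missing", "result"}} for requests
    where a module had no known-good password to derive a hash from."""
    requests = defaultdict(lambda: {"module": None, "missing": [], "result": None})
    for raw in debug_text.splitlines():
        # Tolerate "> " quote prefixes so text pasted from a mail also parses.
        m = REQ_LINE.match(raw.lstrip("> ").rstrip())
        if not m:
            continue
        req, body = int(m.group(1)), m.group(2)
        if warn := NO_PASSWORD.match(body):
            requests[req]["module"] = warn.group(1)
            requests[req]["missing"].append(warn.group(2))
        elif sent := SENT.match(body):
            requests[req]["result"] = sent.group(1)
    return {r: d for r, d in requests.items() if d["missing"]}


def report(debug_text):
    """One human-readable line per affected request."""
    return [
        f"request {req}: {d['module']} had no known-good password "
        f"(could not create {', '.join(d['missing'])}); result: {d['result'] or 'not seen'}"
        for req, d in sorted(triage(debug_text).items())
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DEBUG)))
```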