Google LDAP integration failure

Alan DeKok aland at
Sat Feb 23 20:08:43 CET 2019

On Feb 23, 2019, at 12:58 PM, Phil Grace <phil.grace at> wrote:
> Hi everyone, I’m brand new and having an issue that I haven’t found a clear answer to. I’m running free radius 3.x on ubuntu server 18.10. I have LDAP enabled to auth to google secure LDAP. So far I’m binding to google successfully and with the radtest command my LDAP user gets access-accept. If I do raddest with -t mschap I get access-reject. 

  Are you reading the "known good" password from LDAP?  Or are you seeing the User-Password to LDAP, and having it verify the password?

> I’m hoping that someone more experienced can point me in the right direction as to where I can fix the issue. Here’s a snippet of my log in -X mode. Thanks in advance to anyone that can help
> ...
> (15) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
> (15) mschap: WARNING: No Cleartext-Password configured.  Cannot create LM-Password

  The server didn't get the "known good" password from LDAP.  So it can't do the MS-CHAP calculations.

  And no, you can't pass the MS-CHAP stuff to LDAP.  LDAP servers are databases.  They don't implement authentication protocols like MS-CHAP.

  The only solution here is to have the LDAP server return the "known good" password to FreeRADIUS.

  Alan DeKok.

More information about the Freeradius-Users mailing list