Google LDAP integration failure
phil.grace at hssd.k12.ar.us
Sat Feb 23 23:04:16 CET 2019
Alan, thanks for the reply.
> On Feb 23, 2019, at 1:08 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Feb 23, 2019, at 12:58 PM, Phil Grace <phil.grace at hssd.k12.ar.us> wrote:
>> Hi everyone, I’m brand new and having an issue that I haven’t found a clear answer to. I’m running free radius 3.x on ubuntu server 18.10. I have LDAP enabled to auth to google secure LDAP. So far I’m binding to google successfully and with the radtest command my LDAP user gets access-accept. If I do raddest with -t mschap I get access-reject.
> Are you reading the "known good" password from LDAP? Or are you seeing the User-Password to LDAP, and having it verify the password?
I’m not sure, I just followed google’s provided setup guide for freeradius to work with their LDAP service.
>> I’m hoping that someone more experienced can point me in the right direction as to where I can fix the issue. Here’s a snippet of my log in -X mode. Thanks in advance to anyone that can help
>> (15) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
>> (15) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
> The server didn't get the "known good" password from LDAP. So it can't do the MS-CHAP calculations.
> And no, you can't pass the MS-CHAP stuff to LDAP. LDAP servers are databases. They don't implement authentication protocols like MS-CHAP.
> The only solution here is to have the LDAP server return the "known good" password to FreeRADIUS.
So would I just disable MS-CHAP or do something different with LDAP config to get the “known good”password. Would my issue probably be in the inner-tunnel file or the default file?
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users