Google Secure LDAP
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Jun 13 04:07:03 CEST 2019
> On Jun 12, 2019, at 10:43 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
>
>> On Jun 11, 2019, at 2:07 PM, eko at flyingtongue.io wrote:
>>
>> I'm attempting to use the Google Secure LDAP solution for authentication and authorization. I'm not able to use this with a supplicant such as a laptop/phone; radtest is working fine, which leads me to believe it's an issue of the password being hashed by mschap.
>
> You can't use MS-CHAP and Google Secure LDAP.
>
>> I understand from reading previous threads that I need to use EAP-TTLS-PAP or PEAP-GTC. How can I get freeradius to work with Google Secure LDAP? When freeradius does an ldap bind, which user attribute is it looking for? I think userPassword, but in this case I don't think it exists.
>
> https://support.google.com/a/answer/9089736?hl=en
>
> Click on "FreeRADIUS"
>
> But their instructions are wrong, because they're idiots. I submitted a bug report months ago to fix the documentation. But nothing yet.
>
> Step (4) is reasonable. Ignore step (5). Instead, edit sites-enabled/default, and in the "authorize" section, add this *before* the "pap" module.
Just to note, those instructions are for PAP authentication only, *NOT* EAP-TTLS-PAP or any form of EAP-based authentication.
As stated in my response, that should be sites-enabled/inner-tunnel. The default config routes TTLS requests via the inner-tunnel virtual server. The password won't be available in the outer tunnel virtual server.
-Arran