Freeradius 3.0.20 ldap integration
aland at deployingradius.com
Mon Dec 6 14:38:58 CET 2021
On Dec 6, 2021, at 5:34 AM, Adrian Schwab <schwab at bbs1-kl.de> wrote:
> so what i'm trying to configure is to set up a freeradius server to authorize and authenticate as user against a ldap server, so users provided in the ldap can access our wifi.
That works... if everything is set top to work.
> when the authorize with ldap is done (6) the auth-type isn't set properly, it should set it to ldap there doesn't it?
> When I tried to manually set auth-type to ldap to test the behaviour, debug ouptuts that User-Password is required,
Yes. Because LDAP is a database. FreeRADIUS is an authentication server. FreeRADIUS *should* read the passwords from the database, and then do the authentication.
In some cases, if there's a User-Password available, FreeRADIUS can do LDAP "bind as user" to check the password. But that's only possible if there's a User-Password attribute in the packet.
> the ldap user isn't able to read the ldap passwords duo to security reasons,
As in "it's so secure that users can't get onto WiFi".
> that's why I want to bind as the user which shouldn't have a problem with that does it?
FreeRADIUS can "bind as user" only if there's a User-Password available.
> Am I doing something wrong with the ldap module or anything else or do I have to have permission to read user passwords in ldap to get what I want?
Your choices are:
1) have FreeRADIUS read the passwords from LDAP
1a) passwords in clear text? All authentication methods will work
1b) passwords NOT in clear text? Only TTLS + PAP will work.
2) force FreeRADIUS to do LDAP "bind as user", in which case only TTLS + PAP will work.
More information about the Freeradius-Users