Getting Freeradius working with LLDAP
Alan DeKok
aland at deployingradius.com
Wed May 17 11:20:27 UTC 2023
On May 17, 2023, at 7:03 AM, Matthew Macdonald-Wallace <matt at doics.co> wrote:
> I'm new to Freeradius but want to get it working for our local
> hack/makerspace to ensure we can provide decent QoS on the WiFi for our
> members.
>
> My LDAP server is https://github.com/lldap/lldap and that *does not*
> expose a "plain text password" field.
Then you need to set "Auth-Type = LDAP". See the comments in sites-available/default.
> I am running Freeradius via docker and I've uploaded my config at
> https://gist.github.com/proffalken/a6213dc7266a6a9800432b3c0e1b264d
> (passwords and domains have been changed to protect the innocent!)
http://wiki.freeradius.org/list-help
All of the documentation says we need the debug output. The configuration is not helpful.
> As you can see from the log below, the LDAP lookup works, however the
> authentication request is rejected because the "Auth-Type" is not found.
Yes.
If LDAP gives FreeRADIUS a "known good" password (clear-text, salted/hashed, etc.) then FreeRADIUS can figure out how to authenticate the user.
If LDAP does not give FreeRADIUS a password, then FreeRADIUS has no idea how to authenticate the user. You MUST tell it how to authenticate the user.
> I'm sure this is an obvious fix, but I've not been able to find an
> answer in my searching!
See sites-available/default. Look for "ldap". This is documented.
> I'm using the following command to test:
>
> radtest mmw pass1234 10.x.x.5 0 testing123
>
> and this is the log:
Please post *just* the output from FreeRADIUS, without extra things added.
> -=-=-=-=-=-=-=-=-=-=
> freeradius_1 | rlm_ldap (ldap): Reserved connection (0)
> freeradius_1 | (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> freeradius_1 | (0) ldap: --> (uid=mmw)
All of those prefixes are noise, and are unhelpful.
So read sites-available/ldap. Look for "ldap". There is documentation on how (and why) to set Auth-Type LDAP.
This causes FreeRADIUS to bind to LDAP using the supplied username and password. The LDAP server can then return pass / fail to FreeRADIUS.
Alan DeKok.
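As an added illustration of the "Auth-Type = LDAP" setup the reply describes (this is not config from the original post, from LLDAP, or from the FreeRADIUS project's files; it is the relevant fragments of a stock 3.x sites-available/default with the commented-out ldap blocks uncommented): the ldap module runs in authorize to look the user up, and if the directory returned no password while the request carries a clear-text User-Password, control:Auth-Type is forced to ldap so the authenticate section binds to the directory as that user. It assumes the module instance is named "ldap" and that mods-available/ldap already has a working server, base_dn and user filter (the lookup in the posted log shows that part is fine). One caveat a practitioner will want: a bind needs the user's clear-text password, so this only works for PAP (radtest sends PAP by default, and EAP-TTLS/PAP or EAP-GTC can carry it), not for PEAP/EAP-MSCHAPv2, which never gives the server a plain-text password.

```unlang
# Added example, not code from the original post or from FreeRADIUS itself.
# Fragments of sites-available/default for "bind as the user" authentication
# against a directory (here LLDAP) that never returns a password attribute.
# Other modules normally present in these sections are omitted for brevity.

authorize {
    # Look the user up. When the entry exists the module returns
    # "ok" or "updated"; with LLDAP it cannot add a known-good password.
    -ldap

    # If the lookup succeeded, the request has a clear-text password (PAP),
    # and nothing earlier already chose an Auth-Type, make the ldap module
    # authenticate by binding to the directory as that user.
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update {
            control:Auth-Type := ldap
        }
    }

    # pap stays in authorize so a directory that *does* return a password
    # still gets the normal "known good password" handling.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }

    # The ldap module binds with User-Name / User-Password; the bind result
    # (success or failure) becomes the Access-Accept / Access-Reject.
    Auth-Type LDAP {
        ldap
    }
}
```

Restart the server in debug mode (-X) after the change and re-run the radtest from the question; the debug output will now show the request entering "Auth-Type LDAP" instead of stopping with no Auth-Type found, and that unprefixed -X output is what the list asks for when reporting further problems.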