Difficulties trying bind as user to openLDAP

[Alan DeKok]

On Mar 7, 2025, at 8:14 AM, t5elrues elrues <t5elrues at gmail.com> wrote:
> Did try multiple configurations to make it work without success.
> OpenLDAP has userPassword encrypted in SSHA1 format, which makes it
> difficult to be compatible with all available authentication methods.

  PAP is the best choice.

> I was successful on setting it with EAP-TTLS-GTC and as able to
> retrieve userPassword and validate MacOS, iOS and Android devices, but
> couldn't validate Windows devices without a 3rd party software that
> highschool doesn't want to use. EAP-TTLS-PAP was not allowing iOS
> devices to validate as they always tried to use mschapv2 with that
> configuration.

  Then the iOS device has to be updated to allow EAP-TTLS-PAP.

> So now I've been trying to do bind as user against LDAP using
> EAP-TTLS-PAP but can't manage to force (Android, iOS and MacOS)
> devices to use this configuration to validate and always try to
> default to mschapv2. Windows doesn't even try to bind to LDAP.

  You have to update the supplicant to allow EAP-TTLS-PAP.

> I can see on the debug log it uses auth-type = eap and calls submodule
> eap_ttls which I guess should be correct, but then I see a EAP NAK
> that forces to use eap_mschapv2 even though I think I've commented it
> to not be used in the configuration.

  Yes, the supplicant is saying "no" to the server request, and then is sating "I want to use EAP-MSCHAPv2".  

  Nothing you do to the server will fix this.  The only solution is to allow EAP-TTLS-PAP on the supplicant.

  Alan DeKok.