Based upon the number of people who have this working, either I am
trying to do something entirely crazed, or I am missing something very
basic!  Please bear with me. 8^)

I have an existing FreeRadius implementation that I am attempting to
migrate into our LDAP directory using FR 0.5.  I've configured the
radius server (mostly?) so that I am able to authenticate via LDAP if
I use the test account's userPassword LDAP attribute.

But when I attempt to pass the radius password through, using
radtest, instead of the LDAP password (userPassword), the server
debugging shows the ldap bind failing.

The ldap configuration section of radiusd.conf looks similar to this:

        ldap {
                server = "localhost"
                basedn = "dc=adomain,dc=com"
                filter = "(uid=%u)"
                start_tls = no
                access_attr = "dialupAccess"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
#
#       password_header, set, or not, doesn't appear to affect the results
#       of this test.
#
#                password_header = "{clear}"
#
#       The following attribute appears to be ignored with regard to
#       the attribute used to bind.
#
                password_attribute = radiusPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

The debugging output looks like this:

rlm_ldap: waiting for bind result ...
  modcall[authenticate]: module "ldap" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [testuser] (from nas local port 0)

Is this an LDAP configuration issue?  We're running the server using
OpenLDAP.  I can successfully bind using the userpassword attribute,
so the problem doesn't appear to be one of ldap server/client
compatibility issues.  Although, it should be noted that the radius
daemon is running on a host with OpenLDAP v2.x while the LDAP server
is running 1.2.x.

Thanks, in advance, for any assistance that you can provide.

                                 -rob
