> Okay, I'm not really into Win stuff... ntPassword fields seem encrypted since I
> can't "read" them with my eyes, but I think it's just a hash or something. Isn't
> it the regular way to store NT passwords?
>
> Anyway, here is my ldap section in radiusd.conf:
>
> ldap {
>         server = "192.168.1.6"
>         basedn = "ou=Users,dc=mtp,dc=epsi,dc=fr"
>         filter = "(&(objectclass=posixAccount)(uid=%u))"
>         start_tls = no
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         ldap_connections_number = 5
>         password_attribute = ntPassword   # <--- I changed this one just to try it out;
>                                           #      it was originally userPassword
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
> }
>
> And here are my slapd access rules:
>
> access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=userPassword
>         by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
>         by self write
>         by * auth
>
> access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=ntPassword
>         by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
>         by self write
>         by * auth
>
> access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=lmPassword
>         by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
>         by self write
>         by * auth
>
> If I remember well (it's been a long time since I reconfigured OpenLDAP), the
> write permission also allows read?
> Since I didn't configure any user in the ldap section of radiusd, isn't it
> supposed to log in to the ldap server with the username/password received by
> radiusd and grab the user password, which should be possible since it has write
> (read?) permission?
>
> Thanks for your help
>
> --
> Arnauld Dravet
No, you need to add a user to do the search for the user logging in. Since you
don't allow anonymous reads, you'll need to create a user with read access.

So, first change the ldap section to include something like

        # bind DN and password rlm_ldap uses when it searches for the user
        identity = "cn=freeradius,dc=mtp,dc=epsi,dc=fr"
        password = password

Then in slapd.conf add something like

        # let the freeradius bind DN read the Users subtree
        access to dn.subtree="ou=Users,dc=mtp,dc=epsi,dc=fr"
                by dn="cn=freeradius,dc=mtp,dc=epsi,dc=fr" read
                by self write
                by * auth

Then add the freeradius user to ldap

        $ ldapadd -D "cn=root,dc=mtp,dc=epsi,dc=fr" -W
        dn: cn=freeradius,dc=mtp,dc=epsi,dc=fr
        objectclass: person
        cn: freeradius
        sn: freeradius
        userpassword: password

Hope that helps

Dusty Doris

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
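An added illustration from the editor, not part of the thread and not OpenLDAP or FreeRADIUS code: a small Python model of how slapd decides an access level. The first `access to` directive whose target and attribute match is the only one consulted, within it the first matching `by` clause decides, and each level implies every lower one, so `write` does include `read` (the question asked). Feeding it the three attribute-specific rules from the question with the suggested subtree rule appended after them shows the practical catch: for `ntPassword` the `attr=ntPassword` clause matches first, so the `cn=freeradius` bind still only gets `auth` there and the search cannot return the hash; adding `by dn="cn=freeradius,..." read` to those attribute clauses gives it `read`. The bind and root DNs are the thread's; the user entry `uid=arnauld,...` is constructed, and the evaluator is simplified (no `break`/`continue`, regex `dn=` targets matched regexec-style, anonymous modelled as no bind DN).

```python
import re

# slapd access levels, lowest to highest; a grant at one level implies all lower ones
# (so a "write" grant also permits read, compare, search and auth).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def level_at_least(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)


class Rule:
    """One 'access to <target> [attrs=...] by <who> <level> ...' directive (simplified model)."""

    def __init__(self, target, by, attrs=None):
        self.target = target    # ("regex", pattern) for dn="<regex>", ("subtree", base) for dn.subtree=
        self.attrs = {a.lower() for a in attrs} if attrs else None   # None: clause covers every attribute
        self.by = by            # ordered list of (who, level); the first matching 'by' wins

    def matches(self, entry_dn, attr):
        kind, value = self.target
        if kind == "regex":
            # slapd runs regexec() on the normalized DN; an unanchored pattern matches anywhere
            if not re.search(value, entry_dn, re.IGNORECASE):
                return False
        else:  # subtree: the base itself or any DN ending in ",<base>"
            if entry_dn.lower() != value.lower() and not entry_dn.lower().endswith("," + value.lower()):
                return False
        return self.attrs is None or attr.lower() in self.attrs


def who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    _kind, dn = who           # ("dn", "<exact dn>")
    return requester_dn is not None and requester_dn.lower() == dn.lower()


def access(rules, requester_dn, entry_dn, attr):
    """Level requester_dn has on attr of entry_dn: the first 'access to' clause whose target and
    attribute match is the only one consulted; inside it the first matching 'by' decides;
    if no 'by' matches, or no clause matches at all, the result is 'none'."""
    for rule in rules:
        if rule.matches(entry_dn, attr):
            for who, level in rule.by:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"
    return "none"


ROOT = "cn=root,dc=mtp,dc=epsi,dc=fr"
FREERADIUS = "cn=freeradius,dc=mtp,dc=epsi,dc=fr"
USER = "uid=arnauld,ou=Users,dc=mtp,dc=epsi,dc=fr"   # constructed entry in the poster's Users OU


def password_rule(attr, extra_by=()):
    # The attribute-specific clauses from the question, optionally with an extra 'by' line in front
    return Rule(("regex", r".*,dc=mtp,dc=epsi,dc=fr"),
                list(extra_by) + [(("dn", ROOT), "write"), ("self", "write"), ("*", "auth")],
                attrs=[attr])


SUBTREE_RULE = Rule(("subtree", "ou=Users,dc=mtp,dc=epsi,dc=fr"),
                    [(("dn", FREERADIUS), "read"), ("self", "write"), ("*", "auth")])

# The ACL as it would end up if the reply's clause is simply appended after the existing ones
AS_POSTED = [password_rule("userPassword"), password_rule("ntPassword"),
             password_rule("lmPassword"), SUBTREE_RULE]

# Fix: grant the bind account read inside the attribute-specific clauses themselves
FIXED = [password_rule(a, [(("dn", FREERADIUS), "read")])
         for a in ("userPassword", "ntPassword", "lmPassword")] + [SUBTREE_RULE]


def can_read_ntpassword(rules, requester_dn=FREERADIUS):
    """Can the rlm_ldap bind account read the hash it needs from the user entry?"""
    return level_at_least(access(rules, requester_dn, USER, "ntPassword"), "read")


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(f"{name:9}: freeradius on ntPassword = {access(rules, FREERADIUS, USER, 'ntPassword')}, "
              f"on uid = {access(rules, FREERADIUS, USER, 'uid')}, "
              f"can read ntPassword: {can_read_ntpassword(rules)}")
```

Two things the model also makes visible: the suggested subtree rule carries no `attrs=`, so the bind account can read every attribute of every entry under `ou=Users`, where an `attrs=ntPassword,userPassword` (plus whatever the filter needs) would be the least-privilege form; and the literal `password = password` in the reply is a placeholder that should be a long random secret, since anything that can bind as that DN can pull the hashes. On the original question: the Samba `ntPassword` attribute holds the hex-encoded NT hash, an unsalted MD4 of the UTF-16LE password, which is why it looks unreadable but is not encryption; FreeRADIUS needs it in that form for MS-CHAP.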