> Okay, I'm not really into Win stuff... ntPassword fields seem encrypted since I
> can't "read" them with my eyes, but I think it's just a hash or something. Isn't
> that the regular way to store NT passwords?
>
> anyway, here is my ldap section in radiusd.conf:
>
> ldap {
>   server = "192.168.1.6"
>   basedn = "ou=Users,dc=mtp,dc=epsi,dc=fr"
>   filter = "(&(objectclass=posixAccount)(uid=%u))"
>   start_tls = no
>   dictionary_mapping = ${raddbdir}/ldap.attrmap
>   ldap_connections_number = 5
>   password_attribute = ntPassword  # <--- I changed this one just to try it out;
>                                    # it was originally userPassword
>   timeout = 4
>   timelimit = 3
>   net_timeout = 1
> }
>
>
> and here are my slapd access rules:
>
> access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=userPassword
>         by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
>         by self write
>         by * auth
>
> access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=ntPassword
>         by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
>         by self write
>         by * auth
>
> access to dn=".*,dc=mtp,dc=epsi,dc=fr" attr=lmPassword
>         by dn="cn=root,dc=mtp,dc=epsi,dc=fr" write
>         by self write
>         by * auth
>
> If I remember well (it's been a long time since I reconfigured OpenLDAP), the
> write perm also allows read?
> Since I didn't configure any user in the ldap section of radiusd, isn't it
> supposed to log in to the LDAP server with the username/passwd received by radiusd
> and grab the user password, which should be possible since it has write (read?)
> perm?
>
> Thanks for your help.
>
> --
> Arnauld Dravet
>

No, you need to add a user to do the search for the user logging in.
Since you don't allow anonymous reads, you'll need to create a user with
read access.

So, first change the ldap section to include something like
identity = "cn=freeradius,dc=mtp,dc=epsi,dc=fr"
password = password

Then in slapd.conf add something like

access to dn.subtree="ou=Users,dc=mtp,dc=epsi,dc=fr"
  by dn="cn=freeradius,dc=mtp,dc=epsi,dc=fr" read
  by self write
  by * auth


Then add the freeradius user to ldap

$ ldapadd -D "cn=root,dc=mtp,dc=epsi,dc=fr" -W
dn: cn=freeradius,dc=mtp,dc=epsi,dc=fr
objectclass: person
cn: freeradius
sn: freeradius
userpassword: password

Hope that helps

Dusty Doris



List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
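As an added illustration (not part of either message above), a small Python model of the slapd access-control semantics the reply relies on: the first matching "access to" clause is used, within it the first matching "by" clause wins, and "auth" lets a client bind against an attribute but not read it, which is why FreeRADIUS needs its own bind identity with "read". The DNs are the ones from the thread; the user entry DN and the suffix-based target matching (standing in for dn.subtree / dn.regex) are assumptions.

```python
# Added example, not from the thread: a minimal model of slapd.conf ACL evaluation
# (first matching "access to", then first matching "by"; privilege order
# none < auth < compare < search < read < write) showing why an anonymous bind
# cannot fetch ntPassword under the original ACLs while cn=freeradius can.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

# (target suffix, attribute or None for any, [(who, privilege), ...]);
# suffix matching is a simplification of dn.subtree / dn.regex.
ORIGINAL_ACL = [
    ("dc=mtp,dc=epsi,dc=fr", "userPassword",
     [("cn=root,dc=mtp,dc=epsi,dc=fr", "write"), ("self", "write"), ("*", "auth")]),
    ("dc=mtp,dc=epsi,dc=fr", "ntPassword",
     [("cn=root,dc=mtp,dc=epsi,dc=fr", "write"), ("self", "write"), ("*", "auth")]),
]
SUGGESTED_ACL = [
    ("ou=Users,dc=mtp,dc=epsi,dc=fr", None,
     [("cn=freeradius,dc=mtp,dc=epsi,dc=fr", "read"), ("self", "write"), ("*", "auth")]),
]
USER = "uid=testuser,ou=Users,dc=mtp,dc=epsi,dc=fr"   # constructed sample entry

def who_matches(who, bind_dn, target_dn):
    """Match a <by> subject; bind_dn is None for an anonymous bind."""
    if who == "*":
        return True                       # anyone, anonymous included
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return bind_dn is not None and bind_dn.lower() == who.lower()

def access_level(acl, bind_dn, target_dn, attr):
    """Privilege the bound identity gets on (target_dn, attr)."""
    for suffix, acl_attr, by_clauses in acl:
        if not target_dn.lower().endswith(suffix.lower()):
            continue
        if acl_attr is not None and acl_attr.lower() != attr.lower():
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"   # implicit trailing "by * none"
    return "none"       # implicit trailing "access to * by * none"

def can_read(acl, bind_dn, target_dn, attr):
    """write implies read; auth only permits a bind/compare, not fetching the value."""
    return LEVELS[access_level(acl, bind_dn, target_dn, attr)] >= LEVELS["read"]

if __name__ == "__main__":
    print("anonymous, original ACL:", can_read(ORIGINAL_ACL, None, USER, "ntPassword"))
    print("cn=freeradius, suggested ACL:", can_read(
        SUGGESTED_ACL, "cn=freeradius,dc=mtp,dc=epsi,dc=fr", USER, "ntPassword"))
```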
