Adam KOSA <[EMAIL PROTECTED]> wrote:
> After studying the tcpdump log between my freeradius and ldap server I
> realized that freeradius is requesting the password from ldap to
> authenticate the user.  (Turned off SSL to be able to sniff.)

  Yes.  LDAP stores passwords, and FreeRADIUS uses passwords to
authenticate Access-Request packets.

> However my ldap does not have the password, instead it acts as a proxy,
> it needs the password (in case from the radius server)

  Uh, no.

>  and makes the kerberos KDC to compare them.

  So... why not configure FreeRADIUS to do the kerberos authentication
itself?  The server comes with a kerberos module.

> Is it possible to make freeradius to _give_ password to the ldap server,
> instead of requesting it?

  If you set Auth-Type = LDAP, then Access-Request packets containing
User-Password attributes will bind to the LDAP database, and
authenticate that way.  How your LDAP server uses that password is up
to it.

  But be warned that NOTHING other than PAP will work.  CHAP, MS-CHAP,
etc.  will all fail.

> I believe that my radius has no business making decisions over one's
> password.

  Then why are you running RADIUS?

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
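
Why only PAP can be checked with an LDAP bind, as an added example (not part of the original message and not FreeRADIUS code): with PAP the server can undo the RFC 2865 User-Password hiding and obtain the cleartext to bind with, while a CHAP-Password attribute carries only an MD5 digest that can be verified only by a party that already holds the cleartext. Function names and sample values are constructed for illustration; MS-CHAP is not covered.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: how the NAS encodes User-Password."""
    blocks = max(1, -(-len(password) // 16))          # at least one 16-byte block
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: recover the cleartext it can hand to an LDAP bind."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: CHAP-Password carries only this one-way digest."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_verify(chap_id: int, response: bytes, challenge: bytes,
                stored_cleartext: bytes) -> bool:
    """Only possible when the verifier itself holds the cleartext password."""
    expected = chap_response(chap_id, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    secret, auth = b"testing123", bytes(range(16))
    password = b"correct horse battery"              # 21 bytes, spans two blocks
    wire = pap_hide(password, secret, auth)
    print("PAP: cleartext available for bind:", pap_recover(wire, secret, auth))
    digest = chap_response(7, password, b"\xaa" * 16)
    print("CHAP: server only receives", digest.hex(), "(nothing to bind with)")
    print("CHAP needs stored cleartext:", chap_verify(7, digest, b"\xaa" * 16, password))
```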
