Hi, I've a similar problem. But I stored my password in the LDAP database in clear mode. So, I don't understand why it doesn't work either.
Passwords are not crypted!!! The error is:

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for example with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 02, 2004 9:43 PM
Subject: Re: rlm_mschap: No User-Password configured. Cannot create LM-Password

> Erik Denny <[EMAIL PROTECTED]> wrote:
> > I can auth PAP requests all day long, however, I get the following error
> > when a CHAP term server requests auth.
> >
> > Thu Sep 2 13:27:40 2004 : Auth: rlm_ldap: Attribute "User-Password" is
> > required for authentication. Cannot use "CHAP-Password".
> > Thu Sep 2 11:35:47 2004 : Auth: Login incorrect: [EMAIL PROTECTED]/<CHAP-Password>]
>
> You are setting "Auth-Type := LDAP". You are setting "Auth-Type :=
> LDAP", even for CHAP requests. That's the source of the problem.
>
> This is why the server is configured by default to set "Auth-Type :=
> CHAP" for CHAP requests: because no other module can do CHAP. The
> LDAP module sets "Auth-Type = LDAP" only if it has not already been
> set.
>
> So if you're getting that error for Access-Requests containing CHAP,
> it's because you've over-ridden the default configuration, and told
> the server to NOT use the CHAP module for CHAP requests.
>
> > This is the result of a test from a term server with an account that has a
> > clear-text password.
>
> You are confusing passwords in the LDAP database with passwords in
> the Access-Request.
> Let's look at a little matrix:
>
>                       authentication data in Access-Request
>
>                       PAP                    CHAP
> passwords
> in LDAP     clear     Auth-Type := LDAP      Auth-Type := CHAP
>
>             crypt     Auth-Type := LDAP      impossible
>
>
> The fact that the "account has a clear-text password" is IRRELEVANT.
> The Access-Request has a CHAP password, and LDAP doesn't do CHAP. End
> of story. Don't force LDAP to handle CHAP requests.
>
> > Now, as far as I can see in the configs and code, we have not removed
> > anything that would break it, AND there is no "User-Password" defined in
> > the bundled schema for LDAP v3 in the doc directory.
> > (RADIUS-LDAPv3.schema) There appears to be NO conversion from "uid" to
> > "User-Name" anywhere that I can see, so how can this work out of the box?
>
> If the Access-Request contains a PAP password, then Auth-Type :=
> LDAP will work.
>
> > BTW- I don't see how you can test CHAP auth with anything other than a
> > term server- radtest/radclient don't appear to support the option?
>
> $ cat radtest | sed 's/User-Password/CHAP-Password/' > radchaptest
> $ chmod +x radchaptest
>
> And then use "radchaptest" to send CHAP requests.
>
> > > Honestly, if PAP works for a user, then MS-CHAP works, too. Trust
> > > me in this.
>
> The problem is that many people get confused between authorization
> and authentication. LDAP is a *database*, not an authentication
> server. Let LDAP store passwords, and let FreeRADIUS do
> authentication.
>
> The whole problem starts when you configure FreeRADIUS to use LDAP
> for authenticating users. Don't do that. Use LDAP to store
> clear-text passwords. LDAP doesn't do CHAP, MS-CHAP, EAP, or anything
> other than PAP. So if there isn't a User-Password attribute in the
> Access-Request packet, then setting "Auth-Type := LDAP" will ALWAYS
> FAIL.
>
> i.e. Don't list "ldap" in "authenticate". Yes, you may discover
> that some things break. This means you've probably got to set
> "Auth-Type := Local", for PAP requests.
>
> Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
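
The PAP/CHAP matrix from the quoted reply, worked through as an added example (not part of the thread and not FreeRADIUS code). CHAP per RFC 1994 sends MD5(identifier || secret || challenge), so the server has to recompute it from the clear-text password. A salted SHA-256 stands in for a crypt()-style stored hash, and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def one_way(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a crypt()-style stored hash (assumption: salted SHA-256)."""
    return hashlib.sha256(salt + password).digest()

def verify_pap(received: bytes, stored: bytes, kind: str, salt: bytes = b"") -> bool:
    """PAP delivers the clear-text password, so either storage format works."""
    candidate = received if kind == "clear" else one_way(received, salt)
    return hmac.compare_digest(candidate, stored)

def verify_chap(ident, challenge, response, stored, kind) -> bool:
    """CHAP delivers only a digest; the server recomputes it from clear text."""
    if kind != "clear":
        # A one-way hash cannot be turned back into the secret MD5 needs.
        raise ValueError("CHAP impossible: no clear-text password available")
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)

def demo() -> dict:
    password = b"s3cret-example"              # constructed sample value
    salt, challenge, ident = b"NaCl", bytes(range(16)), 7
    hashed = one_way(password, salt)
    resp = chap_response(ident, password, challenge)  # computed by the client
    results = {
        ("PAP", "clear"): verify_pap(password, password, "clear"),
        ("PAP", "crypt"): verify_pap(password, hashed, "crypt", salt),
        ("CHAP", "clear"): verify_chap(ident, challenge, resp, password, "clear"),
    }
    try:
        results[("CHAP", "crypt")] = verify_chap(ident, challenge, resp, hashed, "crypt")
    except ValueError:
        results[("CHAP", "crypt")] = False
    # Feeding the stored hash into MD5 as if it were the secret does not match.
    results["hash_as_secret"] = chap_response(ident, hashed, challenge) == resp
    return results

if __name__ == "__main__":
    for cell, ok in demo().items():
        print(cell, ok)
```
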

