The binddn configured in freeradius needs to have admin privileges to extract a password. It then binds with the userdn and extracted password. That gets a positive authentication. You also need radius-specific ldap attributes to pass the authorization phase.

We used the freeradius/eDirectory integration for over a year successfully. Download instructions from the document: How to integrate freeradius and eDirectory http://www.novell.com/coolsolutions/appnote/16745.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Mayers
Sent: Tuesday, March 04, 2008 5:19 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: 802.1x, EAP and LDAP

Mike Richardson wrote:
> On Tue, Mar 04, 2008 at 10:35:29AM +0000, Phil Mayers wrote:
>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>> modcall[authorize]: module "ldap" returns ok for request 0
>>> rlm_pap: WARNING! No "known good" password found for the user.
>>> Authentication may fail because of this.
>>> modcall[authorize]: module "pap" returns noop for request 0
>> The ldap module didn't find a password for the user, thus the PAP module
>> couldn't authenticate the user.
>>
>> I don't know enough about eDirectory to help much more; I can say that a
>> "normal" LDAP server might contain entries of the form:
>>
>> dn: cn=user,ou=....
>> cn: user
>> objectClass: top
>> objectClass: person
>> userPassword: {CRYPT}xxxxxxxx
>>
>> ...or similar, and the ldap module is smart enough to figure it out.
>>
>> As Ivan has pointed out, I suspect this line higher up is the issue:
>>
>>> rlm_ldap: No default NMAS login sequence
>> A quick read through the source code indicates the mysterious NMAS is
>> novell universal auth / password / blah.
>
> How does the PAP module attempt to do the authentication? Does it do an
> authenticated bind as the user or does it get the password variable and
> compare it to something stored?

The latter. Basically rlm_pap takes the User-Password in the request, and compares it against "the correct" password for the user. The ldap module is expected to have extracted the password from LDAP (see below).

There is another mode where PAP requests can be authenticated by rlm_ldap, using simple bind against the LDAP server - that's the

authenticate {
  Auth-Type LDAP {
    ldap
  }
}

...stuff, but you should avoid doing that if at all possible. In particular it won't support PEAP/MS-CHAP, the only really useful EAP type supported by the windows XP/vista 802.1x supplicants.

> I've tried it against openldap with the same result but I've not spent much
> time on the openldap config. I have to get this working with eDirectory
> unfortunately...

I don't know specifically what the NMAS nonsense is, but a glance at the rlm_ldap source code indicates it's a Novell-proprietary LDAP extension which the LDAP client (in this case, FreeRadius) has to call to get at the plaintext password for the user. In all probability your Novell administrators need to grant some extra permissions to the "binddn" so that it can do this - it's (obviously) a privileged operation.

Moving to OpenLDAP won't help - it doesn't support NMAS at all (I assume) so you'll just be trying to run operations against the LDAP server it doesn't support, and if you need to eventually get it working against Novell it's not time well spent anyway.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
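The "known good password" comparison that Phil describes for rlm_pap, as an added illustration that is not part of the thread or of FreeRADIUS itself: the entries, users and salt below are constructed, rlm_pap's real scheme list is longer ({CRYPT}, {NT}, {MD5}, ... are left out here), and the third function shows why a hashed userPassword is no use for PEAP/MS-CHAPv2.

```python
import base64
import hashlib
import hmac

# Constructed sample entries standing in for what rlm_ldap returns from the
# directory (not from the original thread). "dave" has no password attribute
# visible to the binddn, which is the situation in the debug output above.
def make_ssha(password: str, salt: bytes) -> str:
    return "{SSHA}" + base64.b64encode(
        hashlib.sha1(password.encode() + salt).digest() + salt).decode()

SAMPLE_ENTRIES = {
    "alice": {"userPassword": make_ssha("correct horse", b"\x01\x02\x03\x04")},
    "bob": {"userPassword": "{SHA}" + base64.b64encode(
        hashlib.sha1(b"bobpass").digest()).decode()},
    "carol": {"userPassword": "carolpass"},  # cleartext, no scheme prefix
    "dave": {},
}

def known_good_matches(stored: str, supplied: str) -> bool:
    """Compare the PAP User-Password against one stored value, by scheme prefix."""
    data = supplied.encode()
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[6:])
        digest, salt = blob[:20], blob[20:]          # SHA-1 digest, then salt
        return hmac.compare_digest(hashlib.sha1(data + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(data).digest(),
                                   base64.b64decode(stored[5:]))
    if stored.startswith("{CLEAR}"):
        return hmac.compare_digest(stored[7:].encode(), data)
    if stored.startswith("{"):
        return False  # {CRYPT}, {NT}, ... need helpers not included here
    return hmac.compare_digest(stored.encode(), data)

def pap_authenticate(user: str, supplied: str) -> str:
    """Mimic rlm_pap: 'noop' when no known-good password, else accept/reject."""
    stored = SAMPLE_ENTRIES.get(user, {}).get("userPassword")
    if stored is None:
        return "noop"  # rlm_pap: WARNING! No "known good" password found
    return "accept" if known_good_matches(stored, supplied) else "reject"

def usable_for_mschap(user: str) -> bool:
    """MS-CHAPv2 needs a cleartext (or NT-hash) password; a salted SHA cannot serve it."""
    stored = SAMPLE_ENTRIES.get(user, {}).get("userPassword")
    return stored is not None and (not stored.startswith("{")
                                   or stored.startswith("{CLEAR}"))
```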