On Nov 14 Tim Gustafson wrote:
> I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.
The easiest way to install the latest FreeRADIUS on CentOS I know of is to
visit <http://koji.fedoraproject.org/koji/packageinfo?packageID=298>, find
the latest source RPM and rebuild it. It's a small amount of work, but
will stop people saying "upgrade" a lot..
> I'm trying to figure out how to configure FreeRADIUS to authenticate
> against an OpenLDAP server using MSCHAPv2. I Googled a lot of different
> phrases, and came up with some things that were mildly helpful. Right
> now, I have FreeRADIUS authenticating against the LDAP server without
> using MSCHAPv2, but I'm not understanding how to now activate the
> MSCHAPv2 part.
I have it working. You need to check your ldap.attrmap (or whatever you've
set dictionary_mapping to) points at the right LDAP field. I use the
samba schema, so:
    checkItem NT-Password sambaNtPassword
Then your debug log should include entries like:
    rlm_ldap: sambaNtPassword -> NT-Password == 0x........
    WARNING: No "known good" password was found in LDAP. Are you sure that
    the user is configured correctly?
..but this is OK, since with "mschap" before "ldap" in your authorize{}
block, FreeRADIUS will handle the challenge-response stuff correctly for
MSCHAPv2 using the NT hash from OpenLDAP. Make sure you bind to OpenLDAP
with sufficient privilege to read the NT hash!
HTH
Matt
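
Added example (not part of the reply above, and not FreeRADIUS project code): a small Python check for the two conditions the reply names, a checkItem mapping for NT-Password in ldap.attrmap and "mschap" listed before "ldap" in authorize{}. The sample config text is constructed, and the parser assumes one module name per line inside authorize{}.

```python
import re

# Constructed samples, not taken from the original post.
SAMPLE_ATTRMAP = "checkItem\tNT-Password\tsambaNtPassword\n"
SAMPLE_AUTHORIZE = """\
authorize {
    preprocess
    ldap        # constructed mistake: ldap ahead of mschap
    mschap
    eap {
        ok = return
    }
}
"""

def nt_password_mapping(attrmap_text):
    """Return the LDAP attribute mapped to NT-Password as a checkItem, or None."""
    for line in attrmap_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:2] == ["checkItem", "NT-Password"] and len(fields) >= 3:
            return fields[2]
    return None

def authorize_modules(site_text):
    """Return the top-level module names of authorize{}, in listed order."""
    modules, depth = [], 0
    for raw in site_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth == 0:
            # Still looking for the opening line of the authorize section.
            depth = 1 if re.fullmatch(r"authorize\s*\{", line) else 0
            continue
        if depth == 1 and re.fullmatch(r"[\w.-]+(\s*\{)?", line):
            modules.append(line.rstrip("{").strip())
        depth += line.count("{") - line.count("}")
        if depth == 0:
            break
    return modules

def check(attrmap_text, site_text):
    """Return findings; an empty list means both conditions from the reply hold."""
    findings = []
    if nt_password_mapping(attrmap_text) is None:
        findings.append("no checkItem mapping for NT-Password")
    mods = authorize_modules(site_text)
    if "mschap" not in mods or "ldap" not in mods:
        findings.append("authorize{} does not list both mschap and ldap")
    elif mods.index("mschap") > mods.index("ldap"):
        findings.append("mschap is listed after ldap in authorize{}")
    return findings
```

Calling check() with the contents of your own ldap.attrmap and the file that holds authorize{} returns a list of findings, empty when both conditions hold.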