On 09-07-2010 13:59, Alan DeKok wrote:
> Daniel Gomes wrote:
>> Well, as I mentioned (a couple of times now), the LDAP server was indeed
>> returning a password to FreeRADIUS, since radtest was always working
>> fine.
>
> No, it wasn't returning a password to FreeRADIUS. Go *read* the debug
> output. It will prove this.
> When using PAP, the LDAP module looks for a password. If it doesn't
> get one, it then tries to do "bind as user". That is, it hands the
> username & password to the LDAP server, and asks "are these OK"?
> When this happens, you're making your LDAP server do user
> authentication. This is wrong. LDAP is a database. RADIUS is an
> authentication server.

Ok, thanks, now I see the difference. I did read the debug output, and
again, I understood that FreeRADIUS was having problems getting the
userPassword, I just couldn't understand why. For a layman such as
myself, if it worked with radtest it followed that it should work with
MS-CHAP too. With this explanation, now I understand why it didn't.

>> So the problem wasn't in the LDAP server itself, because it does
>> "return a password when an LDAP client queries it for a password" (as I
>> also mentioned it, we are currently and successfully using it to
>> authenticate other services).
>
> Using PAP passwords.
> Actually these applications are probably just binding with the user's
> credentials, but that's not relevant here.
>
>> The problem was really related to MS-CHAP,
>> and now that I changed to PAP, it all seems to be working fine...
>
> Yes. For the reasons outlined above.
> Your situation *isn't* the first time someone has had this issue.
> We're familiar with the problem & solution, where you are clearly not.
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Well, it doesn't help me much if you say you know the problem and its
solution, but then don't tell me how to fix it. And I know I'm not the
first one to have these issues, I started from the beginning by saying
that I read everything I could find about it on the Internet, tried to
fix the problem many times and only then I came here, asking for help.
Sorry for wasting your time!... And btw, your aggressive attitude
doesn't really help anyone.
Anyway, after getting it to work with PAP, I followed nf-vale's solution
(adding the ntPassword and lmPassword attributes to LDAP) and now it's
also working with MS-CHAP. Thanks for the great tip!!
Cheers,
--
Daniel Gomes (SysAdmin)
[email protected]
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
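
Added example, not part of the original messages and not FreeRADIUS code: a Python sketch of why the "bind as user" fallback works for PAP but not for MS-CHAP, and of the value an ntPassword attribute carries (MD4 over the UTF-16LE password). The names auth_path and nt_hash, the sample entries and the sample password are assumptions made for illustration, and the decision logic is a simplified model of the behaviour described in the thread.

```python
import struct

def _rol(v, s):
    return ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on current OpenSSL."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, additive constant, word order, shifts)
        (lambda b, c, d: (b & c) | (~b & d), 0, range(16), (3, 7, 11, 19)),
        (lambda b, c, d: (b & c) | (b & d) | (c & d), 0x5A827999,
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda b, c, d: b ^ c ^ d, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = _rol((a + fn(b, c, d) + x[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, t, b, c  # rotate registers: A,B,C,D -> D,A',B,C
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """Value an ntPassword attribute holds: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex().upper()

def auth_path(protocol: str, entry: dict) -> str:
    """Simplified model; `entry` = attributes the LDAP search returned to RADIUS."""
    if protocol == "PAP":
        # The request carries the password, so a missing attribute can fall back to a bind.
        known = "userPassword" in entry or "ntPassword" in entry
        return "local-compare" if known else "ldap-bind-as-user"
    if protocol == "MS-CHAP":
        # Only a challenge response arrives: there is no password to bind with.
        if "ntPassword" in entry:
            return "nt-hash-verify"
        pw = entry.get("userPassword", "")
        # A clear-text value can be hashed on the fly; a {SSHA}-style value cannot.
        return "nt-hash-derived" if pw and not pw.startswith("{") else "reject"
    raise ValueError(protocol)

# Constructed entries: no password returned, then with ntPassword added.
NO_PASSWORD = {"uid": "alice"}
WITH_NT_HASH = {"uid": "alice", "ntPassword": nt_hash("password")}
```

The NT hash is unsalted and is sufficient on its own to answer an MS-CHAP challenge, so the ntPassword and lmPassword attributes should be readable only by the account the RADIUS server uses for its LDAP search.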