FR + LDAP + ADS 2003 password questions
Here is a 57kb tar.gz of my /etc/raddb folder containing all configs:
http://rapidshare.com/files/27470184/20070420_ldap_working.tar.gz.html

Hello,

I have been reading everything I can get my hands on to resolve this problem I'm having. The error message related to this problem:

    Attribute User-Password is required for authentication.

Now I have just read through doc/rlm_ldap again and the 4th last paragraph made me wonder if the current method I'm trying is supported:

    LDAP and Active Directory - Active Directory does not return anything in the userPassword attribute, unlike other LDAP servers. As a result, you cannot use Active Directory to perform CHAP, MS-CHAP, or EAP-MD5 authentication. You can only use PAP, and then only if you list ldap in the authenticate section. To do MS-CHAP against an Active Directory domain, see the comments in radiusd.conf about ntlm_auth. You will need to install Samba.

Is it true that the only way to authenticate against Active Directory is using ntlm_auth?

I have been specifically asked not to use the ntlm_auth method against AD out of security concerns from having Samba installed. I can't see the risk of having Samba installed myself if no directories are being shared (please correct me if I'm wrong).

I have enabled anonymous LDAP searches on the ADS. On Friday I added this line to ldap.attrmap:

    checkItem userPassword User-Password

and it worked for that day. I came back after the weekend, copied the configs across to my 2nd Linux machine and retried, but it failed with the old error mentioned above. I tried on the test server and it now fails as well with the same error (possibly the server was reset over the weekend or something, I dunno).

My test shows that anonymous search is definitely working:

    ldapsearch -h 10.1.1.11 -b 'dc=tfxschool,dc=internal' -x -LLL -s sub 'objectclass=*'

I don't have access to the machines atm (finished work for the day), but I did notice that down the bottom of ldap.attrmap I still have these entries, which were suggested by a thread I found on Google (same error message). I'm wondering if these lines will be adversely affecting my entry above and/or LDAP authentication in general:

    checkItem LM-Password lmPassword
    checkItem NT-Password ntPassword
    checkItem User-Password lmPassword

Thanks in advance people, I really appreciate the help I have been getting on this mailing list. It has been an epic struggle for me so far (learning perl + snmp + cisco was easier) but I haven't given up hope yet!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
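The question of whether the leftover LM-Password / NT-Password / User-Password lines interfere with the mapping above them is one a small checker can answer mechanically. The script below is an added example, not code from the FreeRADIUS project or from anyone on this thread. It assumes the three-column ldap.attrmap syntax the message shows (item type, RADIUS attribute, LDAP attribute), parses a constructed sample file that reproduces the poster's lines, and reports two things: any RADIUS check attribute mapped to more than one LDAP attribute, and any checkItem line that requires the directory to return a password attribute, which, per the doc/rlm_ldap paragraph quoted above, Active Directory never does.

```python
"""Check a FreeRADIUS 1.x ldap.attrmap for conflicting password mappings.

Added example; not FreeRADIUS project code and not from the mailing list.
Assumed attrmap line format (as shown in the thread):
    <checkItem|replyItem>  <RADIUS attribute>  <LDAP attribute>
"""
import re
from collections import defaultdict

# Constructed sample: a few stock mappings, the poster's User-Password line,
# and the three lines he found elsewhere and left at the bottom of the file.
SAMPLE_ATTRMAP = """\
# Mapping of RADIUS dictionary attributes to LDAP directory attributes
checkItem   Auth-Type        radiusAuthType
checkItem   Simultaneous-Use radiusSimultaneousUse
replyItem   Service-Type     radiusServiceType
checkItem   User-Password    userPassword
checkItem   LM-Password      lmPassword
checkItem   NT-Password      ntPassword
checkItem   User-Password    lmPassword
"""

LINE_RE = re.compile(r"^\s*(checkItem|replyItem)\s+(\S+)\s+(\S+)\s*$")

# Check attributes that only work if the directory hands back a password or
# password hash. doc/rlm_ldap states Active Directory returns nothing in
# userPassword, so none of these can be satisfied by an AD server.
PASSWORD_ATTRS = {"User-Password", "LM-Password", "NT-Password"}


def parse_attrmap(text):
    """Return (entries, errors).

    entries: list of (item_type, radius_attr, ldap_attr, line_no)
    errors:  list of (line_no, raw_line) for lines that are neither blank,
             comments, nor the three-column form.
    """
    entries, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.split("#", 1)[0].strip()   # drop comments
        if not stripped:
            continue
        m = LINE_RE.match(stripped)
        if not m:
            errors.append((line_no, raw))
            continue
        item_type, radius_attr, ldap_attr = m.groups()
        entries.append((item_type, radius_attr, ldap_attr, line_no))
    return entries, errors


def find_conflicts(entries):
    """RADIUS check attributes mapped to more than one distinct LDAP attribute.

    Returns {radius_attr: [(ldap_attr, line_no), ...]} for the ambiguous ones.
    Only one LDAP attribute can feed a given check item, so the extra lines
    are at best dead and at worst shadow the mapping you intended.
    """
    seen = defaultdict(list)
    for item_type, radius_attr, ldap_attr, line_no in entries:
        if item_type == "checkItem":
            seen[radius_attr].append((ldap_attr, line_no))
    return {attr: targets for attr, targets in seen.items()
            if len({ldap for ldap, _ in targets}) > 1}


def password_mappings(entries):
    """checkItem lines that need the directory to return a password value."""
    return [(radius_attr, ldap_attr, line_no)
            for item_type, radius_attr, ldap_attr, line_no in entries
            if item_type == "checkItem" and radius_attr in PASSWORD_ATTRS]


def report(text):
    """Print findings for one attrmap text; return the parsed entries."""
    entries, errors = parse_attrmap(text)
    for line_no, raw in errors:
        print(f"line {line_no}: cannot parse: {raw!r}")
    for attr, targets in find_conflicts(entries).items():
        where = ", ".join(f"{ldap} (line {n})" for ldap, n in targets)
        print(f"{attr} is mapped to more than one LDAP attribute: {where}")
    for radius_attr, ldap_attr, line_no in password_mappings(entries):
        print(f"line {line_no}: {radius_attr} <- {ldap_attr}: requires the "
              f"server to return a password attribute; AD will not")
    return entries


if __name__ == "__main__":
    report(SAMPLE_ATTRMAP)
```

Run against a real file with `report(open("/etc/raddb/ldap.attrmap").read())`. On the sample it flags User-Password as mapped to both userPassword and lmPassword, and lists all four password-type check items as mappings an Active Directory server cannot satisfy; a line with only two columns (the shape a lost space would produce) is reported as unparseable rather than silently ignored.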
Re: FR + LDAP + ADS 2003 password questions
Jacob Jarick wrote:
> Is it true that the only way to authenticate against Active Directory is using ntlm_auth?

For MS-CHAP, yes.

> I have been specifically asked not to use the ntlm_auth method against AD out of security concerns from having Samba installed. I can't see the risk of having Samba installed myself if no directories are being shared (please correct me if I'm wrong).

Yes. You can also put firewall rules in place to block any traffic to the Samba machine.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FR + LDAP + ADS 2003 password questions
Sorry to pester u Alan :P

Does mschapv2 also support ntlm_auth? And now that I understand your tables (well, I think) I should be able to persuade my employer to use ntlm and firewall the Samba ports.

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > Is it true that the only way to authenticate against Active Directory is using ntlm_auth?
>
> For MS-CHAP, yes.
>
> > I have been specifically asked not to use the ntlm_auth method against AD out of security concerns from having Samba installed. I can't see the risk of having Samba installed myself if no directories are being shared (please correct me if I'm wrong).
>
> Yes. You can also put firewall rules in place to block any traffic to the Samba machine.
>
> Alan DeKok.
Re: FR + LDAP + ADS 2003 password questions
Jacob Jarick wrote:
> Sorry to pester u Alan :P
> Does mschapv2 also support ntlm_auth?

Yes. The mschap module does both mschapv1 and mschapv2.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FR + LDAP + ADS 2003 password questions
Thanks

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > Sorry to pester u Alan :P
> > Does mschapv2 also support ntlm_auth?
>
> Yes. The mschap module does both mschapv1 and mschapv2.
>
> Alan DeKok.