Re: FW: MS-CHAP-v2 and CHAP with different passwords in LDAP
Edvin Seferovic wrote:
> before somebody yells not again - I just wish to ask if it is possible to use MS-CHAP and CHAP authentication with a LDAP backend which contains clear-text passwords as well as NT-Password ( used for MS-CHAP ) ??? Alan - yes/no answer please :)

Read the web page: http://deployingradius.com/documents/protocols/compatibility.html

If you're doing bind as user in LDAP, read this: http://deployingradius.com/documents/protocols/oracles.html

> If positive - can somebody give me an example of attribute mapping to ldap for both ( MS-CHAP and CHAP ) to work ?

You don't do attribute mappings. See the ldap section in radiusd.conf, and look for password_attribute.

> My setup with LDAP as backend is working with a mapping of NT-Password to sambaNTPassword like this :
>
> checkItem NT-Password sambaNTPassword
>
> MS-CHAP works just fine ! For CHAP I added
>
> password_header = {clear}
> password_attribute = userPassword
> password_radius_attribute = User-Password

Where did that last line come from?

> to the LDAP module configuration. But unfortunately chap module doesn't like my clear-text password ( stored in userPassword ) for authentication :( How else can I say CHAP where to look for the clear-text password.

See the FAQ for it doesn't work.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FW: MS-CHAP-v2 and CHAP with different passwords in LDAP
> http://deployingradius.com/documents/protocols/compatibility.html

Read it !

> If you're doing bind as user in LDAP, read this:

Nope - just using LDAP as storage and accessing it with a privileged user that has R/O access to the user profiles

> You don't do attribute mappings. See the ldap section in radiusd.conf, and look for password_attribute.

Okay - did that now. MS-CHAP still working. Voila - CHAP works as well !

> > password_header = {clear}
> > password_attribute = userPassword
> > password_radius_attribute = User-Password
>
> Where did that last line come from?

http://wiki.freeradius.org/Rlm_ldap from here ! Wasn't sure if that was the right for me.

> See the FAQ for it doesn't work.

My FAQ says Find the typo and go to sleep :)

Thanks Alan ! Kind regards, E:S
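Why CHAP in this thread depends on a clear-text userPassword, as an added example (not code from either poster or from FreeRADIUS): it recomputes the RFC 1994 CHAP response from three constructed forms of a stored password. The function names, the sample password and the prefix stripping modelled on password_header = {clear} are assumptions made for illustration.

```python
import base64
import hashlib
import hmac


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def strip_header(stored: str, header: str = "{clear}") -> str:
    """Drop a storage-scheme prefix before use (this sketch matches it exactly)."""
    return stored[len(header):] if stored.startswith(header) else stored


def verify_chap(stored: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """Recompute the response from the stored value; compare in constant time."""
    secret = strip_header(stored).encode("utf-8")
    return hmac.compare_digest(chap_response(chap_id, secret, challenge), response)


# Constructed sample exchange: the client hashes its real password.
PASSWORD = "s3cret-example"
CHAP_ID = 0x2A
CHALLENGE = bytes(range(16))
CLIENT_RESPONSE = chap_response(CHAP_ID, PASSWORD.encode("utf-8"), CHALLENGE)

# Constructed directory values for the same password.
STORED_CLEAR = "{clear}" + PASSWORD  # prefixed clear text
STORED_PLAIN = PASSWORD              # bare clear text
STORED_HASHED = "{SHA}" + base64.b64encode(
    hashlib.sha1(PASSWORD.encode("utf-8")).digest()
).decode("ascii")                    # one-way hash: the password is not recoverable

if __name__ == "__main__":
    for label, stored in (("{clear} prefix", STORED_CLEAR),
                          ("bare clear text", STORED_PLAIN),
                          ("{SHA} hash", STORED_HASHED)):
        ok = verify_chap(stored, CHAP_ID, CHALLENGE, CLIENT_RESPONSE)
        print(f"{label:16} -> {'Access-Accept' if ok else 'Access-Reject'}")
```

The hashed entry is rejected because the server must feed the original password into MD5 alongside the challenge, and a one-way hash cannot supply it.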