On Mon, 7 Jan 2002, J. S. Townsley wrote:
>
> I've been reviewing the website and FAQ for CHAP and LDAP related
> discussion but can't find much.
>
> Looks like there is no support for CHAP unless you have your passwords
> stored in cleartext on the server.
>
> If I were to set up my accounts as cleartext in LDAP, is there current
> structure for authenticating those users via CHAP requests?
>
> I've seen modules for other radius servers to handle these kinds of
> requests, but not finding much for FreeRadius.
>
> Thanks much, in advance.
>
> --JST
> ___________________________________________________________
> J. S. Townsley Senior Network and Systems Engineer
> [EMAIL PROTECTED] Integrity Online
CHAP authentication with ldap works just fine.
First of all you have to store your ldap user passwords in plain text (that's a
chap protocol limitation).
Second you will have to read the doc/rlm_ldap file which outlines in detail all
the ldap module configuration options.
In general you will have to set up the password_attribute and password_header
attributes to the appropriate values. That way the ldap module will extract the
user password from the ldap database, strip out the password header and store
the password in a place where the rest of the server modules can use it for
authentication. You will also have to add rlm_chap in the authorize section of
radiusd.conf so that it can find out that we are doing chap authentication and
set up Auth-Type as appropriate.
Lastly, you will have to create a corresponding entry in the authenticate
section of radiusd.conf.
To summarize:
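radiusd.conf::

    ldap {
        [...]
        # LDAP attribute that holds the user's password
        password_attribute = userPassword
        # prefix stripped from the stored value before use
        password_header = "{clear}"
    }

    authenticate {
        [...]
        authtype CHAP {
            chap
        }
    }

    authorize {
        # ldap fetches the password, chap then sets Auth-Type
        ldap
        chap
    }
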
Hope it helps
--
kkalev
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
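
Why CHAP needs the password in cleartext, as an added example that is not part of the original message or of FreeRADIUS: per RFC 1994 the CHAP response is an MD5 hash over the identifier, the secret and the challenge, so the server can only check it if it holds the secret itself. The function names and sample values below are constructed for illustration, and the header stripping is a simplified stand-in for the step the reply describes.

```python
import hashlib
import hmac
from typing import Optional

# Same value as password_header in the ldap{} block of the reply.
PASSWORD_HEADER = "{clear}"


def strip_header(stored: str, header: str = PASSWORD_HEADER) -> Optional[str]:
    """Return the cleartext password if the stored value carries the
    cleartext header, otherwise None (e.g. a hashed userPassword)."""
    if stored.startswith(header):
        return stored[len(header):]
    return None


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier octet || secret || challenge)."""
    data = bytes([chap_id]) + password.encode("utf-8") + challenge
    return hashlib.md5(data).digest()


def verify_chap(stored: str, chap_id: int, challenge: bytes,
                response: bytes) -> bool:
    """Recompute the response from the stored password and compare.
    Fails closed when no cleartext password is available."""
    password = strip_header(stored)
    if password is None:
        return False
    expected = chap_response(chap_id, password, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample exchange (not real data).
SAMPLE_ID = 7
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_RESPONSE = chap_response(SAMPLE_ID, "s3cret", SAMPLE_CHALLENGE)

if __name__ == "__main__":
    for stored in ("{clear}s3cret", "{clear}wrong", "{SSHA}constructed-hash"):
        ok = verify_chap(stored, SAMPLE_ID, SAMPLE_CHALLENGE, SAMPLE_RESPONSE)
        print(f"{stored!r}: {'accept' if ok else 'reject'}")
```

The `{SSHA}` entry is rejected because a one-way hash of the password cannot be fed into the MD5 computation in place of the password, which is the protocol limitation the reply refers to.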