Hi! After searching the Web and this list and reading a LOT of RADIUS documentation I still can't figure out how to get this to work ...

Following setup:
- Samba 3.0 domain
- LDAP directory for centralized administration
- FreeRADIUS server
- Windows 2003 Server for RAS

The Samba accounts and everything else are stored within the LDAP directory. Now we want to remove our old NT4 server, which has been providing RAS services until now, so we decided to use Windows 2003 (don't ask, the RAS thing is just a nice side feature we want to use). The Windows 2003 RAS service allows authentication with RADIUS. So I set up a FreeRADIUS server and configured the W2K3 to use it. For testing purposes I entered my username and cleartext password in the users file and I can log in fine. But I don't want to use the users file (who would, with a nice LDAP directory at hand ;) ). So I configured LDAP into this whole thingy ... I got TLS and everything to work; LDAP access itself seems to be running nicely.

My problem: the userPassword stored in the LDAP directory is crypted (MD5) for security purposes, so this one can't be used, I guess. BUT: we have a nice sambaLMPassword and a sambaNTPassword for every user, which IMHO should be enough for RADIUS, right?

I tried this. This is how I configured the LDAP module:

--------------------------- SNIP ----------------------------
ldap {
        server = "ldap.test.com"
        identity = "uid=ldaproot"
        password = blabla
        basedn = "dc=test,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_header = ""
        password_attribute = sambaNTPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
--------------------------- SNIP ----------------------------

This fetches me the correct hash out of the directory. The server gives me this output:

--------------------------- SNIP ----------------------------
rlm_ldap: performing search in dc=test,dc=com, with filter (uid=testuser)
rlm_ldap: Added password AF70J6480BF89440F4A4591063EF3215 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user holtkamp authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 10
modcall: group authorize returns ok for request 10
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 10
rlm_mschap: doing MS-CHAPv2 with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 10
modcall: group Auth-Type returns reject for request 10
auth: Failed to validate the user.
Login incorrect: [testuser/<no User-Password attribute>] (from client w2k3-ras-server port 128 cli 192.168.0.55)
--------------------------- SNIP ----------------------------

Now WHY is the response incorrect? Any ideas what I am missing here? If you need more information just ask, I've got everything here :)

radiusd.conf
--------------------------- SNIP ----------------------------
authorize {
        preprocess
        mschap
        ldap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}
--------------------------- SNIP ----------------------------

-- 
Daniel Holtkamp
Riege Software International GmbH
System Administration
Mollsfeld 10
40670 Meerbusch, Germany
Phone: +49-2159-9148-41
mail: [EMAIL PROTECTED]
Fax: +49-2159-9148-11

--------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
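Added example (not from the post and not FreeRADIUS code): what an MS-CHAPv2 verifier computes from a stored sambaNTPassword, written in Go with only the standard library and following RFC 2759. The attribute is hex-decoded into the 16 raw hash bytes before the NT-Response is derived; the RFC 2759 section 9.2 test vector (user "User", hash 44EBBA8D5312B8D611474411F56989AE) exercises it. That the poster's "MS-CHAP2-Response is incorrect" comes from the hash being handled as text rather than raw bytes is an assumption here, not something the thread confirms.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"errors"
)

// ChallengeHash (RFC 2759 §8.2): first 8 bytes of SHA1(Peer | Auth | UserName).
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// desKey spreads 7 key bytes over 8 (7 bits each, zero parity bit; RFC 2759 §8.6).
func desKey(k7 []byte) []byte {
	var bits uint64
	for _, b := range k7 {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte(bits>>uint(49-7*i)&0x7F) << 1
	}
	return key
}

// ChallengeResponse (RFC 2759 §8.5): 16-byte NT hash zero-padded to 21 bytes = 3 DES keys.
func challengeResponse(challenge, ntHash []byte) []byte {
	padded := append(append([]byte{}, ntHash...), 0, 0, 0, 0, 0)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		c, _ := des.NewCipher(desKey(padded[i : i+7])) // key is always 8 bytes
		out := make([]byte, 8)
		c.Encrypt(out, challenge)
		resp = append(resp, out...)
	}
	return resp
}

// ntResponseFromSambaHash hex-decodes sambaNTPassword into the 16 raw hash bytes
// and runs GenerateNTResponse (RFC 2759 §8.1); the 32-character text is not the hash.
func ntResponseFromSambaHash(sambaNTPassword string, auth, peer []byte, user string) ([]byte, error) {
	ntHash, err := hex.DecodeString(sambaNTPassword)
	if err != nil || len(ntHash) != 16 {
		return nil, errors.New("sambaNTPassword must be exactly 32 hex characters")
	}
	return challengeResponse(challengeHash(peer, auth, user), ntHash), nil
}
```

The same 24-byte value is what the client puts in MS-CHAP2-Response, so a verifier that derives its copy from anything other than the raw 16 hash bytes rejects every login.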