Hi,
I would like to set freeradius up to authenticate from an LDAP directory. I can successfully authenticate a user this way from the radtest client. What I am trying to do is authenticate wireless clients (Windows XP). There is a ldap_howto.txt file but it's pretty complicated. I just wish to do a simple LDAP bind and I'm hoping this is possible. As I said, it works with the radtest client. I did read the docs but I am still confused as to how all of this is supposed to work. I know you need to bind to LDAP with a clear text password. Apparently this isn't possible with eap/peap. According to the docs you need to extract the password from LDAP first and then do the comparison instead of authenticating from LDAP. Does this mean the passwords in the LDAP directory have to be stored in plain text?


When I set the Windows XP clients up with ms-chapv2/peap I was able to authenticate from clear text passwords in the users file. I don't know much about ms-chap. Is it a one-way encryption algorithm such as MD5, or is the password sent by the Windows XP client decrypted before it is compared to the password in the users file? If this was the case I suppose it would be easy to bind to the LDAP directory. In any case I set the authenticate section of radiusd.conf per ldap_howto.conf. I'm not sure if this example is for use with eap. It looks like it is trying to authenticate directly from the LDAP directory, which I've read cannot be done.

I am running radiusd in debugging mode and it seems to be failing with the following:

rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 2
modcall: group Auth-Type returns invalid for request 2

I don't know if the "User-Password" attribute is configurable from the conf file or if I need to change/add my LDAP schemas. The attribute in the LDAP directory is actually "userPassword". I tried changing this in radiusd.conf but there was no difference in the output. I'm guessing the problem is that the password just isn't being sent in clear text so the module quits.



Any help (perhaps sample config files) would be greatly appreciated.



-Barry Stewart


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html