Thanks Dennis,
You were right and freeradius is now getting the password from the LDAP directory. It's still not authenticating so I'm looking into that now. The radius server keeps sending a challenge to the AP for some reason which simply sends another request. Back to the docs I guess. TIA for any ideas from anyone.


-Barry


Dennis Skinner wrote:

On Tue, 2004-05-25 at 17:05, Barry Stewart wrote:


It's not even trying to connect to the LDAP server. Is this something I have to configure in the users file? I stopped telling the server to authenticate via LDAP and now ethereal confirms it doesn't query the server for anything. The LDAP info is in the radiusd.conf file. What is supposed to trigger the LDAP query? You said not to try telling the server to use any Auth-Type. I've tried commenting all of this out of the Authenticate section and I've tried the default configuration. If this needs to be done in the users file per user or with a catch all I'm not finding any examples. Sorry to be a pain but I must be overlooking a fundamental config option or I'm not even looking in the right direction.



Just a guess, but you probably want to have LDAP in the Authorize section. You never want to Authenticate to LDAP, MySQL or anything else like that. Being able to do so means these users can log in *directly to the LDAP/MySQL/etc service*. That would be bad. You want to tell FreeRADIUS to use LDAP to Authorize these users (i.e. go get their username/password info from LDAP) and then FreeRADIUS will handle the Authentication properly once it has Authorized them.

I think the confirmation email to subscribe to this list should include
a requirement to understand the difference between Authenticate and
Authorize.





- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
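
The following is an added example, not part of the original thread and not FreeRADIUS code: a small Python check that reads a radiusd.conf and reports whether the `ldap` module is listed in `authorize` (where the reply suggests putting it) or in `authenticate` (where the reply advises against it). The sample configuration is constructed, the function names are hypothetical, and the parser assumes one directive per line.

```python
import re

# Constructed sample radiusd.conf fragment (not taken from the thread).
SAMPLE_CONF = """
modules {
    ldap {
        server = "ldap.example.org"
    }
}
authorize {
    preprocess
    files
    # ldap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
}
"""

def section_modules(conf, name):
    """Return bare module names listed anywhere inside top-level section `name`."""
    depth, inside, found = 0, False, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                   # a section or sub-section opens
            if depth == 0 and line[:-1].strip() == name:
                inside = True
            depth += 1
        elif line == "}":                        # a section closes
            depth -= 1
            if depth == 0:
                inside = False
        elif inside and re.fullmatch(r"[\w.-]+", line):
            found.append(line)                   # a bare module reference
    return found

def check_ldap_placement(conf):
    """Flag the two placements discussed in the thread."""
    findings = []
    if "ldap" not in section_modules(conf, "authorize"):
        findings.append("ldap missing from authorize{}: no lookup of user data in LDAP")
    if "ldap" in section_modules(conf, "authenticate"):
        findings.append("ldap listed in authenticate{}: the reply advises against this")
    return findings

print("\n".join(check_ldap_placement(SAMPLE_CONF)))
```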
