Hi Phil,

Thanks for the response.

> rlm_ldap: Adding userPassword as User-Password, value { & op=21

The line above looks wrong, but it never ends up being a problem because...

> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user joey authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0

...during authenticate...

Sure, I don't think that FDS has the radius extensions yet, although I've created an ldif to add them if needed, but in the meantime I've just commented out:
   access_attr = "dialupAccess"

because I want all my users to be able to use the VPN.

> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "joey" with password "xxxxxxxx"
> rlm_ldap: user DN: uid=joey,ou=People, dc=example,dc=net
> rlm_ldap: (re)connect to ldap.example.net:389, authentication 1
> rlm_ldap: bind as uid=joey,ou=People, dc=example,dc=net/xxxxxxxx to
> ldap.example.net:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user joey authenticated succesfully

...auth-type == LDAP and an LDAP simple bind is done to answer the PAP
request from radtest. This ONLY works with PAP because an LDAP simple
bind needs the plaintext password.

> Login OK: [joey/xxxxxxx] (from client el-oso port 0)
> Sending Access-Accept of id 116 to 172.33.100.18:32811
>
> So that tells me that I've got the communication to my LDAP server
> properly configured.
>
> However when my PPTP server sends authentication requests to my radius
> server, I always get "Login incorrect: [joey/<no User-Password
> attribute>]"

Since it's a PPTP server you are almost certainly going to be using
MS-CHAP, which requires either:

  1. The NT password hash to be in LDAP and readable by FreeRadius
  2. The plaintext password to be in LDAP and readable
  3. Samba, domain membership, winbind and the ntlm_auth plugin option for the mschap module

Well, I'm not using windows systems at all - I've got OSX clients and a linux-based PPTP server. The passwords are stored as SSHA in my LDAP directory. That finally makes sense as to why radtest works, so thanks! My next question is, what Auth-Type should I be using for SSHAs stored in an LDAP directory? Clearly LDAP isn't going to be it if it doesn't support decrypting passwords, and I don't wish to store passwords in plain text in the directory.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
