freeradius-1.1.3-1.2.el5 LDAP authentication (OpenLDAP)
I have it mostly working now, but I do get failures if a user has the Windows Domain set to any value at all, which of course means that the authentication is passed as DOMAIN\user. I want it to strip out the DOMAIN\ part and just keep the user, so Windows laptops would just automatically authenticate the currently logged in user. Not sure this is necessary, but this is the debug of what is happening...

rlm_ldap: - authorize
rlm_ldap: performing user authorization for MyOrg\craigwhite
radius_xlat: '(uid=MyOrg\5c\5ccraigwhite)'
radius_xlat: 'ou=People,ou=Accounts,o=MyOrg,c=US'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as cn=admin,o=MyOrg,c=US/pass to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with filter (uid=MyOrg\5c\5ccraigwhite)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
rlm_mschap: Told to do MS-CHAPv2 for MyOrg\craigwhite with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 0
modcall: leaving group MS-CHAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: User not found): [MyOrg\\craigwhite/<no User-Password attribute>] (from client RRAS port 11 cli 68.231.14.75)
Delaying request 0 for 1 seconds
Finished request 0

I have tried it with ntdomain_hack enabled, but the outcome is the same. If I don't include the Domain, I get authenticated no problem, so I figure all I need/want is to strip the user name out.

Craig

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
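The debug above shows two separate consequences of the DOMAIN\ prefix: the LDAP filter becomes (uid=MyOrg\5c\5ccraigwhite) and matches nothing, and rlm_mschap then has no NT-Password to check the MS-CHAPv2 response against. The following is an added example configuration, not part of the original post and not FreeRADIUS's own shipped config, showing how a FreeRADIUS 1.1.x setup is usually arranged so that rlm_realm strips the prefix before the LDAP lookup and rlm_mschap ignores it when verifying the response. The realm name MyOrg, the bind DN and the base DN are taken from the debug output; the bind password, the sambaNTPassword attribute name and the module ordering are assumptions about the poster's setup.

```conf
# Added example (not from the original post or the FreeRADIUS project):
# FreeRADIUS 1.1.x configuration that strips a "DOMAIN\" prefix before the
# LDAP lookup and lets rlm_mschap ignore it during the MS-CHAPv2 check.
# "MyOrg" and the LDAP DNs come from the posted debug output; the bind
# password, the NT hash attribute name and the section layout are assumed.

# --- radiusd.conf, modules section -------------------------------------
modules {
    # rlm_realm instance: split "MyOrg\craigwhite" at the backslash prefix,
    # setting Stripped-User-Name = "craigwhite" and Realm = "MyOrg".
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = yes
    }

    ldap {
        server = "localhost"
        identity = "cn=admin,o=MyOrg,c=US"
        password = "CHANGE-ME"      # placeholder, not the real bind password
        basedn = "ou=People,ou=Accounts,o=MyOrg,c=US"
        # Use the stripped name when rlm_realm produced one, otherwise the
        # raw User-Name. Gives (uid=craigwhite) instead of the failing
        # (uid=MyOrg\5c\5ccraigwhite) seen in the debug output.
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # MS-CHAPv2 cannot be verified from a hashed userPassword; the LDAP
        # entry must expose an NT hash that ldap.attrmap maps to NT-Password,
        # e.g. (assumed Samba attribute name):
        #   checkItem  NT-Password  sambaNTPassword
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }

    mschap {
        # MS-CHAPv2 mixes the user name into the challenge hash, so mschap
        # must also drop the "MyOrg\" prefix; with the LDAP lookup alone
        # the response check would still fail.
        with_ntdomain_hack = yes
        authtype = MS-CHAP
    }
}

# --- radiusd.conf, authorize / authenticate sections --------------------
authorize {
    preprocess
    ntdomain    # must run before ldap so Stripped-User-Name already exists
    mschap
    ldap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}

# --- proxy.conf ----------------------------------------------------------
# Declare MyOrg as a locally handled realm. Without a matching realm entry
# rlm_realm has nothing to act on and leaves User-Name untouched.
realm MyOrg {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}
```

With this in place, `radiusd -X` should show `rlm_realm: Found realm "MyOrg"` followed by a filter of `(uid=craigwhite)`, and the "NT Domain delimeter found" hint from rlm_mschap disappears. If the LDAP search succeeds but mschap still reports "No NT/LM-Password", the attrmap line for the NT hash attribute is the next thing to verify.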