> Hi, I have several problems when I would like to link freeradius with AD
> using OpenLDAP.

Look up http://deployingradius.com/documents/configuration/active_directory.html to see how to integrate with AD for pap and mschap/PEAP.

> When I tried to test the binding of OpenLDAP to the AD with radtest, it
> responds Access-Accept (as you can see in the log after).

Yes.

> Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as
> CN=philippe,CN=Users,DC=test,DC=fr/philippe to test.fr:389
> Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ...
> Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful
> Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated
> succesfully

Ldap "bind as user" works for pap requests. And nothing else. This is documented in the ldap module configuration file.

> But when I wanted to check with a real supplicant (under WinXP with
> MD5-Challenge Auth) I got an access-reject.

EAP-MD5 authentication requires a clear text password: http://deployingradius.com/documents/protocols/compatibility.html
AD is not going to provide it via ldap. You can't use AD to authenticate with EAP-MD5. Obtaining a reversibly encrypted password from AD is proprietary MS stuff. You need IAS for that, plus to enable reversible passwords for your users in Remote Access Policy. If this wasn't enabled already, reversible passwords will be created the next time a user changes the password (i.e. all users will most likely need to enter new passwords).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
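The point in the reply above, that an LDAP "bind as user" can check PAP but cannot check EAP-MD5, comes down to what each method puts on the wire. The following is an added example written for this page; it is not FreeRADIUS code and not from the poster or the list. It models two backends (a store that can return the cleartext password, and an AD-style directory that only answers a simple bind) and a minimal authenticator that decides PAP and EAP-MD5 the way a RADIUS server has to. The account name, password and challenge are constructed; the EAP-MD5 digest formula is the one from RFC 3748 section 5.4 (MD5 over identifier, secret and challenge, as in CHAP).

```python
import hashlib
import hmac
import os

# Constructed example: account names, passwords and challenges are made up.


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 s.5.4, same construction as CHAP in RFC 1994):
    Response = MD5(Identifier || Secret || Challenge). The Secret is the
    cleartext password, so whoever verifies this must hold the cleartext."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class CleartextStore:
    """Backend that can hand the RADIUS server the cleartext password, e.g. a
    'users' file entry with Cleartext-Password, or an LDAP userPassword
    attribute stored in the clear."""
    def __init__(self, accounts):
        self._accounts = dict(accounts)

    def cleartext(self, user):
        return self._accounts.get(user)

    def bind(self, user, password):
        stored = self._accounts.get(user)
        return stored is not None and hmac.compare_digest(stored, password)


class BindOnlyDirectory:
    """Models Active Directory reached over LDAP: a simple bind answers yes/no
    to (user, cleartext password), but the password itself, or any reversible
    form of it, is never returned to the RADIUS server."""
    def __init__(self, accounts):
        self._accounts = dict(accounts)   # held inside the directory only

    def cleartext(self, user):
        return None                        # AD will not give it up over LDAP

    def bind(self, user, password):
        stored = self._accounts.get(user)
        return stored is not None and hmac.compare_digest(stored, password)


# What the supplicant sends in each case (RADIUS/EAP framing omitted).
def pap_request(user, password):
    # PAP: the cleartext password travels in the request (RADIUS hides it
    # with the shared secret, but the server recovers it).
    return {"type": "PAP", "user": user, "password": password}


def eap_md5_request(user, password, identifier, challenge):
    # EAP-MD5: the supplicant keeps the password; only the 16-byte digest is sent.
    return {"type": "EAP-MD5", "user": user, "id": identifier,
            "challenge": challenge,
            "response": eap_md5_response(identifier, password, challenge)}


def authenticate(request, backend):
    """Return (accepted, reason), deciding the way a RADIUS server must."""
    user = request["user"]
    if request["type"] == "PAP":
        # The cleartext is in hand, so "bind as user" is sufficient.
        ok = backend.bind(user, request["password"])
        return ok, ("bind succeeded" if ok else "bind failed")
    if request["type"] == "EAP-MD5":
        secret = backend.cleartext(user)
        if secret is None:
            # The reject the poster saw: the server holds a digest from the
            # client and has no cleartext with which to recompute it. Binding
            # with the digest bytes would be meaningless.
            return False, "no Cleartext-Password available for EAP-MD5"
        expected = eap_md5_response(request["id"], secret, request["challenge"])
        ok = hmac.compare_digest(expected, request["response"])
        return ok, ("digest matched" if ok else "digest mismatch")
    raise ValueError("unsupported authentication type")


if __name__ == "__main__":
    accounts = {"philippe": b"s3cret-pw"}
    ad, local = BindOnlyDirectory(accounts), CleartextStore(accounts)
    chal = os.urandom(16)
    print(authenticate(pap_request("philippe", b"s3cret-pw"), ad))                # (True, 'bind succeeded')
    print(authenticate(eap_md5_request("philippe", b"s3cret-pw", 1, chal), ad))    # (False, 'no Cleartext-Password ...')
    print(authenticate(eap_md5_request("philippe", b"s3cret-pw", 1, chal), local)) # (True, 'digest matched')
```

The same asymmetry applies to any challenge/response method the server has to verify itself: once the client sends a hash instead of a password, a yes/no bind oracle is no longer usable, and the server needs either the cleartext or a hash form the method can be computed from (which is why MS-CHAP against AD is done through ntlm_auth rather than an LDAP bind, per the first link above).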