ahaenggli / AzureAD-LDAP-wrapper

LDAP-Wrapper for 'microsoft 365' work or school accounts/users (former 'office 365' - via Entra ID, former AzureAD without AADDS)
https://ahaenggli.github.io/AzureAD-LDAP-wrapper/
MIT License

Issue with freeradius #80

Closed. arctus closed this 5 months ago

arctus commented 5 months ago

I am trying to configure this to work with the freeradius-ldap Docker container and I can't seem to make it work. I receive these kinds of errors:

WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute
WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)

as well as:

WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
WARNING: pap : Authentication will fail unless a "known good" password is available

or:

WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password
WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password

Anything I need to change to reconfigure?

ahaenggli commented 5 months ago

Did you possibly use a user from Entra for freeradius-ldap in its config instead of a wrapper admin user (env var LDAP_BINDUSER)?

arctus commented 5 months ago

Checked that - I used a "root" binding user.

ahaenggli commented 5 months ago

The Synology Freeradius package works so far. It should be due to some configuration... Is there an attribute mapping somewhere? The only "special" thing about the wrapper is that no plain text passwords are stored. Freeradius should therefore use the hashed attribute sambaNTPassword. Maybe this attribute has to be configured somewhere?

arctus commented 5 months ago

Yes, indeed the Radius package in Synology works ok. The only bad thing they have is that instead of an "allowed group", you can set only a "blocked group".

arctus commented 5 months ago

So I tried the VPN from Mikrotik to RADIUS running on Synology connected to LDAP. I receive an error about "No NT Password". The question is: in order to use RADIUS (without PAP, as I understand), do I first need to allow users to log in to Synology?

ahaenggli commented 5 months ago

Yep. Each user must first log in to a service that is directly connected to the LDAP-wrapper (DSM, web application, etc.).

arctus commented 5 months ago

Is there any way around it? My entry point is the VPN service and I really don't want to expose the Synology outside.

ahaenggli commented 5 months ago

Nope. Without a previous login, the wrapper has no idea about what the user password is.

arctus commented 5 months ago

I guess that is the reason why freeradius did not work as well.

yuhongwei380 commented 4 months ago

Nope. Without a previous login, the wrapper has no idea about what the user password is.

How can I change the code so that we can verify the password online (a previous login is not convenient)? I tried to understand the Docker build code; it's hard for me.

ahaenggli commented 4 months ago

@yuhongwei380 the problem is not the wrapper. The wrapper verifies the password online. The problem is Freeradius. Freeradius does not send the password to the wrapper for verification. freeradius fetches the password hash from the wrapper and performs the verification itself.
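The two verification models described above, as an added illustration that is not part of this issue thread and not code from the AzureAD-LDAP-wrapper project: a constructed stand-in for the wrapper verifies a simple bind online and only then holds a sambaNTPassword value (MD4 over the UTF-16LE password, the NT hash), while an rlm_mschap-style client can do nothing until that attribute exists. The account, password, class and function names are all assumptions made for the example; the hash comparison is simplified (real MS-CHAPv2 derives challenge responses from the NT hash rather than comparing it directly), and a pure-Python MD4 is included because hashlib's md4 is unavailable on many OpenSSL 3 builds.

```python
import struct

_M = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), enough to compute NT hashes offline."""
    f = lambda x, y, z: (x & y) | ((~x & _M) & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += ((8 * len(data)) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "little")
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        saved = list(state)
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                idx = (-i) % 4  # register updated this step cycles a, d, c, b
                p, q, r = state[(idx + 1) % 4], state[(idx + 2) % 4], state[(idx + 3) % 4]
                state[idx] = _lrot((state[idx] + func(p, q, r) + x[k] + const) & _M, shifts[i % 4])
        state = [(s + t) & _M for s, t in zip(state, saved)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash as stored in sambaNTPassword: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


# Constructed cloud-side credential store; stands in for the online check against Entra ID.
_CLOUD_ACCOUNTS = {"alice@example.com": "correct horse battery staple"}


def cloud_verify(user: str, password: str) -> bool:
    return _CLOUD_ACCOUNTS.get(user) == password


class WrapperSim:
    """Hypothetical model of the behaviour described in the thread: a simple bind is verified
    online, no cleartext password is kept, and sambaNTPassword exists only after a login."""

    def __init__(self, verify):
        self._verify = verify
        self._entries = {}

    def bind(self, user: str, password: str) -> bool:
        if not self._verify(user, password):
            return False
        # Successful online verification is the only moment the wrapper can derive the NT hash.
        self._entries.setdefault(user, {})["sambaNTPassword"] = nt_hash(password).hex().upper()
        return True

    def get_attr(self, user: str, attr: str):
        return self._entries.get(user, {}).get(attr)


def radius_mschap_style(wrapper: WrapperSim, user: str, password: str):
    """rlm_mschap-style check: fetches a known-good NT hash from the directory and verifies
    locally. Returns None when the attribute is missing (the 'No NT Password' situation)."""
    stored = wrapper.get_attr(user, "sambaNTPassword")
    if stored is None:
        return None
    return stored == nt_hash(password).hex().upper()


def radius_bind_style(wrapper: WrapperSim, user: str, password: str) -> bool:
    """Online model: the password is forwarded as an LDAP bind and the wrapper checks it."""
    return wrapper.bind(user, password)


def run_scenario(user: str = "alice@example.com", password: str = "correct horse battery staple"):
    w = WrapperSim(cloud_verify)
    before = radius_mschap_style(w, user, password)      # None: nothing cached yet
    first_login = radius_bind_style(w, user, password)   # True: like a first DSM/web login
    after = radius_mschap_style(w, user, password)       # True: hash now available
    wrong = radius_mschap_style(w, user, "wrong")        # False: hash present, mismatch
    return {"mschap_before_login": before, "bind_login": first_login,
            "mschap_after_login": after, "mschap_wrong_pw": wrong}


if __name__ == "__main__":
    print(run_scenario())
```

The scenario reproduces the ordering in the thread: a hash-fetching client gets no answer at all until a bind-style login has happened once, after which the cached sambaNTPassword lets it verify on its own. Which of the two models FreeRADIUS uses for a given request is a FreeRADIUS configuration matter not covered in this thread.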

yuhongwei380 commented 4 months ago

@yuhongwei380 the problem is not the wrapper. The wrapper verifies the password online. The problem is Freeradius. Freeradius does not send the password to the wrapper for verification. freeradius fetches the password hash from the wrapper and performs the verification itself.

OK, thanks for the reply.