
Re: Dont know how to receiving userPassword



> >I'm new in this list and I set up OpenLDAP as my first LDAP server. The
> >server works fine, searches and binds work. But I need LDAP for
> >providing passwords in cleartext to a FreeRADIUS server for
> >authentication. (The running protocols PEAP/MSCHAPv2 need this; bind
> >to LDAP is basically not possible.) My problem is that I don't get the LDAP
> >server to send out passwords from the directory. Sniffers like Ethereal
> >show that in the Search Request LDAP packets the attribute name
> >userPassword is listed. But I get back a Search Entry with no attributes
> >provided. Am I right in assuming attribute values should be
> >provided in the "Search Entry" message? I already tried a lot of things
> >with the Access Control Lists and set password-hash {CLEARTEXT}. How
> >do I get OpenLDAP to transmit this userPassword?
> >
> >Thanks in advance for help!
> >Ben


When you set up FreeRADIUS you will specify a username/password to bind to
OpenLDAP with and search for users.  You need to give that user access to
the userPassword attribute.

i.e. FreeRADIUS config

ldap {
 identity = "cn=freeradius,ou=admins,dc=mydomain,dc=com"
 password = "password"
 ...
}


If your searches are going fine, then you've already created that user in
OpenLDAP.  So, now you need to give him access to read the password.  If
this were your only rule, this should work fine.

access to *
	by self write
	by dn="cn=freeradius,ou=admins,dc=mydomain,dc=com" read
	by * none

Or, if you have an attr filter before that entry in your slapd.conf, then
add the user to it.

access to attr=userPassword
	by self write
	by dn="cn=freeradius,ou=admins,dc=mydomain,dc=com" read
	by * none
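The ordering point in the reply (an earlier attr rule wins over a later catch-all) is easy to get wrong, so here is an added example, not part of the post or of OpenLDAP itself, that models slapd's first-match ACL evaluation in Python and checks both rule sets from the reply. The evaluator is a simplified model: it handles only `*`, `self` and `dn="..."` subjects and `attr=` targets, the bind DN is the one from the post, and the implicit deny when no clause covers an attribute is an assumption of the model.

```python
import re

RADIUS_DN = "cn=freeradius,ou=admins,dc=mydomain,dc=com"   # bind DN from the post

# Constructed slapd.conf fragment: the attr rule from the post, as the first clause.
ACL_OK = """
access to attr=userPassword
    by self write
    by dn="cn=freeradius,ou=admins,dc=mydomain,dc=com" read
    by * none
"""
# Constructed mistake: the DN was added only to a later catch-all rule, but the
# earlier userPassword clause still ends evaluation with "by * none".
ACL_MISORDERED = """
access to attr=userPassword
    by self write
    by * none
access to *
    by dn="cn=freeradius,ou=admins,dc=mydomain,dc=com" read
    by * none
"""

def parse_acl(text):
    # Returns [(what, [(who, level), ...]), ...] in file order.
    rules = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("access to "):
            rules.append((line[10:], []))
        elif line.startswith("by ") and rules:
            who, level = line[3:].rsplit(None, 1)
            rules[-1][1].append((who, level))
    return rules

def who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]+)"', who)
    return bool(m) and requester_dn is not None and m.group(1).lower() == requester_dn.lower()

def access_level(acl_text, requester_dn, target_dn, attr):
    # First-match model: the first "access to" clause covering attr is the only one
    # consulted; its first matching "by" decides; no matching "by" means deny.
    for what, bys in parse_acl(acl_text):
        m = re.fullmatch(r"attrs?=(.+)", what)
        if what == "*" or (m and attr.lower() in m.group(1).lower().replace(" ", "").split(",")):
            return next((lvl for who, lvl in bys if who_matches(who, requester_dn, target_dn)), "none")
    return "none"   # assumption: implicit deny when no clause covers the attribute

def can_read(acl_text, requester_dn, target_dn, attr="userPassword"):
    return access_level(acl_text, requester_dn, target_dn, attr) in ("read", "write")
```

With ACL_MISORDERED the FreeRADIUS DN can read other attributes of the entry but never userPassword, which is exactly the empty Search Entry described in the question.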