从 LDAP 使用 Freeradius 进行身份验证失败

我想将 Freeradius 设置为能够通过 LDAP 数据库进行身份验证。

Freeradius 可以正确连接并找到 LDAP 目录中的用户：

2024-01-14T22:00:25.233318433Z (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
2024-01-14T22:00:25.233326325Z (1) ldap:    --> (uid=user)
2024-01-14T22:00:25.233334383Z (1) ldap: Performing search in "cn=users,ou=admin,dc=example,dc=hu" with filter "(uid=user)", scope "sub"
2024-01-14T22:00:25.233343360Z (1) ldap: Waiting for search result...
2024-01-14T22:00:25.236617309Z (1) ldap: User object found at DN "cn=user,cn=users,ou=admin,dc=example,dc=hu"

客户端想要通过 进行身份验证mschapv2，这可以从请求中看出：

2024-01-14T22:00:25.232979025Z (1) Received Access-Request Id 31 from 172.16.8.14:59643 to 192.168.1.3:1812 length 150
2024-01-14T22:00:25.233058826Z (1)   Service-Type = Login-User
2024-01-14T22:00:25.233068484Z (1)   User-Name = "user"
2024-01-14T22:00:25.233076197Z (1)   MS-CHAP-Challenge = 0xfc1cd4cb18f3a72ebec9ae33bc3541b3
2024-01-14T22:00:25.233082264Z (1)   MS-CHAP2-Response = 0x00009a0da1c7787c2ba24c803731a9e5c0660000000000000000e202f180eb23202f5bf10113c00d336aded55e09ed3c49e2
2024-01-14T22:00:25.233088052Z (1)   Calling-Station-Id = "172.16.15.1"
2024-01-14T22:00:25.233093469Z (1)   NAS-Identifier = "router"
2024-01-14T22:00:25.233098457Z (1)   NAS-IP-Address = 172.16.8.14

但是，认证仍然失败：

2024-01-14T22:00:25.236764101Z (1) Found Auth-Type = mschap
2024-01-14T22:00:25.236770396Z (1) Auth-Type sub-section not found.  Ignoring.
2024-01-14T22:00:25.236775403Z (1) # Executing group from file /etc/freeradius/sites-enabled/default
2024-01-14T22:00:25.236780691Z (1) Failed to authenticate the user
2024-01-14T22:00:25.236793956Z (1) Using Post-Auth-Type Reject
2024-01-14T22:00:25.236800568Z (1) # Executing group from file /etc/freeradius/sites-enabled/default
2024-01-14T22:00:25.236809280Z (1)   Post-Auth-Type REJECT {

我不明白为什么。使用默认的 freeradius 站点配置，仅ldap添加 mod 和连接详细信息。

Ps.：使用radtest实用程序进行身份验证有效，因此仅使用 mschap 进行身份验证不起作用。测试的用户密码也存储为cleartextLDAPmd5中。