As I explained before, authentication using user credentials works using PEAP/MSCHAPv2, but not LDAP. Do not change the ldap module; it is irrelevant:
[ldap] performing user authorization for MYDOMAIN\john
expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=john)
expand: dc=mydomain,dc=local -> dc=mydomain,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://127.0.0.1:389/, authentication 0
rlm_ldap: bind as cn=ebox,dc=mydomain,dc=local/XXXXXXX/ to ldap://127.0.0.1:389/
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=mydomain,dc=local, with filter (uid=john)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0xxx531
rlm_ldap: sambaLmPassword -> LM-Password == 0xxx545
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
But EAP/mschapv2 works just fine:
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for olga with NT-Password
expand: --username=%{mschap:User-Name:-None} -> --username=john
expand: %{mschap:NT-Domain} -> MYDOMAIN
expand: --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} -> --domain=MYDOMAIN
[mschap] mschap2: 5f
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=xxxxxxxxxxxx
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=xxxxxxxxxxxxxxxxxx
Exec-Program output: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program-Wait: plaintext: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
But for computer authentication to work, you need to strip host/ and the domain name and add $.
The Novell web site
http://www.novell.com/coolsolutions/feature/17044.html#7 suggests using attr_rewrite, i.e.:
attr_rewrite add-dollar-sign {
    attribute = Stripped-User-Name
    searchfor = "^(host/.*)"
    searchin = packet
    new_attribute = no
    replacewith = "%{1}$"
}
So if you know regex well, try to play with /etc/freeradius/modules/mschap and attr_rewrite to convert host/MYCOMPUTER.MYDOMAIN to MYCOMPUTER$.
If you make it work, please post the configuration.
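
An added example, not part of the original post and not FreeRADIUS or Novell code: a Python check of the host/MYCOMPUTER.MYDOMAIN to MYCOMPUTER$ rewrite asked for above, run over constructed sample names so the expression can be tried before an equivalent one goes into searchfor. The function names and sample identities are assumptions made for illustration.

```python
import re

# "host/" prefix, then the first DNS label (captured), then an optional ".domain" tail.
# Slashes, backslashes and "$" are excluded so that malformed or already rewritten
# names never match and are passed through untouched.
MACHINE_RE = re.compile(r"^host/([^./\\$]+)(\.[^/\\$]+)?$", re.IGNORECASE)


def machine_account(user_name):
    """Return 'NAME$' for a 'host/NAME[.domain]' identity, or None for anything else."""
    match = MACHINE_RE.match(user_name)
    if match is None:
        return None
    return match.group(1) + "$"


def rewrite(user_name):
    """Rewrite machine identities to NAME$; leave user identities unchanged."""
    account = machine_account(user_name)
    return account if account is not None else user_name


# Constructed sample identities (not taken from a real capture).
SAMPLES = [
    "host/MYCOMPUTER.MYDOMAIN",        # the case from the post
    "host/mycomputer.mydomain.local",  # multi-label domain
    "host/MYCOMPUTER",                 # no domain suffix
    "john",                            # plain user name
    "MYDOMAIN\\john",                  # DOMAIN\user form
    "host/",                           # empty host part, must not become "$"
    "host/PC$.mydomain",               # already carries "$", left alone
    "host/a.b/c",                      # extra path component, left alone
]


def run_samples():
    """Map every sample identity to its rewritten form."""
    return {name: rewrite(name) for name in SAMPLES}


if __name__ == "__main__":
    for before, after in run_samples().items():
        print(f"{before!r:36} -> {after!r}")
```
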