On Tue, 21 Oct 2003, Lai Fu Keung wrote:

>
> Hi,
>
> I use LDAP to authenticate all requests. LDAP contains 2 password
> attributes -- a plain text password for authenticating MS-CHAP and a
> crypted password for authenticating PAP, CHAP.
>
> I can get CHAP, MS-CHAP working, but not with PAP.
>
> Anyone can help? Thanks in advance.
>
> Lai
>
>
> Error message:
>
> rad_recv: Access-Request packet from host 147.8.123.123:1645, id=211,
> length=197
>         User-Name = "testuser"
>         User-Password = "testtest"
>         NAS-IP-Address = 147.8.123.123
>         NAS-Port = 21
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Called-Station-Id = "300"
>         USR-Connect-Speed = 48000-BPS
>         USR-Modulation-Type = v90Analog
>         USR-Simplified-MNP-Levels = mnpLevel4
>         USR-Simplified-V42bis-Usage = none
>         USR-Chassis-Call-Slot = 0
>         USR-Chassis-Call-Span = 0
>         USR-Chassis-Call-Channel = 16
>         NAS-Identifier = "modemserver"
>         Acct-Session-Id = "050003e4"
>         NAS-Port-Type = Async
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> radius_xlat: '/var/log/radius/radacct/147.8.123.123/auth-detail-
> 20031020'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-
> %Y%m%d expands to /var/log/radius/radacct/147.8.123.123/auth-detail-
> 20031020
> modcall[authorize]: module "auth_log" returns ok
> modcall[authorize]: module "chap" returns noop
> users: Matched DEFAULT at 171
> users: Matched DEFAULT at 185
> modcall[authorize]: module "files" returns ok
> modcall: entering group redundant
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for tfklai
> radius_xlat: '(uid=testuser)'
> radius_xlat: 'ou=radius,c=hk'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=radius,c=hk, with filter
> (uid=testuser)
> rlm_ldap: Added password testtest in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user tfklai authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "first_ldap" returns ok
> modcall: group redundant returns ok
> modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type
> modcall: entering group redundant
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "testuser" with password "testtest"
> rlm_ldap: user DN: uid=testuser,ou=radius,c=hk
> rlm_ldap: (re)connect to freeradius.hku.hk:389, authentication 1
> rlm_ldap: bind as uid=testuser,ou=radius,c=hk/testtest to
> freeradius.hku.hk:389
> rlm_ldap: waiting for bind result ...
> modcall[authenticate]: module "first_ldap" returns reject
> modcall: group redundant returns reject
> modcall: group Auth-Type returns reject
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: Bind as user failed): [testuser/testtest]
> (from client ppp-29642300 port 21)

Well it seems that the bind operation is failing. If your encrypted password is
not the userpassword attribute then the ldap server will _not_ use that in the
bind operation and as a result the bind operation will fail. So make sure you
are using the right password attribute.

>
> radiusd.config file:
>
> module {
>     pap {
>         encryption_scheme = crypt
>     }
>     chap {
>         authtype = CHAP
>     }
>     ms_chap {
>         authtype = MS-CHAP
>         etc ...
>     }
>     ldap first_ldap {
>         server = "freeradius.hku.hk"
>         identity = "cn=administrator,c=hk"
>         password = 123456
>         basedn = "ou=radius,c=hk"
>         etc ...
>     }
> }
>
> authorize {
>     chap
>     redundant {
>         first_ldap {
>             notfound = return
>         }
>         second_ldap {
>             notfound = return
>         }
>         handled
>     }
>     files
>     mschap
> }
>
> authenticate {
>     Auth-Type LDAP {
>         # ldap
>         redundant {
>             first_ldap
>             second_ldap
>         }
>     }
>     Auth-Type PAP {
>         pap
>     }
>     Auth-Type CHAP {
>         chap
>     }
>     Auth-Type MS-CHAP {
>         mschap
>     }
> }
>
> users file:
>
> DEFAULT Service-Type == Framed-User
>     Framed-IP-Address = 255.255.255.254,
>     Framed-MTU = 576,
>     Service-Type = Framed-User,
>     Fall-Through = Yes
>
> DEFAULT Framed-Protocol == PPP
>     Framed-Protocol = PPP,
>     Framed-Compression = Van-Jacobson-TCP-IP
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
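
Added example, not part of either poster's message and not FreeRADIUS code: a small Python triage of the debug output quoted above. It extracts which Auth-Type was selected, which module rejected the request and why, and whether the pap module ever ran. The function names are hypothetical, and the sample is an excerpt of the quoted log with wrapped lines rejoined.

```python
import re

# Excerpt of the debug output quoted in the thread (wrapped lines rejoined).
SAMPLE_LOG = '''\
> modcall[authorize]: module "chap" returns noop
> modcall[authorize]: module "files" returns ok
> rlm_ldap: Added password testtest in check items
> modcall[authorize]: module "first_ldap" returns ok
> modcall[authorize]: module "mschap" returns noop
> rad_check_password: Found Auth-Type LDAP
> modcall[authenticate]: module "first_ldap" returns reject
> Login incorrect (rlm_ldap: Bind as user failed): [testuser/testtest] (from client ppp-29642300 port 21)
'''

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
AUTH_TYPE = re.compile(r'Found Auth-Type (\S+)')
FAILURE = re.compile(r'Login incorrect \((.*?)\): \[')

def triage(log_text):
    """Summarise one request's debug output (hypothetical helper)."""
    out = {"auth_type": None, "modules_run": [], "rejected_by": None, "reason": None}
    for raw in log_text.splitlines():
        line = raw.lstrip("> \t")  # drop mail quoting and indentation
        m = MODCALL.search(line)
        if m:
            section, module, result = m.groups()
            out["modules_run"].append((section, module, result))
            # Remember the first module that turned the request down.
            if result == "reject" and out["rejected_by"] is None:
                out["rejected_by"] = (section, module)
            continue
        m = AUTH_TYPE.search(line)
        if m:
            out["auth_type"] = m.group(1)
            continue
        m = FAILURE.search(line)
        if m:
            out["reason"] = m.group(1)
    return out

def pap_module_ran(summary):
    """True if the 'pap' module handled any part of the request."""
    return any(module == "pap" for _, module, _ in summary["modules_run"])

if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("Auth-Type:", s["auth_type"])
    print("Rejected by:", s["rejected_by"], "-", s["reason"])
    print("pap module ran:", pap_module_ran(s))
```

On this excerpt it reports Auth-Type LDAP, a reject from first_ldap in the authenticate section with the reason "Bind as user failed", and no call to the pap module, so the password was checked by the LDAP bind rather than by a local crypt comparison.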