On Tue, 26 Mar 2002, Michael S. McCollough wrote:
> Are you using LDAP? This did not work for me. I did get the realms working
> though.
Yes, but you _do not_ authenticate off of LDAP. You authorize off of LDAP
(where the password needs to be stored in the clear). Essentially when
LDAP is in the authorize{} section, this is the only action it takes.
Then you authenticate{} with CHAP, which takes the CHAP-Password from the
inbound packet, and constructs a CHAP-ized version of the cleartext from
LDAP to compare it with.
-Shawn
>
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication. Cannot
> use "CHAP-Password".
> modcall[authenticate]: module "ldap" returns invalid
> modcall: group authenticate returns invalid
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: User not found):
> [[EMAIL PROTECTED]/<CHAP-Password>] (from client MR-Firewall port 0)
>
>
>
> -----Original Message-----
> From: Shawn O'Shea [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 10:48 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: CHAP-Password & LDAP Auth?
>
>
>
> I got the better part of this working on Friday....here's most of the
> pertinent parts:
>
> radiusd.conf:
>
> -add a blank section for chap options (something complained when I didnt do
> this)
>
> chap {
> }
>
> -make sure that your ldap section is configured for your setup
>
> -make sure authorize{} has chap and ldap. Mine looks like: authorize {
> preprocess
> chap
> ldap
> suffix
> files
> }
>
> -make sure authenticate{} has chap. I have:
> authenticate {
> unix
> chap
> }
>
> I only have one type of user....I'm not sure how to setup realms properly,
> so I'm being lame and matching the realm in their username attribute and
> giving them some ascend vendor attributes:
> users:
>
> DEFAULT Suffix == "@realm.mycompany.com"
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Ascend-Data-Filter = "IP IN FORWARD TCP",
> Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
> Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
> Ascend-Data-Filter += "IP IN FORWARD 0",
> Ascend-Assign-IP-Pool = 0
>
> -Shawn
>
> On Mon, 25 Mar 2002, Michael S. McCollough wrote:
>
> > I am probably just dense but either the faq is incomplete or I cannot
> > translate to suit my needs. I cannot even get chap to work with
> > Auth-Type :=system I need it to work with ldap. Once key point may be
> > CHAP vs MS-CHAP. The radiusd.conf file only has ms-chap in it. I
> > remember log time ago when chap was proposed, ms did their own
> > version. Since the MS version became the defacto standard, I am not
> > sure is ms-chap and chap are used interchangably.
> >
> > From radiusd -X
> > rlm_ldap: Attribute "Password" is required for authentication. Cannot
> > use "CHAP-Password".
> >
> > I need CHAP to work with LDAP but would be happy to see it work with
> > system auth just to know it works.
> >
> > --
> > Michael
> >
> >
> > -----Original Message-----
> > From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 21, 2002 2:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: CHAP-Password & LDAP Auth?
> >
> >
> > On Thu, 21 Mar 2002, Mike Cathey wrote:
> >
> > > Chris,
> > >
> > >
> > > Chris Parker wrote:
> > > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > > >
> > > >> Chris,
> > > >>
> > > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC it's
> > > >> the auth code) supports 2 menthods of LDAP auth. One method
> > > >> attempts to bind to the directory as the user, which is what it
> > > >> sounds like FreeRADIUS does. The other methold is to bind to the
> > > >> directory as a privileged user (one who has access to all user
> > > >> attributes), crypt what the client handed you and compare it to
> > > >> userPassword.
> > > >
> > > >
> > > > The client hands you an already ( and non-reversable ) encrypted
> > > > string. Encrypting it a second time will yield nothing useful.
> > > >
> > > >> I may be possible to implement the second method in FreeRADIUS
> > > >> and use it for LDAP/CHAP auth. Comments?
> > > >
> > > >
> > > > The only way to perform CHAP authentication is for the server to
> > > > have access to the unecrypted password locally.
> > >
> > > Sorry, I wasn't suggesting you uss crypt with LDAP/CHAP. I was just
> > > pointing out the method of binding as a privileged user (a user who
> > > has rights to access the userPassword attribute for the RADIUS
> > > users). You can then get the value of userPassword and send the
> > > 'challenge' back to the proxy. I haven't read docs on CHAP in a
> > > while, but it seems like this would work ok. Of course, this
> > > assumes you store all of your users passwords in plain text.
> > >
> > > Cheers,
> > >
> > > Mike
> >
> > It's already supported. Please read the FAQ at
> > http://www.freeradius.org/faq/#5.11
> >
> > and doc/rlm_ldap
> >
> > --
> > Kostas Kalevras Network Operations Center
> > [EMAIL PROTECTED] National Technical University of Athens, Greece
> > Work Phone: +30 10 7721861
> > 'Go back to the shadow' Gandalf
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
> Shawn K. O'Shea
> Sr. Unix Administrator
> DSL.net, Inc.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
