I was wondering if I could borrow your brain for a moment. I posted to
freeradius-users this morning, but have not received a response and I would
really love to get my configuration approved by WorldCom today. It appears
just as CHAP will not read anything but cleartext password from ldap, PAP is
not working with anything other than {crypt}. I have looked through openldap
documentation to no avail and I do recognize this is most likely an openldap
problem. I have to be able to support both PAP and CHAP and know of no other
way to do this.

Thanks for your time.

Michael

-----Original Message-----
From: Michael S. McCollough [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 1:58 PM
To: '[EMAIL PROTECTED]'
Subject: CHAP-LDAP PAP-LDAP

This is fun:

Now, PAP will authenticate when an LDAP user has a {crypt} password and will
not work with a clear text password stored in ldap? The following user has
password stored {clear}

Can you tell me how to get around this as I will need to store all ldap
passwords {clear} to use CHAP.

Thanks
Michael

rad_recv: Access-Request packet from host 208.241.20.2:64113, id=72, length=61
    User-Name = "[EMAIL PROTECTED]"
    Password = "\241\312\202\355%E\334\365\\\n\tH\306\330\013H"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat: '([EMAIL PROTECTED])'
radius_xlat: 'dc=uchub,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap:389:389, authentication 0
rlm_ldap: bind as cn=manager,dc=uchub,dc=com/b33r1sg00d
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=uchub,dc=com, with filter ([EMAIL PROTECTED])
rlm_ldap: Added password uchubtest in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
rlm_realm: Proxying request from user testuser to realm planetez.net
rlm_realm: auth_port is not set. proxy cancelled
modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 2
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type LDAP
auth: type "Ldap"
modcall: entering group authtype
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "uchubtest"
rlm_ldap: user DN: [EMAIL PROTECTED],ou=People,dc=uchub,dc=com
rlm_ldap: (re)connect to ldap:389:389, authentication 1
rlm_ldap: bind as [EMAIL PROTECTED],ou=People,dc=uchub,dc=com/uchubtest
rlm_ldap: waiting for bind result ...
modcall[authenticate]: module "ldap" returns reject
modcall: group authtype returns reject
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [[EMAIL PROTECTED]/uchubtest] (from client MR-Firewall port 0)
Sending Access-Reject of id 72 to 208.241.20.2:64113
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 72 with timestamp 3ca21fb8
Nothing to do. Sleeping until we see a request.

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 1:06 PM
To: [EMAIL PROTECTED]
Subject: Re: CHAP-Password & LDAP Auth?

Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> Do one of the following:
>
> 1. ...

Can you add this to the default 'radiusd.conf.in'? There are enough
questions about CHAP and other modules that a template should be in the
default configuration file.

Also, it may be useful to add an 'authorize' section to rlm_pap, and to list
it as the LAST module in the 'authorize' list. That way, the discovery of
doing PAP authentication can be automagic.

Hmm... src/main/files.c and src/main/auth.c do various magic to discover
Auth-Type = Local. This should be fixed, too.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
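
Added example, not part of the original messages or of FreeRADIUS: the protocol reason behind the constraint discussed in this thread. CHAP (RFC 1994) sends only MD5(identifier || password || challenge), so the verifier must hold the cleartext password, while PAP sends the password itself, which can be compared against a cleartext or a one-way hashed value. The {SHA} scheme is an assumed stand-in for {crypt} as the one-way format, and the password, identifier and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac

SAMPLE_PASSWORD = b"example-pass"     # constructed sample value
SAMPLE_CHALLENGE = bytes(range(16))   # constructed 16-byte CHAP challenge

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def ldap_sha(password: bytes) -> str:
    """One-way {SHA} userPassword value; assumed stand-in for {crypt}."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()

def split_scheme(stored: str):
    """Split '{scheme}value'; a value with no prefix is treated as cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, value = stored[1:].split("}", 1)
        return scheme.lower(), value
    return "clear", stored

def verify_pap(stored: str, supplied: bytes) -> bool:
    """PAP delivers the password itself, so it can be hashed and compared."""
    scheme, value = split_scheme(stored)
    if scheme == "clear":
        return hmac.compare_digest(value.encode(), supplied)
    if scheme == "sha":
        return hmac.compare_digest(value, ldap_sha(supplied)[len("{SHA}"):])
    raise ValueError("unsupported scheme: " + scheme)

def verify_chap(stored: str, ident: int, challenge: bytes, response: bytes):
    """CHAP delivers only a digest; returns None when no cleartext is stored."""
    scheme, value = split_scheme(stored)
    if scheme != "clear":
        return None  # MD5(id || password || challenge) cannot be rebuilt from a hash
    expected = chap_response(ident, value.encode(), challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    resp = chap_response(72, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)
    for stored in ("{clear}example-pass", ldap_sha(SAMPLE_PASSWORD)):
        print(stored.split("}")[0] + "}", "PAP:", verify_pap(stored, SAMPLE_PASSWORD),
              "CHAP:", verify_chap(stored, 72, SAMPLE_CHALLENGE, resp))
```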
