On Wed, 27 Mar 2002, Michael S. McCollough wrote:
> This is fun:
> Now, PAP will authenticate when an LDAP user has a {crypt} password and will
> not work with a clear text password stored in ldap? The following user has
> password stored {clear}
>
> Can you tell me how to get around this as I will need to store all ldap
> passwords {clear} to use CHAP.
>
> Thanks
> Michael
There seems to be something very wrong with your ldap server since the bind
request with the user clear text password fails. In any case, try using the
following:
authenticate {
        authtype CHAP {
                chap
        }
        authtype PAP {
                pap
        }
}
authorize {
        chap
        files
        ldap
}
users file:
DEFAULT Auth-Type = PAP
This should work with clear text passwords (remember to set the
encryption_scheme config parameter of the pap module to clear).
Make sure though that you find out what the problem is with your ldap server.
Try something like:
ldapsearch -h <your hostname> -b dc=uchub,dc=com \
    -D '[EMAIL PROTECTED],ou=People,dc=uchub,dc=com' -w uchubtest \
    '[EMAIL PROTECTED]'
and see what happens.
>
>
> rad_recv: Access-Request packet from host 208.241.20.2:64113, id=72,
> length=61
> User-Name = "[EMAIL PROTECTED]"
> Password = "\241\312\202\355%E\334\365\\\n\tH\306\330\013H"
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
> modcall[authorize]: module "chap" returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for [EMAIL PROTECTED]
> radius_xlat: '([EMAIL PROTECTED])'
> radius_xlat: 'dc=uchub,dc=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap:389:389, authentication 0
> rlm_ldap: bind as cn=manager,dc=uchub,dc=com/b33r1sg00d
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in dc=uchub,dc=com, with filter
> ([EMAIL PROTECTED])
> rlm_ldap: Added password uchubtest in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok
> rlm_realm: Proxying request from user testuser to realm planetez.net
> rlm_realm: auth_port is not set. proxy cancelled
> modcall[authorize]: module "suffix" returns ok
> users: Matched DEFAULT at 2
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type LDAP
> auth: type "Ldap"
> modcall: entering group authtype
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "testuser" with password "uchubtest"
> rlm_ldap: user DN: [EMAIL PROTECTED],ou=People,dc=uchub,dc=com
> rlm_ldap: (re)connect to ldap:389:389, authentication 1
> rlm_ldap: bind as
> [EMAIL PROTECTED],ou=People,dc=uchub,dc=com/uchubtest
> rlm_ldap: waiting for bind result ...
> modcall[authenticate]: module "ldap" returns reject
> modcall: group authtype returns reject
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: Bind as user failed):
> [[EMAIL PROTECTED]/uchubtest] (from client MR-Firewall port 0)
> Sending Access-Reject of id 72 to 208.241.20.2:64113
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 72 with timestamp 3ca21fb8
> Nothing to do. Sleeping until we see a request.
>
> -----Original Message-----
> From: Alan DeKok [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 27, 2002 1:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: CHAP-Password & LDAP Auth?
>
>
> Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> > Do one of the following:
> >
> > 1.
> ...
>
> Can you add this to the default 'radiusd.conf.in'? There are enough
> questions about CHAP and other modules that a template should be in the
> default configuration file.
>
> Also, it may be useful to add an 'authorize' section to rlm_pap, and to
> list it as the LAST module in the 'authorize' list. That way, the discovery
> of doing PAP authentication can be automagic.
>
> Hmm... src/main/files.c and src/main/auth.c do various magic to discover
> Auth-Type = Local. This should be fixed, too.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
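The thread above turns on one point: PAP can be checked against a hashed userPassword, while CHAP (RFC 1994) can only be checked when the server can recover the cleartext, which is why the poster must store passwords {clear} to use CHAP. The following Python script is an added example, not code from the thread or from FreeRADIUS; it models both checks side by side. The {clear}/{ssha} stored-value formats, the helper names, the identifier, challenge and salt values are all constructed for this example, and {ssha} stands in for the one-way {crypt} scheme mentioned in the thread.

```python
"""Why CHAP needs a recoverable password while PAP does not (added example)."""
import base64
import hashlib
import hmac


def parse_stored(stored: str):
    """Split an LDAP-style '{scheme}value' string into (scheme, value).

    A value without a prefix is treated as cleartext, which mirrors how a
    PAP module set to a 'clear' encryption scheme would interpret it.
    """
    if stored.startswith("{") and "}" in stored:
        scheme, _, value = stored[1:].partition("}")
        return scheme.lower(), value
    return "clear", stored


def ssha_hash(password: str, salt: bytes) -> str:
    """Build a salted SHA-1 userPassword value: {SSHA}base64(sha1(pw+salt)+salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_verify(stored: str, password: str) -> bool:
    """PAP: the client sends the password itself, so any stored form works.

    Cleartext is compared directly; a one-way hash is recomputed from the
    offered password and compared to the stored digest.
    """
    scheme, value = parse_stored(stored)
    if scheme == "clear":
        return hmac.compare_digest(value.encode(), password.encode())
    if scheme == "ssha":
        raw = base64.b64decode(value)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        offered = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(offered, digest)
    return False  # unknown scheme: refuse rather than guess


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_verify(stored: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """CHAP: the server must recompute the MD5 over the *cleartext* secret.

    With a hashed userPassword there is no way to reproduce the response,
    so verification can only fail; the stored value must be {clear}.
    """
    scheme, value = parse_stored(stored)
    if scheme != "clear":
        return False
    expected = chap_response(ident, value, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample credentials and CHAP parameters.
    password = "uchubtest"
    clear_entry = "{clear}" + password
    hashed_entry = ssha_hash(password, b"saltsalt")
    ident, challenge = 72, bytes(range(16))
    response = chap_response(ident, password, challenge)

    print("PAP  vs {clear}:", pap_verify(clear_entry, password))    # True
    print("PAP  vs {SSHA} :", pap_verify(hashed_entry, password))   # True
    print("CHAP vs {clear}:", chap_verify(clear_entry, ident, challenge, response))   # True
    print("CHAP vs {SSHA} :", chap_verify(hashed_entry, ident, challenge, response))  # False
```

The last line of the demo is the situation in the thread: with only a one-way hash in the directory, the CHAP check cannot succeed no matter how the modules are ordered, so the only choices are storing a recoverable password for CHAP users or restricting those users to PAP.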