I noticed in radiusd -X that PAP tries to bind to the ldap directory, where CHAP appears to do a simple search/read. The bind status does not show up in the debug. Is there a way to make PAP behave like CHAP with the ldap module?
-----Original Message-----
From: Michael S. McCollough [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 9:12 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: CHAP-LDAP PAP-LDAP

I am completely stumped. I have been up 3 nights straight trying to get this to work. If I cannot get it by midnight, I guess I will develop with users file or passwd file.

A user with userPassword: {clear}uchubtest

[root@radius openldap]# ldapsearch -h localhost -b dc=uchub,dc=com -D '[EMAIL PROTECTED],ou=People,dc=uchub,dc=com' -w uchubtest '[EMAIL PROTECTED]' -x
ldap_bind: Invalid credentials

[root@radius openldap]# ldapsearch -h localhost -b dc=uchub,dc=com -D '[EMAIL PROTECTED],ou=People,dc=uchub,dc=com' -w uchubtest '[EMAIL PROTECTED]' -x

This user will not authenticate with ldap but CHAP on radius authenticates against it fine, PAP will not.

This user works fine with ldap auth and PAP but will not work with CHAP.
With user imported with: userPassword: uchubtest

version: 2
#
# filter: [EMAIL PROTECTED]
# requesting: ALL
#

# [EMAIL PROTECTED],People,dc=uchub,dc=com
dn: [EMAIL PROTECTED],ou=People,dc=uchub,dc=com
uid: [EMAIL PROTECTED]
cn: Test Account
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: dWNodWJ0ZXN0
shadowLastChange: 11764
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 508
gidNumber: 509
homeDirectory: [EMAIL PROTECTED]
gecos: Test Account,Test Inc.,xxx-xxx-xxxx,

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

-----Original Message-----
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 5:43 PM
To: '[EMAIL PROTECTED]'
Subject: Re: CHAP-LDAP PAP-LDAP

On Wed, 27 Mar 2002, Michael S. McCollough wrote:

> This is fun:
> Now, PAP will authenticate when an LDAP user has a {crypt} password
> and will not work with a clear text password stored in ldap? The
> following user has password stored {clear}
>
> Can you tell me how to get around this as I will need to store all
> ldap passwords {clear} to use CHAP.
>
> Thanks
> Michael

There seems to be something very wrong with your ldap server since the bind request with the user clear text password fails. In any case, try using the following:

authenticate {
        authtype CHAP {
                chap
        }
        authtype PAP {
                pap
        }
}

authorize {
        chap
        files
        ldap
}

users file:

DEFAULT Auth-Type = PAP

This should work with clear text passwords (remember to set the encryption_scheme config parameter of the pap module to clear). Make sure though you find out what's the problem with your ldap server. Try something like:

ldapsearch -h <your hostname> -b dc=uchub,dc=com -D '[EMAIL PROTECTED],ou=People,dc=uchub,dc=com' -w uchubtest '[EMAIL PROTECTED]'

and see what happens.

>
> rad_recv: Access-Request packet from host 208.241.20.2:64113, id=72, length=61
>         User-Name = "[EMAIL PROTECTED]"
>         Password = "\241\312\202\355%E\334\365\\\n\tH\306\330\013H"
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
> rlm_chap: Could not find proper Chap-Password attribute in request
>   modcall[authorize]: module "chap" returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for [EMAIL PROTECTED]
> radius_xlat: '([EMAIL PROTECTED])'
> radius_xlat: 'dc=uchub,dc=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap:389:389, authentication 0
> rlm_ldap: bind as cn=manager,dc=uchub,dc=com/b33r1sg00d
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in dc=uchub,dc=com, with filter ([EMAIL PROTECTED])
> rlm_ldap: Added password uchubtest in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user [EMAIL PROTECTED] authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok
> rlm_realm: Proxying request from user testuser to realm planetez.net
> rlm_realm: auth_port is not set. proxy cancelled
>   modcall[authorize]: module "suffix" returns ok
>     users: Matched DEFAULT at 2
>   modcall[authorize]: module "files" returns ok
> modcall: group authorize returns ok
>   rad_check_password: Found Auth-Type LDAP
> auth: type "Ldap"
> modcall: entering group authtype
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "testuser" with password "uchubtest"
> rlm_ldap: user DN: [EMAIL PROTECTED],ou=People,dc=uchub,dc=com
> rlm_ldap: (re)connect to ldap:389:389, authentication 1
> rlm_ldap: bind as [EMAIL PROTECTED],ou=People,dc=uchub,dc=com/uchubtest
> rlm_ldap: waiting for bind result ...
>   modcall[authenticate]: module "ldap" returns reject
> modcall: group authtype returns reject
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: Bind as user failed): [[EMAIL PROTECTED]/uchubtest] (from client MR-Firewall port 0)
> Sending Access-Reject of id 72 to 208.241.20.2:64113
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 72 with timestamp 3ca21fb8
> Nothing to do.  Sleeping until we see a request.
>
> -----Original Message-----
> From: Alan DeKok [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 27, 2002 1:06 PM
> To: [EMAIL PROTECTED]
> Subject: Re: CHAP-Password & LDAP Auth?
>
>
> Kostas Kalevras <[EMAIL PROTECTED]> wrote:
> > Do one of the following:
> >
> > 1.
> ...
>
> Can you add this to the default 'radiusd.conf.in'? There are enough
> questions about CHAP and other modules that a template should be in
> the default configuration file.
>
> Also, it may be useful to add an 'authorize' section to rlm_pap, and
> to list it as the LAST module in the 'authorize' list. That way, the
> discovery of doing PAP authentication can be automagic.
>
> Hmm... src/main/files.c and src/main/auth.c do various magic to
> discover Auth-Type = Local. This should be fixed, too.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras           Network Operations Center
[EMAIL PROTECTED]         National Technical University of Athens, Greece
Work Phone:               +30 10 7721861
'Go back to the shadow'   Gandalf
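The asymmetry the thread keeps running into (CHAP only succeeds once rlm_ldap has put the cleartext password into the check items, while PAP can be satisfied by a bind or by a {crypt} hash) comes from how each protocol is verified. The Python below is an added example, not code from the thread or from FreeRADIUS: it decodes the userPassword values shown above and verifies a CHAP-Password and a PAP password against them; the CHAP challenge is a constructed sample value and {SHA} stands in for {crypt} as the one-way storage scheme.

```python
import base64
import hashlib
import hmac

# Constructed sample challenge (CHAP-Challenge or Request Authenticator); made up here.
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

def ldif_password(line):
    """Return the value of an LDIF userPassword line; '::' marks a base64 value."""
    _, sep, value = line.partition("::")
    if sep:
        return base64.b64decode(value.strip()).decode()
    return line.partition(":")[2].strip()

def split_scheme(stored):
    """Split '{scheme}value' into (scheme, value); a bare value counts as cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, value = stored[1:].partition("}")
        return scheme.lower(), value
    return "clear", stored

def chap_response(ident, password, challenge):
    """RFC 1994 response: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def check_chap(chap_password, challenge, stored):
    """Verify a CHAP-Password (1-byte ident + 16-byte response) against the stored value.
    Any non-cleartext scheme fails: the MD5 can only be recomputed from the password."""
    scheme, value = split_scheme(stored)
    if scheme != "clear" or len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], value, challenge)
    return hmac.compare_digest(chap_password[1:], expected)

def sha_scheme(password):
    """OpenLDAP {SHA} form (base64 of SHA-1), standing in for the thread's {crypt} values."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def check_pap(user_password, stored):
    """Verify a PAP cleartext password against {clear} or {SHA}: the request carries
    the password itself, which is why PAP also works with hashed storage."""
    scheme, value = split_scheme(stored)
    if scheme == "clear":
        return hmac.compare_digest(user_password.encode(), value.encode())
    if scheme == "sha":
        digest = hashlib.sha1(user_password.encode()).digest()
        return hmac.compare_digest(digest, base64.b64decode(value))
    return False
```

Running check_chap against a {SHA} (or {crypt}) entry always fails, which is the same outcome rlm_chap reports when the directory cannot supply a cleartext password.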
