I have included both of my files. If I have done anything other than what
you directed then I will eat crow (good training for Fear Factor anyway). It
is still using Auth-Type = LDAP for PAP requests. I am using 0.5 from CVS. I am usually
pretty good at following directions.
Here is my users file (before this I also had a DEFAULT Auth-Type = PAP entry
with Fall-Through = Yes below it, configured ahead of a separate DEFAULT Suffix ==
"@planetez.net" entry):
# FreeRADIUS 0.5 users file entry, as posted. The reply items below should be
# indented in the real file; the leading whitespace was lost in the mail.
# "Auth-Type = PAP" uses '=' rather than ':=', so Auth-Type is only set when
# no earlier module (chap in authorize) has already set it -- that is what
# keeps PAP requests away from the ldap module's bind-as-user authentication.
# NOTE(review): the "Suffix ==" check restricts this entry to requests that
# carry that suffix; confirm Suffix is actually populated by the time rlm_files
# runs, since the suffix realm module is listed after files in authorize.
# Reply items: Ascend data filters allow established TCP, allow traffic to one
# host, drop inbound TCP to port 25, then allow everything else.
# Fall-Through = Yes lets later entries in the users file also be evaluated.
DEFAULT Auth-Type = PAP,Suffix == "@planetez.net"
Service-Type = Framed-User,
Framed-Protocol = PPP,
X-Ascend-Data-Filter = "ip in forward tcp est",
X-Ascend-Data-Filter = "ip in forward dstip 65.216.115.16/32",
X-Ascend-Data-Filter = "ip in drop tcp dstport = 25",
X-Ascend-Data-Filter = "ip in forward",
Fall-Through = Yes
Here is radiusd.conf:
# radiusd.conf as posted (FreeRADIUS 0.5 from CVS). Leading indentation was
# lost in the mail; nesting is given by the braces only.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
libdir = ${exec_prefix}/lib
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run
pidfile = ${run_dir}/radiusd.pid
# The daemon runs as root/root. Nothing visible in this file obviously needs
# root after start-up (the unix module below only names /etc/passwd and
# /etc/group), so a dedicated unprivileged user/group would limit what a
# compromise of radiusd can reach.
user = root
group = root
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listens on every interface; port = 0 presumably means the port comes from
# /etc/services, as in the stock config -- confirm for this build.
bind_address = *
port = 0
checkrad = ${sbindir}/checkrad
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
# log_auth_badpass / log_auth_goodpass = yes add the password the user sent
# to each authentication log line in ${logdir}. With PAP and the cleartext
# LDAP password store configured below, real user passwords end up in the
# log file; set both to "no" once debugging is finished.
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
proxy_requests = no
# clients.conf holds the per-NAS shared secrets; keep its permissions as
# tight as this file's.
$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
chap {
}
pap {
}
mschap {
authtype = MS-CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
passwd = /etc/passwd
group = /etc/group
radwtmp = ${logdir}/radwtmp
}
eap {
md5 {
}
}
# rlm_ldap: listed in authorize below; when Auth-Type ends up as LDAP it
# also authenticates by binding to the directory (see the quoted reply).
ldap {
# Plain LDAP on 389 with no TLS settings here: the bind credentials below and
# the userPassword values fetched per user cross the network in clear.
server = ldap:389
net_timeout = 10
timeout = 20
timelimit = 20
ldap_debug = 0x0000
# The bind DN looks like the directory's admin account (cn=manager -- confirm)
# and its password sits in cleartext in this file, which has now been sent
# to a public mailing list. Treat the credential as exposed: rotate it, and
# bind with a read-only account limited to the attributes radiusd needs.
identity = "cn=manager,dc=uchub,dc=com"
password = whudup
ldap_cache_timeout = 120
ldap_cache_size = 0
ldap_connections_number = 5
basedn = "dc=uchub,dc=com"
filter = "(uid=%u)"
# password_header "{clear}" is the prefix stripped from userPassword, i.e.
# the directory is expected to hold cleartext passwords (what CHAP needs).
# Anyone who can read userPassword then has every password; check that the
# LDAP ACLs restrict that attribute to the bind DN above.
password_header = "{clear}"
password_attribute = "userPassword"
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmslash {
format = prefix
delimiter = "/"
}
realm realmpercent {
format = suffix
delimiter = "%"
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
fastusers {
usersfile = ${confdir}/users_fast
hashsize = 1000
compat = no
hash_reload = 600
}
detail {
# One detail file per client address, owner-only permissions.
detailfile = ${radacctdir}/%{Client-IP-Address}/detail
detailperm = 0600
}
acct_unique {
# The key string below is wrapped over two lines by the mail client; in the
# real file it is presumably a single quoted string.
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port-Id"
}
# sql.conf (not shown) usually carries database credentials -- same handling
# as the LDAP password above.
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
perm = 0600
callerid = "yes"
}
# This second radutmp instance is world-readable (0644); fine if other tools
# are meant to read it, otherwise use 0600 like the one above.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter {
filename = ${raddbdir}/db.counter
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
# Sample section from the stock config; not referenced by any section below.
example {
boolean = yes
integer = 16
string = "This is an example configuration string"
ipaddr = 127.0.0.1
mysubsection {
anotherinteger = 1000
deeply nested {
string = "This is a different string"
}
}
}
}
# Module order is the point of the quoted reply: files runs before ldap so
# the users file's "DEFAULT Auth-Type = PAP" is applied before rlm_ldap can
# default Auth-Type to LDAP for PAP requests. suffix (realm stripping) runs
# last here -- confirm that is intended, since the users entry checks Suffix.
authorize {
preprocess
chap
files
ldap
suffix
}
authenticate {
# pam
chap
# Auth-Type = PAP requests go to rlm_pap, which presumably compares the
# request password against the userPassword value rlm_ldap added in
# authorize rather than binding to the directory -- confirm in radiusd -X.
authtype PAP {
pap
}
}
preacct {
files
preprocess
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
-----Original Message-----
From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 4:06 AM
To: Michael S. McCollough
Cc: '[EMAIL PROTECTED]'
Subject: RE: CHAP-LDAP PAP-LDAP
On Wed, 27 Mar 2002, Michael S. McCollough wrote:
> I noticed in radiusd -X that PAP tries to bind to the LDAP directory,
> whereas CHAP appears to do a simple search/read. The bind status does not
> show up in the debug output. Is there a way to make PAP behave like CHAP
> with the ldap module?
You would have saved yourself a lot of trouble if you just copied the
configuration I sent in my email. In any case let me explain what is
happening. You have in your authorize section:
# Order as originally posted: ldap runs before files, so for a PAP request
# (Auth-Type still unset after chap) rlm_ldap defaults Auth-Type to LDAP and
# the pap module is never reached.
authorize {
chap
ldap
files
}
So chap runs first: if it finds that we have a CHAP request it sets
Auth-Type to CHAP. After that ldap runs: if Auth-Type has not been set
(meaning that we have a PAP request) it will by default set it to LDAP.
So in the case of PAP requests you end up calling the ldap module for
authentication and not the pap module (they are two different things).
So what you need to do is put files *before* ldap in the authorize
section and set the Auth-Type to PAP, if it has not already been set by
the chap module, with the following line in the users file:
DEFAULT Auth-Type = PAP
Notice that we use '=' and not ':='. That way we set Auth-Type to PAP *only*
if it has not already been set.
After that add an authtype PAP section in the authenticate section (I am not
completely sure if it is needed though) like this:
# Illustrative only: the bracketed line stands in for whatever other modules
# the authenticate section already lists.
authenticate{
[bla bla bla other modules]
authtype PAP {
pap
}
}
and everything should work just fine.
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf