Dear Andreas Grote,
Oy, yeah - and you needn't call
AG> modcall[authorize]: module "mschap" returns ok
mschap in authorize, because you already have all your attributes from
LDAP. mschap in authorize is only required if you store cleartext
passwords; in that case it produces the NT/LM hashes from the cleartext.
--Friday, April 26, 2002, 2:04:52 AM, you wrote to [EMAIL PROTECTED]:
AG> Hi, I am trying to get MS-CHAP working with LDAP, and yes I read the whole
AG> mailing list up and down. But I couldn't find a proper answer for this
AG> problem. Actually I find the postings give different suggestions and it
AG> seems like nobody really knows how to configure this and is just giving good
AG> guesses. Prove me wrong please!
AG> I posted some info below.
AG> ----------------------------------------------
AG> If I uncomment "etc/smbpasswd" (in the module section for mschap in the
AG> radius.conf)
AG> and use the samba passwords (that happen to be on the machine also), it
AG> works just fine.
AG> But with the attempt to retrieve the (NT/LM) passwords with LDAP it rejects
AG> without an error message??
AG> Just saying "modcall[authenticate]: module "mschap" returns reject"
AG> ================= debug ======================
AG> rad_recv: Access-Request packet from host 192.168.168.111:1024, id=14,
AG> length=108
AG> Thread 1 assigned request 0
AG> --- Walking the entire request list ---
AG> Threads: total/active/spare threads = 5/1/4
AG> Nothing to do. Sleeping until we see a request.
AG> Thread 1 handling request 0, (1 handled so far)
AG> User-Name = "user"
AG> MS-CHAP-Challenge = 0xaeeb7b7ea94305a4a20b12c12858587e
AG> MS-CHAP2-Response =
AG> 0x010051fba451d02d5b08c1ae0c07740de2040000000000000000829b7aa6fd5a35e9f0d2a
AG> 076ce705faa1b4768cd941b1dab
AG> modcall: entering group authorize
AG> modcall[authorize]: module "preprocess" returns ok
AG> rlm_ldap: - authorize
AG> rlm_ldap: performing user authorization for user
AG> radius_xlat: '(uid=user)'
AG> radius_xlat: 'dc=uni-lueneburg,dc=de'
AG> ldap_get_conn: Got Id: 0
AG> rlm_ldap: attempting LDAP reconnection
AG> rlm_ldap: (re)connect to 192.168.168.45:389, authentication 0
AG> rlm_ldap: bind as cn=admin,dc=uni-lueneburg,dc=de/12345678
AG> rlm_ldap: waiting for bind result ...
AG> rlm_ldap: performing search in dc=uni-lueneburg,dc=de, with filter
AG> (uid=user)
AG> rlm_ldap: Added password 57D583AA46D571502AAD4BB7AEA09C70 in check items
AG> rlm_ldap: looking for check items in directory...
AG> rlm_ldap: Adding radiusdarfdas as darfdas, value 1 & op=11
AG> rlm_ldap: looking for reply items in directory...
AG> rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=11
AG> rlm_ldap: Adding ntPassword as NT-Password, value
AG> 57D583AA46D571502AAD4BB7AEA09C70 & op=11
AG> rlm_ldap: Adding lmPassword as LM-Password, value
AG> 22124EA690B83BFBAAD3B435B51404EE & op=11
AG> rlm_ldap: user user authorized to use remote access
AG> ldap_release_conn: Release Id: 0
AG> modcall[authorize]: module "ldap" returns ok
AG> users: Matched DEFAULT at 178
AG> modcall[authorize]: module "files" returns ok
AG> modcall[authorize]: module "mschap" returns ok
AG> modcall: group authorize returns ok
AG> rad_check_password: Found Auth-Type MS-CHAP
AG> auth: type "MS-CHAP"
AG> modcall: entering group authenticate
AG> modcall[authenticate]: module "mschap" returns reject
AG> modcall: group authenticate returns reject
AG> auth: Failed to validate the user.
AG> Delaying request 0 for 1 seconds
AG> Finished request 0
AG> Going to the next request
AG> Thread 1 waiting to be assigned a request
AG> ===============radius.conf=======================
AG> authorize {
AG> ldap
AG> files
AG> mschap
AG> }
AG> authenticate {
AG> mschap
AG> }
AG> =================user=========================
AG> DEFAULT Auth-Type := MS-Chap
AG> DEFAULT Fall-Through = no
AG> ================ldap config====================
AG> ldap {
AG> server = "192.168.168.45"
AG> identity = "cn=admin,dc=donknow,dc=de"
AG> password = secret
AG> basedn = "dc=uni-lueneburg,dc=de"
AG> #authtype = "MS-CHAP"
AG> filter = "(uid=%u)"
AG> start_tls = no
AG> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
AG> # profile_attribute = "radiusProfileDn"
AG> #access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
AG> #access_attr = "displayName"
AG> #access_group = "dc=donknow,dc=de"
AG> dictionary_mapping = ${raddbdir}/ldap.attrmap
AG> # ldap_cache_timeout = 120
AG> # ldap_cache_size = 0
AG> ldap_connections_number = 5
AG> # password_header = "{clear}"
AG> password_attribute = userPassword (I also tried ntPassword)
AG> # groupname_attribute = cn
AG> # groupmembership_filter =
AG> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Group
AG> OfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
AG> timeout = 4
AG> timelimit = 3
AG> net_timeout = 1
AG> }
--
~/ZARAZA
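Added example (not code from either poster): what the mschap module's authorize step computes from a cleartext password, the NT hash (MD4 over the UTF-16LE password) in the same 32-hex-char form rlm_ldap hands over as NT-Password above, plus a parser that splits the MS-CHAP2-Response from the debug output into the fields the authenticate step checks against that hash. MD4 is inlined because hashlib's md4 is frequently unavailable under OpenSSL 3; the sample response is the one from the quoted debug log.

```python
import struct

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data):
    """RFC 1320 MD4, inlined because hashlib's md4 is often disabled in OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                r = (a + fn(b, c, d) + x[j] + k) & 0xFFFFFFFF
                a, b, c, d = d, _rotl(r, shifts[i % 4]), b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_password(cleartext):
    """NT hash = MD4(UTF-16LE(password)); this is what mschap in authorize derives
    from a cleartext User-Password, here in the hex form seen as NT-Password."""
    return md4(cleartext.encode("utf-16-le")).hex().upper()

def parse_mschap2_response(hexstr):
    """Split the 50-byte MS-CHAP2-Response (RFC 2759) into its fields."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(raw))
    return {
        "ident": raw[0], "flags": raw[1],
        "peer_challenge": raw[2:18].hex(),   # 16 bytes chosen by the client
        "reserved": raw[18:26].hex(),        # 8 bytes, must be zero
        "nt_response": raw[26:50].hex(),     # 24 bytes derived from the NT hash
    }

# Value copied from the MS-CHAP2-Response line in the quoted debug output.
RESPONSE = "0x010051fba451d02d5b08c1ae0c07740de2040000000000000000829b7aa6fd5a35e9f0d2a076ce705faa1b4768cd941b1dab"

if __name__ == "__main__":
    print(nt_password("password"))
    print(parse_mschap2_response(RESPONSE))
```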
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html