My first-born for a life without CHAP.
I have LDAP working with both PAP and CHAP, as long as
compare_check_items is turned off. This is what happens with a CHAP
authentication attempt without compare_check_items:
rlm_chap: Adding Auth-Type = CHAP
modcall[authorize]: module "chap" returns ok
modcall[authorize]: module "files" returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myraduser
radius_xlat: '(uid=myraduser)'
radius_xlat: 'ou=people,dc=nodewarrior,dc=org'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: setting TLS mode to 4
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=people,dc=nodewarrior,dc=org, with filter
(uid=myraduser)
rlm_ldap: Added password grunk in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusClearTextPassword as User-Password, value grunk & op=11
Adding check item 2, value grunk
rlm_ldap: looking for reply items in directory...
rlm_ldap: user myraduser authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
modcall: entering group authtype
...etc. The authentication succeeds, anyway.
This is with compare_check_items turned on. Some of the debugging
output may not look familiar; I have added a few DEBUG() lines.
rlm_chap: Adding Auth-Type = CHAP
modcall[authorize]: module "chap" returns ok
modcall[authorize]: module "files" returns notfound
rlm_ldap: - authorize
rlm_ldap: performing user authorization for myraduser
radius_xlat: '(uid=myraduser)'
radius_xlat: 'ou=people,dc=nodewarrior,dc=org'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: setting TLS mode to 4
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=people,dc=nodewarrior,dc=org, with filter
(uid=myraduser)
rlm_ldap: Added password grunk in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusClearTextPassword as User-Password, value grunk & op=11
rlm_ldap: Adding check item 2, value grunk
rlm_ldap: looking for reply items in directory...
rlm_ldap: (ldap) attr 1000, value CHAP
rlm_ldap: (ldap) attr 2, value grunk
rlm_ldap: (request) attr 3, value <JUNK>
rlm_ldap: (request) attr 1, value myraduser
rlm_ldap: (request) attr 1053, value uid=myraduser,ou=people,dc=nodewarrior,dc=org
paircmp: comparing check 1000
rlm_ldap: Pairs do not match. Rejecting user.
As you can see, it looks like it's complaining because there's no
Auth-Type = CHAP in the request. It works with PAP because rlm_pap
doesn't add Auth-Type, and rlm_ldap doesn't add it until after paircmp
is called.
By my reading, the lack of attribute 2 in the request shouldn't be an
issue. Given that Auth-Type should never appear in a packet, doesn't
it make sense to ignore it as well?
Here are the relevant parts of my (embryonic, testing-only) config:
modules {
        # /etc/raddb/users is empty...
        files {
                usersfile = ${confdir}/users
                compat = no
        }
        chap {
        }
        pap {
                encryption_scheme = crypt
        }
        ldap {
                server = "localhost"
                basedn = "ou=people,dc=nodewarrior,dc=org"
                filter = "(uid=%u)"
                password_attribute = "radiusClearTextPassword"
                compare_check_items = yes
                dictionary_mapping = ${raddbdir}/ldap.attrmap
        }
}
authorize {
        chap
        files
        ldap
}
authenticate {
        authtype CHAP {
                chap
        }
        authtype LDAP {
                ldap
        }
}
Thanks,
Dan
--
/^Dan Debertin$/
[EMAIL PROTECTED] | Did I sleep a little too late,
www.nodewarrior.org | or am I awake? --Byrne
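As an added illustration (not code from the post or from FreeRADIUS itself), this Python sketch models the check-item comparison the log above describes: the password check item is verified against either a PAP User-Password or a CHAP-Password digest, and server-internal attributes such as Auth-Type (1000) are skipped because they never appear in a packet. Attribute numbers follow RFC 2865 plus FreeRADIUS's internal 1000; the request, challenge and authenticator are constructed sample values.

```python
import hashlib
import hmac

# RADIUS attribute numbers (RFC 2865); 1000 is FreeRADIUS's internal Auth-Type.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE, AUTH_TYPE = 1, 2, 3, 60, 1000

# Server-internal attributes never travel on the wire, so a check item for one
# of them can never be matched against the request and must be skipped.
INTERNAL_ATTRS = {AUTH_TYPE}


def chap_password(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-Password as a client builds it: ident || MD5(ident || secret || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + secret + challenge).digest()


def password_matches(request: dict, cleartext: bytes, authenticator: bytes) -> bool:
    """Check the cleartext from the directory against the proof the request carries."""
    if USER_PASSWORD in request:                      # PAP: literal comparison
        return hmac.compare_digest(request[USER_PASSWORD], cleartext)
    if CHAP_PASSWORD in request:                      # CHAP: recompute the digest
        chap = request[CHAP_PASSWORD]
        # Without a CHAP-Challenge attribute the Request Authenticator is the challenge.
        challenge = request.get(CHAP_CHALLENGE, authenticator)
        return hmac.compare_digest(chap, chap_password(chap[0], cleartext, challenge))
    return False                                      # no password proof at all


def compare_check_items(check: dict, request: dict, authenticator: bytes,
                        skip_internal: bool = True) -> bool:
    """True if every check item is satisfied by the request.

    skip_internal=False reproduces the rejection in the log: Auth-Type is in
    the check list but the request can never contain it, so paircmp fails."""
    for attr, value in check.items():
        if attr == USER_PASSWORD:
            if not password_matches(request, value, authenticator):
                return False
        elif skip_internal and attr in INTERNAL_ATTRS:
            continue
        elif request.get(attr) != value:
            return False
    return True


# Constructed sample: the check items rlm_ldap built for myraduser, plus a CHAP request.
CHECK_ITEMS = {AUTH_TYPE: b"CHAP", USER_PASSWORD: b"grunk"}
AUTHENTICATOR = bytes(range(16))                      # constructed Request Authenticator
CHALLENGE = b"0123456789abcdef"                       # constructed CHAP-Challenge
CHAP_REQUEST = {USER_NAME: b"myraduser",
                CHAP_PASSWORD: chap_password(7, b"grunk", CHALLENGE),
                CHAP_CHALLENGE: CHALLENGE}
```

Calling `compare_check_items(CHECK_ITEMS, CHAP_REQUEST, AUTHENTICATOR)` accepts the user, while the same call with `skip_internal=False` rejects it exactly as the log shows.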