On Fri, 2 Apr 2004, Sylvie Dupuy wrote:
> On Fri, 2 Apr 2004, Kostas Kalevras wrote:
>
> > On Thu, 1 Apr 2004, Ron Wahler wrote:
> >
> > > Is there a way to pass the current user and his password (assuming
> > > password in the clear) to the identity and password field, so the user
> > > can bind
> > > on their own account?
> > >
> > > So something like
> > >
> > >
> > > identity = "%{Stripped-User-Name:-%{User-Name}}"
> > > password = "%{User-Password}"
> >
> > In general identity/password is used for ldap searches, NOT for ldap
> > authentication. It is used to find the user dn from the provided username. If
> > you put the ldap module in the authenticate section it will do a bind with the
> > userdn/password and verify the user password.
>
> I am actually doing some local tests until I get a wireless NAS (I would
> like to test EAP/TTLS then).
> I can connect to the LDAP database and check that the user I supplied with
> radtest exists (read access anonymous granted) and I would like to check
> user password for authentication (sent in cleartext with radtest, stored
> in clear text in the ldap database).
> In radiusd.conf, I got uncommented
> Auth-Type LDAP {
> ldap
> }
> but when authenticating with user password rlm_ldap bind fails
>
> I read in RFC that between the NAS and freeradius User-Password is MD5
> crypted with shared secret Xored. Would this mean I can't test locally with
> radtest?
You're probably giving the wrong user password in radtest. The debug output you've
posted shows a correct ldap authentication sequence with wrong user
password.
>
> Thanks for help,
> sylvie
>
> -------------------------------------------------------------------
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for dupont
> radius_xlat: '(uid=dupont)'
> radius_xlat: 'dc=upmc,dc=fr'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as cn=admin,dc=upmc,dc=fr/ to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=upmc,dc=fr, with filter (uid=dupont)
> rlm_ldap: checking if remote access for dupont is allowed by dialupAccess
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user dupont authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "dupont" with password "truc"
> rlm_ldap: user DN: uid=dupont, dc=upmc, dc=fr
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=dupont, dc=upmc, dc=fr/truc to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind failed with invalid credentials
> modcall[authenticate]: module "ldap" returns reject for request 0
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf