On Fri, 27 Aug 2004, Alan DeKok wrote:

>   If it's what your client is configured to use.

I guess it is, and don't think I can change that.

>   The NT-Password is just the hash of the clear-text password.

Okay, but my LDAP server is storing crypted passwords.

> > modcall: entering group Auth-Type for request 4
> >   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
> >   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
> >   rlm_mschap: Told to do MS-CHAPv2 for sotnickd with NT-Password
> >   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>
>   You've got to tell the server what the clear-text password is for
> the user.  I suggest putting it into the LDAP database, as it isn't
> found there now:

> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: performing search in o=ddv.com, with filter (uid=sotnickd)
> > rlm_ldap: looking for check items in directory...

Right. The passwords are in LDAP, but crypted. Can I get Freeradius to
deal with those -- even when the client is requesting MS-CHAP
authentication inside the TTLS/EAP session?

I have non-EAP clients working fine:

modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "sotnickd" with password "<DELETED>"
rlm_ldap: user DN: uid=sotnickd,ou=people,o=ddv.com
rlm_ldap: (re)connect to ldap.ddv.com:389, authentication 1
rlm_ldap: bind as uid=sotnickd,ou=people,o=ddv.com/b2lowfish to ldap.ddv.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user sotnickd authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Login OK: [sotnickd] (from client switchland port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat:  '/usr/local/var/log/radius/radacct/192.168.250.102/reply-detail-20040827'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.250.102/reply-detail-20040827
  modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: group post-auth returns ok for request 0
Sending Access-Accept of id 22 to 192.168.250.102:1091

So, will this work if my LDAP passwords are crypted and yet the clients
want to use MSCHAP and are expecting the back-end passwords to be
plaintext?

-David

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
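An added illustration of the point behind this thread (it is not part of David's or Alan's messages and is not FreeRADIUS code): MS-CHAPv2 lets the server check a response only if it holds the NT-Password, which is the MD4 digest of the UTF-16LE clear-text password. A `{crypt}` or `{SSHA}` value in LDAP is a one-way hash of a different kind; it can verify a clear-text password that arrives via PAP (as in the working non-EAP log above), but no NT hash can be derived from it, which is exactly what `rlm_mschap: No User-Password configured. Cannot create NT-Password.` is reporting. The MD4 routine is written out because `hashlib` often lacks md4 on current OpenSSL builds; the `userPassword` prefix classification, the `{NT}` prefix and the sample values are constructed assumptions, not a list of what any particular FreeRADIUS release accepts.

```python
import base64
import hashlib
import hmac
import re
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), the digest behind the Windows NT-Password."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    # Pad to 56 mod 64 bytes, then append the 64-bit little-endian bit length.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [
        (f, 0x00000000, list(range(16)), [3, 7, 11, 19]),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]),
    ]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = state[:]
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # Step i operates on the registers rotated by i: (a,b,c,d), (d,a,b,c), ...
                a, b, c, d = (v[(j - i) % 4] for j in range(4))
                v[(0 - i) % 4] = rotl((a + func(b, c, d) + x[k] + const) & mask, shifts[i % 4])
        state = [(s + t) & mask for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT-Password as rlm_mschap would derive it from a clear-text User-Password."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Assumed LDAP userPassword scheme prefixes (constructed for this example).
ONE_WAY_SCHEMES = {"CRYPT", "MD5", "SMD5", "SHA", "SSHA"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def mschap_usable(user_password: str):
    """Return (usable, reason): can an MS-CHAP check be served from this stored value?"""
    m = SCHEME_RE.match(user_password)
    if not m:
        return True, "clear text: NT-Password can be computed as MD4(UTF-16LE)"
    scheme = m.group(1).upper()
    if scheme == "NT":  # assumption: a stored NT hash, usable directly
        return True, "stored NT hash: usable directly"
    if scheme in ONE_WAY_SCHEMES:
        return False, f"{{{scheme}}} is a one-way hash: NT-Password cannot be derived"
    return False, f"unknown scheme {{{scheme}}}"


def ssha_encode(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, candidate: str) -> bool:
    """PAP-style check: works because the clear-text candidate is available."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


if __name__ == "__main__":
    # Constructed sample directory entries.
    entries = {
        "pap-user": ssha_encode("correct horse", b"constructed-salt"),
        "crypt-user": "{crypt}$1$constructed$notarealhashvalue",
        "clear-user": "correct horse",
    }
    for uid, stored in entries.items():
        ok, why = mschap_usable(stored)
        print(f"{uid:11s} MS-CHAP {'OK ' if ok else 'FAIL'}: {why}")
    print("PAP against {SSHA}:", ssha_verify(entries["pap-user"], "correct horse"))
    print("NT-Password for clear-user:", nt_hash(entries["clear-user"]))
```

The asymmetry is the whole answer to David's question: PAP hands the server the clear text, so any one-way hash in LDAP can be checked; MS-CHAPv2 hands the server only a challenge response, so the server must already hold the NT hash (or the clear text to compute it). Storing the clear text or a `sambaNTPassword`-style NT hash beside the crypt value is what makes MS-CHAP inside TTLS work; a crypted `userPassword` alone cannot.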
