Re: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

[David W Bell]

Ranner, Frank MR wrote:
UNCLASSIFIED
  
Config as requested - I did uncomment and configure the identity 
section
- is this not required?

        ldap {
                #
                #  Note that this needs to match the name in the LDAP
                #  server certificate, if you're using ldaps.
                server = "localhost"
                identity = "cn=Administrator,dc=dxi,dc=net"
                password = trPic4n03
                basedn = "dc=dxi,dc=net"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                #base_filter = "(objectclass=radiusprofile)"

                #  How many connections to keep open to the LDAP 
server.
                #  This saves time over opening a new LDAP socket for
                #  every authentication request.
                ldap_connections_number = 5

                # seconds to wait for LDAP query to finish. 
default: 20
                timeout = 4

                #  seconds LDAP server has to process the query 
(server-side
                #  time limit). default: 20
                #
                #  LDAP_OPT_TIMELIMIT is set to this value.
                timelimit = 3

                #
                #  seconds to wait for response of the server. 
(network
                #   failures) default: 10
                #
                #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
                net_timeout = 1
                tls {
                        # Set this to 'yes' to use TLS encrypted 
connections
                        # to the LDAP database by using the StartTLS 
extended
                        # operation.
                        #
                        # The StartTLS operation is supposed to be
                        # used with normal ldap connections instead of
                        # using ldaps (port 689) connections
                        start_tls = no

                        # cacertfile    = /path/to/cacert.pem
                        # cacertdir             = /path/to/ca/dir/
                        # certfile              = /path/to/radius.crt
                        # keyfile               = /path/to/radius.key
                        # randfile              = /path/to/rnd

                        #  Certificate Verification requirements.  Can
    

  
be:
                        #    "never" (don't even bother trying)
                        #    "allow" (try, but don't fail if 
the cerificate
                        #               can't be verified)
                        #    "demand" (fail if the 
certificate doesn't
verify.)
                        #
                        #       The default is "allow"
                        # require_cert  = "demand"
                }

                # default_profile =
"cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                # access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${confdir}/ldap.attrmap

                #  Set password_attribute = nspmPassword to get the
                #  user's password from a Novell eDirectory
                #  backend. This will work ONLY IF FreeRADIUS has been
                #  built with the --with-edir configure option.
                #
                # password_attribute = userPassword
    
Thanks for the tip - tried it and it didnt work

Worth a try tho - so thanks

David

rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
       expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
       expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
 rad_check_password:  Found Auth-Type
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with 
Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known 
good"               !!!
!!! clear text password is in Cleartext-Password, and not in 
User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "p455w0rd"
rlm_pap: Using clear text password "{crypt}e/2iGeomYrGLo"
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): 
[belld/p455w0rd] (from client 212.95.252.25 port 0)
 Found Post-Auth-Type Reject
+- entering group REJECT
       expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 17 to 212.95.252.25 port 32116
Waking up in 4.9 seconds.
Cleaning up request 0 ID 17 with timestamp +3
Ready to process requests.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html