David W Bell wrote:
David W Bell wrote:
Ranner, Frank MR wrote:
UNCLASSIFIED

Config as requested - I did uncomment and configure the identity section - is this not required?

        ldap {
                #
                #  Note that this needs to match the name in the LDAP
                #  server certificate, if you're using ldaps.
                server = "localhost"
                identity = "cn=Administrator,dc=dxi,dc=net"
                password = trPic4n03
                basedn = "dc=dxi,dc=net"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                #base_filter = "(objectclass=radiusprofile)"

                #  How many connections to keep open to the LDAP server.
                #  This saves time over opening a new LDAP socket for
                #  every authentication request.
                ldap_connections_number = 5

                #  seconds to wait for LDAP query to finish. default: 20
                timeout = 4

                #  seconds LDAP server has to process the query (server-side
                #  time limit). default: 20
                #
                #  LDAP_OPT_TIMELIMIT is set to this value.
                timelimit = 3

                #
                #  seconds to wait for response of the server. (network
                #  failures) default: 10
                #
                #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
                net_timeout = 1

                tls {
                        # Set this to 'yes' to use TLS encrypted connections
                        # to the LDAP database by using the StartTLS extended
                        # operation.
                        #
                        # The StartTLS operation is supposed to be
                        # used with normal ldap connections instead of
                        # using ldaps (port 636) connections
                        start_tls = no

                        # cacertfile    = /path/to/cacert.pem
                        # cacertdir     = /path/to/ca/dir/
                        # certfile      = /path/to/radius.crt
                        # keyfile       = /path/to/radius.key
                        # randfile      = /path/to/rnd

                        #  Certificate Verification requirements.  Can be:
                        #    "never"  (don't even bother trying)
                        #    "allow"  (try, but don't fail if the certificate
                        #              can't be verified)
                        #    "demand" (fail if the certificate doesn't verify.)
                        #
                        #  The default is "allow"
                        # require_cert  = "demand"
                }

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                # access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${confdir}/ldap.attrmap

                #  Set password_attribute = nspmPassword to get the
                #  user's password from a Novell eDirectory
                #  backend. This will work ONLY IF FreeRADIUS has been
                #  built with the --with-edir configure option.
                #
                # password_attribute = userPassword
Thanks for the tip - tried it and it didn't work

Worth a try though - so thanks

David

rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
       expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
       expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
 rad_check_password:  Found Auth-Type
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.        !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "p455w0rd"
rlm_pap: Using clear text password "{crypt}e/2iGeomYrGLo"
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [belld/p455w0rd] (from client 212.95.252.25 port 0)
 Found Post-Auth-Type Reject
+- entering group REJECT
       expand: %{User-Name} -> belld
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 17 to 212.95.252.25 port 32116
Waking up in 4.9 seconds.
Cleaning up request 0 ID 17 with timestamp +3
Ready to process requests.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Looking at this, it seems that the LDAP record is holding the password with a certain encryption, and that Radius needs to be told to encrypt the password it has passed to it in that format.

Anyone know what the LDAP encryption would be, and how to influence RADIUS's treatment of the password?

David

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Now fixed.

All I had to do in the end was add the line for "userPassword" and then change this from no to yes:

       pap {
               auto_header = yes
       }

in my radiusd.conf file, which allows radius to work out how to encrypt the password - in this case I *THINK* against a /etc/shadow format hash

[EMAIL PROTECTED]:~$ radtest belld p455w0rd 212.95.255.242 10 testing
Sending Access-Request of id 129 to 212.95.255.242 port 1812
       User-Name = "belld"
       User-Password = "p455w0rd"
       NAS-IP-Address = 255.255.255.255
       NAS-Port = 10
rad_recv: Access-Accept packet from host 212.95.255.242:1812, id=129, length=20

Thanks for everyone's help in this

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
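The debug log above shows why the first attempt failed: rlm_ldap copied the directory's userPassword value, header and all ("{crypt}e/2iGeomYrGLo"), into a clear-text check item, so rlm_pap compared the literal string against "p455w0rd". With auto_header = yes, rlm_pap instead reads the "{scheme}" prefix and verifies the candidate against the hash. The following Python script is an added example that emulates that behaviour for the headers rlm_pap recognises; it is not FreeRADIUS's own rlm_pap code. All sample passwords and salts are constructed inline, the {crypt} branch relies on the (deprecated, removed in Python 3.13) crypt module and is skipped when it is missing, and the function names are this example's own. One caveat that follows from this: once the directory holds a {crypt} or {ssha} hash, only PAP can be verified against it; CHAP and MS-CHAP need the clear-text or NT-hash form of the password.

```python
import base64
import hashlib
import hmac

try:
    import crypt  # crypt(3) binding; deprecated in 3.11, absent in 3.13+
except ImportError:
    crypt = None


def split_header(stored):
    """Split an LDAP-style '{scheme}payload' string into (scheme, payload).

    Returns (None, stored) when no header is present; an unlabelled value
    is treated as a clear-text password, which is what auto_header = no
    does with everything.
    """
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].lower(), stored[end + 1:]
    return None, stored


def make_ldap_hash(scheme, password, salt=b""):
    """Build a hashed userPassword value for the constructed sample data.

    {sha}/{md5} are unsalted base64 digests; {ssha}/{smd5} append the salt
    to the digest inside the base64 blob (OpenLDAP convention).
    """
    algo = {"sha": "sha1", "ssha": "sha1", "md5": "md5", "smd5": "md5"}[scheme]
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify_with_auto_header(stored, candidate):
    """Emulate pap { auto_header = yes }: choose the check by the header."""
    scheme, payload = split_header(stored)
    cand = candidate.encode()
    if scheme in (None, "clear", "cleartext"):
        return hmac.compare_digest(payload.encode(), cand)
    if scheme == "crypt":
        if crypt is None:
            raise RuntimeError("crypt(3) not available in this Python build")
        # crypt(3) re-hashes the candidate with the salt embedded in the
        # stored string; equality means the password matched
        return hmac.compare_digest(crypt.crypt(candidate, payload), payload)
    if scheme in ("md5", "smd5", "sha", "ssha"):
        algo = "md5" if scheme in ("md5", "smd5") else "sha1"
        raw = base64.b64decode(payload)
        size = hashlib.new(algo).digest_size
        digest, salt = raw[:size], raw[size:]  # salt is empty for {md5}/{sha}
        computed = hashlib.new(algo, cand + salt).digest()
        return hmac.compare_digest(computed, digest)
    raise ValueError("unsupported password header {%s}" % scheme)


def verify_without_auto_header(stored, candidate):
    """Emulate auto_header = no with the hash copied into a clear-text check
    item: the whole stored string, header included, is compared literally.
    This is the 'Passwords don't match' path in the thread's debug output."""
    return hmac.compare_digest(stored.encode(), candidate.encode())


def demo():
    """Run both checks over a constructed {ssha} entry; returns the outcomes."""
    stored = make_ldap_hash("ssha", "p455w0rd", salt=b"\x01\x02\x03\x04")
    return {
        "auto_header_correct_pw": verify_with_auto_header(stored, "p455w0rd"),
        "auto_header_wrong_pw": verify_with_auto_header(stored, "password"),
        "literal_compare": verify_without_auto_header(stored, "p455w0rd"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, "accept" if ok else "reject"))
    if crypt is not None:
        # the thread's hash; crypt(3) DES support varies between libc builds
        print("crypt check:", verify_with_auto_header("{crypt}e/2iGeomYrGLo", "p455w0rd"))
```

Running it prints accept only for the auto_header check with the right password; the literal comparison rejects even the correct password, exactly as the log shows. The {crypt} line at the end is informational only, since traditional DES crypt is not available in every libc.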
