On Fri, 28 Mar 2008, Ivan Kalik wrote:
You have obviously ignored the warnings about storing User-Password attribute:
No, I don't believe that I can be said to have ignored it at all. In fact, I'm under the impression that I made very clear in my earlier message that I'm not ignoring this warning. I may not be doing the right thing to deal correctly with what causes it, but that's another matter entirely, and why I am putting myself at the mercy of experts for help. I wrote:
The text "User-Password" appears in exactly the following places in my raddb directory (not counting comment lines):

    ./attrs.pre-proxy:            User-Password =* ANY,
    ./sql/mysql/dialup.conf:      '%{%{User-Password}:-%{Chap-Password}}', \
    ./sql/postgresql/dialup.conf: VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

These files are as shipped with FreeRADIUS-2.0.3. I'm trying to get this done with minimal change to the default configuration, since it appears that's what is expected. Which of the above needs to change? (attrs.pre-proxy?)
... So server translates User-Password to Cleartext-Password and the check fails since the password is encrypted.
Understood, yes.
Configure ldap section to use SSHA-Password as password attribute instead.
That's what I believed I HAD done with the following, from the diff of my radiusd.conf file against the default radiusd.conf that ships with 2.0.3, originally included after the signature in my first message:
@@ -820,7 +825,8 @@ # Novell may require TLS encrypted sessions before returning # the user's password. # - # password_attribute = userPassword + password_attribute = userPassword + password_radius_attribute = "SSHA-Password"
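Review bot: the added `password_radius_attribute = "SSHA-Password"` line does not appear to take effect, because the radiusd debug output later in this message still shows `rlm_ldap: Added User-Password = {SSHA}... in check items` rather than an SSHA-Password check item; the shipped configuration visible in this hunk's context only documents `password_attribute`, so confirm that `password_radius_attribute` is an option name this rlm_ldap actually reads (look at the `radiusd -X` startup output for any complaint about it) before relying on it. Note also that the hunk leaves `password_attribute = userPassword` enabled, and that is the setting that pulls the directory value into the request, which is what the `Added User-Password` debug line shows happening.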
If the above is not the correct way to accomplish what I am trying to do, I would be very grateful if someone would point me in the right direction to find what is the correct way. The radtest test against a user in the LDAP data succeeds. How do I get from here to having successful authentication through TTLS against the same LDAP data, without the above warning?
radtest j_doe '*SANITIZED*' localhost:1814 1 testing123
        User-Name = "j_doe"
        User-Password = "*SANITIZED*"
        NAS-IP-Address = 192.168.7.47
        NAS-Port = 1

Older versions of radtest would report receiving "Access-Accept", while this one silently exits. However, radiusd in this case says:

Ready to process requests.
        User-Name = "j_doe"
        User-Password = "*SANITIZED*"
        NAS-IP-Address = 192.168.7.47
        NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "j_doe", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for j_doe
        expand: %{Stripped-User-Name} ->
        expand: %{User-Name} -> j_doe
        expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(search filter trimmed for brevity)) -> (&(cn=j_doe)(search filter trimmed for brevity))
        expand: ou=people,dc=concordia,dc=ca -> ou=people,dc=concordia,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost boris:389, authentication 0
rlm_ldap: bind as cn=iits_neg,ou=AdminRoles,dc=concordia,dc=ca/*SANITIZED* to localhost boris:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=concordia,dc=ca, with filter (&(cn=j_doe)(search filter trimmed for brevity))
rlm_ldap: Added User-Password = {SSHA}*SANITIZED*QDmffXBQkU42Wt9x*SANITIZED*== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user j_doe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "*SANITIZED*"
rlm_pap: Using SSHA encryption.
rlm_pap: Normalizing SSHA1-Password from base64 encoding
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [j_doe/*SANITIZED*] (from client localhost port 1)
Finished request 0.
Going to the next request
Thanks for following up, and for any additional help ...

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              [EMAIL PROTECTED]

Systems and Network analyst              Concordia University
Instructional & Information Technology   Montreal, Quebec, Canada
----------------------------------------------------------------------

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
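An added worked example, not part of the original thread and not FreeRADIUS code: the debug output above shows rlm_ldap placing the directory's {SSHA} value into User-Password, and rlm_pap then "Normalizing SSHA1-Password from base64 encoding" before checking the login. The Python below models that check so the distinction the warning is about is visible in code: it strips the RFC 2307 scheme header from an LDAP userPassword value, names the FreeRADIUS check item that value belongs in (the header-to-attribute table, the function names and the helper that builds a sample {SSHA} entry are my own, an illustration of the mapping rather than rlm_ldap's or rlm_pap's logic), and verifies a candidate password against the {SSHA}, {SHA} and cleartext forms. The sample password and salt are constructed for the example; nothing is taken from the sanitized log.

```python
import base64
import hashlib
import hmac
from typing import Tuple

# Scheme header as stored in the LDAP userPassword attribute -> the FreeRADIUS
# check item it belongs in.  SSHA-Password and Cleartext-Password are the names
# used in the thread above; the table as a whole is an illustration for this
# example, not rlm_ldap's own mapping.
SCHEME_TO_ATTR = {
    "{SSHA}": "SSHA-Password",
    "{SHA}": "SHA-Password",
    "{CLEAR}": "Cleartext-Password",
    "": "Cleartext-Password",  # no header at all: the directory holds cleartext
}

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: str, salt: bytes) -> str:
    """Build an RFC 2307 {SSHA} value: base64(SHA1(password || salt) || salt).

    Helper used only to construct sample directory entries for this example.
    """
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def classify(ldap_value: str) -> Tuple[str, str]:
    """Return (radius_check_attribute, payload) for an LDAP userPassword value."""
    if ldap_value.startswith("{"):
        end = ldap_value.find("}")
        if end < 0:
            raise ValueError("unterminated password scheme header")
        header, payload = ldap_value[: end + 1].upper(), ldap_value[end + 1 :]
    else:
        header, payload = "", ldap_value
    if header not in SCHEME_TO_ATTR:
        raise ValueError("unsupported password scheme %s" % header)
    return SCHEME_TO_ATTR[header], payload


def verify(ldap_value: str, candidate: str) -> bool:
    """Check a cleartext candidate against a stored directory value.

    Mirrors the steps in the debug output: pick the scheme, base64-decode
    ("normalize") the stored value, hash the candidate the same way, compare.
    """
    attr, payload = classify(ldap_value)
    cand = candidate.encode("utf-8")
    if attr == "Cleartext-Password":
        return hmac.compare_digest(payload.encode("utf-8"), cand)

    raw = base64.b64decode(payload, validate=True)
    if attr == "SHA-Password":
        if len(raw) != SHA1_LEN:
            raise ValueError("bad {SHA} digest length")
        digest, salt = raw, b""
    else:  # SSHA-Password: 20-byte digest followed by the salt
        if len(raw) <= SHA1_LEN:
            raise ValueError("{SSHA} value carries no salt")
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]

    expected = hashlib.sha1(cand + salt).digest()
    # Constant-time comparison so a wrong guess leaks nothing via timing.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample entry; password and salt are made up for this example.
    stored = make_ssha("correct-horse", b"\x0b\xad\xca\xfe")
    print(classify(stored)[0], verify(stored, "correct-horse"), verify(stored, "wrong"))
```

The point of naming the check item: the request already carries the user's cleartext in User-Password, so the stored hash has to land in a separate check item (SSHA-Password here) for a hash-to-hash comparison to be possible. When the directory value is added as User-Password instead, as the debug line above shows, the server has to guess which of the two it is looking at, which is what the warning in the earlier message is about and why Ivan's reply says the translation to Cleartext-Password fails.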

