... So server translates User-Password to Cleartext-Password and the
check fails since the password is encrypted.

Understood, yes.

So at the moment the server is reading your password hash out of the LDAP directory and treating it as a plaintext password string. You can test this by providing the password hash as your password during PAP authentication.

I noticed from that sample hash that your passwords have the correct {SSHA} prefix; this means you should be able to use

ldap {
        auto_header = yes
}

and the server will automatically write the hash to the correct internal attribute. At least that's how it works on ours, and we're using an OpenLDAP setup similar to yours.



Configure ldap section to use SSHA-Password as password attribute instead.

That's what I believed I HAD done with the following, from the diff of
my radiusd.conf file against the default radiusd.conf that ships with
2.0.3, originally included after the signature in my first message:

@@ -820,7 +825,8 @@
         #  Novell may require TLS encrypted sessions before returning
         #  the user's password.
         #
-        # password_attribute = userPassword
+        password_attribute = userPassword
+                password_radius_attribute = "SSHA-Password"
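Review bot: the second added line, `password_radius_attribute = "SSHA-Password"`, is not taking effect: the reply above does not recognize the option, and the radiusd debug output later in this message still shows `rlm_ldap: Added User-Password = {SSHA}...` in check items, so the hash is still being placed in User-Password rather than in SSHA-Password. The first added line merely uncomments the default `password_attribute = userPassword`, which selects the LDAP attribute to read, not the RADIUS attribute to write it to. Drop the unrecognized line (it is also indented one level deeper than the surrounding config) and try `auto_header = yes` in the ldap section, which the reply above says maps the {SSHA} header to the correct internal attribute.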

I have no idea what password_radius_attribute is. Is that a legacy configuration item?

If your password is indeed stored in the LDAP 'userPassword' attribute, which is the default, then:

                #  Set password_attribute = nspmPassword to get the
                #  user's password from a Novell eDirectory
                #  backend. This will work ONLY IF FreeRADIUS has been
                #  built with the --with-edir configure option.
                #
                password_attribute = userPassword
should suffice.


The other way you can do this is by using the LDAP module as an authentication module. When used in the authentication section it'll attempt to bind to the LDAP server using the user's UID and password. I wouldn't recommend it in your case though, as binds are comparatively slow, and it'll only work with PAP.


If the above is not the correct way to accomplish what I am trying to
do, I would be very grateful if someone would point me in the right
direction to find what is the correct way.

The radtest test against a user in the LDAP data succeeds.  How do I get
from here to having successful authentication through TTLS against the
same LDAP data, without the above warning?

   radtest j_doe '*SANITIZED*' localhost:1814 1 testing123
           User-Name = "j_doe"
           User-Password = "*SANITIZED*"
           NAS-IP-Address = 192.168.7.47
           NAS-Port = 1

Older versions of radtest would report receiving "Access-Accept", while
this one silently exits.  However, radiusd in this case says:

Ready to process requests.
        User-Name = "j_doe"
        User-Password = "*SANITIZED*"
        NAS-IP-Address = 192.168.7.47
        NAS-Port = 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "j_doe", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for j_doe
        expand: %{Stripped-User-Name} ->
        expand: %{User-Name} -> j_doe
        expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(search filter trimmed for brevity)) -> (&(cn=j_doe)(search filter trimmed for brevity))
        expand: ou=people,dc=concordia,dc=ca -> ou=people,dc=concordia,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost boris:389, authentication 0
rlm_ldap: bind as cn=iits_neg,ou=AdminRoles,dc=concordia,dc=ca/*SANITIZED* to localhost boris:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=concordia,dc=ca, with filter (&(cn=j_doe)(search filter trimmed for brevity))
rlm_ldap: Added User-Password = {SSHA}*SANITIZED*QDmffXBQkU42Wt9x*SANITIZED*==
in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user j_doe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "*SANITIZED*"
rlm_pap: Using SSHA encryption.
rlm_pap: Normalizing SSHA1-Password from base64 encoding
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [j_doe/*SANITIZED*] (from client localhost port 1)
Finished request 0.
Going to the next request

Thanks for following up, and for any additional help ...


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
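The debug output above shows the two pieces of behaviour the thread is about: rlm_ldap copying the directory's `{SSHA}...` string into a check item, and rlm_pap then recognizing the header ("Using SSHA encryption", "Normalizing SSHA1-Password from base64 encoding") and verifying the PAP password against the salted SHA-1. The following is an added example, not FreeRADIUS code and not posted by anyone in the thread, that reproduces that logic end to end so the difference between "hash treated as a cleartext string" and "hash normalized to the right check attribute" can be seen on a constructed sample. The header-to-attribute table, the function names and the sample salt are assumptions for illustration; only the SSHA1-Password name is taken from the debug output above.

```python
import base64
import hashlib
import hmac

# Scheme header -> (check attribute, digest length in bytes).
# ASSUMPTION: illustrative mapping; only SSHA1-Password is confirmed by the
# "Normalizing SSHA1-Password" line in the thread's debug output.
HEADER_MAP = {
    "{clear}":     ("Cleartext-Password", None),
    "{cleartext}": ("Cleartext-Password", None),
    "{md5}":       ("MD5-Password", 16),
    "{smd5}":      ("SMD5-Password", 16),
    "{sha}":       ("SHA1-Password", 20),
    "{ssha}":      ("SSHA1-Password", 20),
}


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value:
    base64(sha1(password || salt) || salt), with the scheme header prefixed."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def normalize_check_item(user_password: str):
    """Emulate header auto-detection on a directory password string.
    Returns (check_attribute, raw_bytes). A known header is stripped and the
    base64 body decoded; anything else is taken literally as cleartext."""
    if user_password.startswith("{") and "}" in user_password:
        header, body = user_password.split("}", 1)
        header = (header + "}").lower()          # headers are case-insensitive
        if header in HEADER_MAP:
            attr, digest_len = HEADER_MAP[header]
            if digest_len is None:
                return attr, body.encode()
            raw = base64.b64decode(body)
            if len(raw) < digest_len:
                raise ValueError(f"{attr}: decoded value shorter than {digest_len} bytes")
            return attr, raw
    return "Cleartext-Password", user_password.encode()


def pap_check(password: str, attr: str, raw: bytes) -> bool:
    """PAP comparison of a supplied password against a normalized check item.
    Salted schemes carry the salt after the digest, so it is recovered from raw."""
    pw = password.encode()
    if attr == "Cleartext-Password":
        return hmac.compare_digest(pw, raw)
    if attr == "SHA1-Password":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if attr == "SSHA1-Password":
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if attr == "MD5-Password":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if attr == "SMD5-Password":
        digest, salt = raw[:16], raw[16:]
        return hmac.compare_digest(hashlib.md5(pw + salt).digest(), digest)
    raise ValueError(f"unsupported check attribute {attr}")


def authenticate_pap(stored: str, supplied: str) -> bool:
    """Header-aware path: what the thread's working radtest run does."""
    attr, raw = normalize_check_item(stored)
    return pap_check(supplied, attr, raw)


def authenticate_as_cleartext(stored: str, supplied: str) -> bool:
    """Header-blind path: the failure the thread describes, where the literal
    '{SSHA}...' string is compared to the supplied password as if it were cleartext."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


if __name__ == "__main__":
    stored = make_ssha("correct horse", b"12345678")      # constructed sample
    print(authenticate_pap(stored, "correct horse"))          # True
    print(authenticate_as_cleartext(stored, "correct horse")) # False
    # The test the reply suggests: supply the hash itself as the password.
    print(authenticate_as_cleartext(stored, stored))          # True
```

The third print is the diagnostic the reply proposes: if typing the hash string as the password is accepted, the server is comparing against the raw directory string rather than verifying the salted digest. Only PAP is exercised here, which is the method the radtest run above uses.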