Alan DeKok wrote:

password to the server.  The server looks up the user in a database, and
(perhaps) finds a SHA hashed password.  The server then SHA hashes the
password supplied by the client, and compares it to the SHA password
from the database.

In that case, something is *really* wrong with my setup and I have no idea why. I can only authenticate if the password in OpenLDAP is cleartext, but never if it's hashed. Debug output, radiusd.conf (modules ldap section), and sites-enabled/default follow.

### debug ###
rad_recv: Access-Request packet from host 127.0.0.1 port 62806, id=99, length=57
        User-Name = "user1"
        User-Password = "abc123"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
        expand: (uid=%u) -> (uid=user1)
        expand: dc=---,dc=edu,dc=my -> dc=---,dc=edu,dc=my
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=---,dc=edu,dc=my/### to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=---,dc=edu,dc=my, with filter (uid=user1)
rlm_ldap: checking if remote access for user1 is allowed by radiusFilterId
rlm_ldap: Added SHA1-Password = iEPX+SQWIR3p67lj/0zigSWTKHg= in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg="
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = "1 "
rlm_ldap: user user1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [user1/abc123] (from client localhost port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> user1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 99 to 127.0.0.1 port 62806
Finished request 0.

### radiusd.conf ###

modules {
        pap {
                auto_header = yes
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
        }
$INCLUDE eap.conf
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
        }
        ldap {
                server = "127.0.0.1"
                identity = "cn=Manager,dc=iiu,dc=edu,dc=my"
                password = alamak
                basedn = "dc=iiu,dc=edu,dc=my"
                base_filter = "(objectclass=radiusprofile)"
                access_attr = "radiusFilterId"
                authtype = ldap
                ldap_connections_number = 5
                timeout = 20
                timelimit = 15
                net_timeout = 10
                tls {
                }
                dictionary_mapping = ${confdir}/ldap.attrmap
                edir_account_policy_check = yes
                set_auth_type = yes
                auto_header = yes
                password_header = "{SHA}"
                password_attribute = userPassword
        }

### sites-enabled/default ###

authorize {
        preprocess
        ldap
        chap
        mschap
        suffix
        eap
        #files
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
}

accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}

session {
        radutmp
}

post-auth {
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

pre-proxy {
}

post-proxy {
        eap
}



  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
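As an added example (not part of this thread, and not FreeRADIUS code), here is the comparison Alan describes written out in Python: take the userPassword value from the directory, strip the `{SHA}` (or `{SSHA}`) header, hash the password the client supplied the same way, and compare the digests. Beside it is the plain string comparison that the debug output above ends up doing once the hashed value has been mapped into User-Password and then turned into Cleartext-Password: the "known good" password becomes the literal string "{SHA}..." and can never equal what the client typed. The function names and the sample passwords are my own constructions; the SSHA handling goes beyond the `{SHA}` case in the thread.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def make_userpassword(password: str, scheme: str = "SHA",
                      salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style userPassword value: "{SHA}b64(sha1)" or "{SSHA}b64(sha1+salt)".

    Constructed helper so the example can generate its own sample values.
    """
    pw = password.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError(f"unsupported scheme {scheme!r}")


def split_header(stored: str) -> Tuple[Optional[str], str]:
    """Return (SCHEME, payload) for a "{SCHEME}payload" value, or (None, value) if it has no header."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored


def verify_hashed(supplied: str, stored: str) -> bool:
    """Header-aware check: hash the supplied password the way the directory did and compare digests.

    Unknown schemes fail closed; constant-time comparison avoids leaking how far the match got.
    """
    scheme, payload = split_header(stored)
    pw = supplied.encode("utf-8")
    if scheme is None:
        # Directory holds a cleartext password: compare bytes directly.
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme == "SHA":
        expected = base64.b64decode(payload)
        return hmac.compare_digest(hashlib.sha1(pw).digest(), expected)
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False


def verify_as_cleartext(supplied: str, stored: str) -> bool:
    """What the failing setup effectively does: treat the stored value as the literal known-good password."""
    return hmac.compare_digest(supplied.encode("utf-8"), stored.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a directory entry whose userPassword is "{SHA}" + base64(sha1("abc123")).
    stored = make_userpassword("abc123")
    print("stored value:        ", stored)
    print("header-aware check:  ", verify_hashed("abc123", stored))        # True
    print("literal string check:", verify_as_cleartext("abc123", stored))  # False: "abc123" != "{SHA}..."
    print("wrong password:      ", verify_hashed("wrong", stored))         # False
```

Run it directly to see the two outcomes side by side: the header-aware check accepts the correct password, while the literal comparison rejects it, which is the "does NOT match local User-Password" line in the debug output.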