You can add NT / LM pairs to each LDAP user object. You must include the samba.schema in the LDAP server's schemas.

Ex:

sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE

This way pptp MSCHAP auth will work.

Nelson Vale

On Thursday 08 October 2009 12:53:21 tede wrote:
> Ivan Kalik wrote:
> >> Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter (uid=light)
> >> Debug: rlm_ldap: No default NMAS login sequence
> >> Debug: rlm_ldap: looking for check items in directory...
> >> Debug: rlm_ldap: looking for reply items in directory...
> >> Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
> >
> > Hm, try adding mapping for Cleartext-Password as userPassword to
> > ldap.attrmap.
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> Hi Ivan, first of all, thanks for answering me :)
>
> So, here is the result after adding mapping for Cleartext-Password as
> userPassword, as we can see in the radius mapping part of the debug:
>
> Info: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Oct 3 2009 at 19:16:29
> Info: Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
> Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> Info: PARTICULAR PURPOSE.
> Info: You may redistribute copies of FreeRADIUS under the terms of the
> Info: GNU General Public License.
> Info: Starting - reading configuration files ...
> Debug: including configuration file /etc/freeradius/radiusd.conf
> Debug: including configuration file /etc/freeradius/clients.conf
> Debug: including configuration file /etc/freeradius/policy.conf
> Debug: including files in directory /etc/freeradius/sites-enabled/
> Debug: including configuration file /etc/freeradius/sites-enabled/default
> Debug: including configuration file /etc/freeradius/sites-enabled/inner-tunnel
> Debug: including dictionary file /etc/freeradius/dictionary
> Debug: main {
> Debug: prefix = "/usr"
> Debug: localstatedir = "/var"
> Debug: logdir = "/var/log/freeradius"
> Debug: libdir = "/usr/lib/freeradius"
> Debug: radacctdir = "/var/log/freeradius/radacct"
> Debug: hostname_lookups = no
> Debug: max_request_time = 30
> Debug: cleanup_delay = 5
> Debug: max_requests = 1024
> Debug: allow_core_dumps = no
> Debug: pidfile = "/var/run/freeradius/freeradius.pid"
> Debug: user = "freerad"
> Debug: group = "freerad"
> Debug: checkrad = "/usr/sbin/checkrad"
> Debug: debug_level = 0
> Debug: proxy_requests = yes
> Debug: security {
> Debug: max_attributes = 200
> Debug: reject_delay = 1
> Debug: status_server = yes
> Debug: }
> Debug: }
> Debug: client localhost {
> Debug: ipaddr = 127.0.0.1
> Debug: require_message_authenticator = no
> Debug: secret = "hometest"
> Debug: nastype = "other"
> Debug: }
> Debug: client 192.168.0.0/24 {
> Debug: require_message_authenticator = no
> Debug: secret = "hometest"
> Debug: shortname = "private-network-1"
> Debug: }
> Debug: radiusd: #### Loading Realms and Home Servers ####
> Debug: radiusd: #### Instantiating modules ####
> Debug: instantiate {
> Debug: (Loaded rlm_exec, checking if it's valid)
> Debug: Module: Linked to module rlm_exec
> Debug: Module: Instantiating exec
> Debug: exec {
> Debug: wait = yes
> Debug: input_pairs = "request"
> Debug: shell_escape = yes
> Debug: }
> Debug: (Loaded rlm_expr, checking if it's valid)
> Debug: Module: Linked to module rlm_expr
> Debug: Module: Instantiating expr
> Debug: (Loaded rlm_expiration, checking if it's valid)
> Debug: Module: Linked to module rlm_expiration
> Debug: Module: Instantiating expiration
> Debug: expiration {
> Debug: reply-message = "Password Has Expired "
> Debug: }
> Debug: (Loaded rlm_logintime, checking if it's valid)
> Debug: Module: Linked to module rlm_logintime
> Debug: Module: Instantiating logintime
> Debug: logintime {
> Debug: reply-message = "You are calling outside your allowed timespan "
> Debug: minimum-timeout = 60
> Debug: }
> Debug: }
> Debug: radiusd: #### Loading Virtual Servers ####
> Debug: server inner-tunnel {
> Debug: modules {
> Debug: Module: Checking authenticate {...} for more modules to load
> Debug: (Loaded rlm_pap, checking if it's valid)
> Debug: Module: Linked to module rlm_pap
> Debug: Module: Instantiating pap
> Debug: pap {
> Debug: encryption_scheme = "auto"
> Debug: auto_header = no
> Debug: }
> Debug: (Loaded rlm_chap, checking if it's valid)
> Debug: Module: Linked to module rlm_chap
> Debug: Module: Instantiating chap
> Debug: (Loaded rlm_mschap, checking if it's valid)
> Debug: Module: Linked to module rlm_mschap
> Debug: Module: Instantiating mschap
> Debug: mschap {
> Debug: use_mppe = yes
> Debug: require_encryption = no
> Debug: require_strong = no
> Debug: with_ntdomain_hack = no
> Debug: }
> Debug: (Loaded rlm_unix, checking if it's valid)
> Debug: Module: Linked to module rlm_unix
> Debug: Module: Instantiating unix
> Debug: unix {
> Debug: radwtmp = "/var/log/freeradius/radwtmp"
> Debug: }
> Debug: (Loaded rlm_ldap, checking if it's valid)
> Debug: Module: Linked to module rlm_ldap
> Debug: Module: Instantiating ldap
> Debug: ldap {
> Debug: server = "localhost"
> Debug: port = 389
> Debug: password = ""
> Debug: identity = ""
> Debug: net_timeout = 1
> Debug: timeout = 4
> Debug: timelimit = 3
> Debug: tls_mode = no
> Debug: start_tls = no
> Debug: tls_require_cert = "allow"
> Debug: tls {
> Debug: start_tls = no
> Debug: require_cert = "allow"
> Debug: }
> Debug: basedn = "ou=vpn,dc=home"
> Debug: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> Debug: base_filter = "(objectclass=radiusprofile)"
> Debug: password_attribute = "userPassword"
> Debug: auto_header = yes
> Debug: access_attr_used_for_allow = yes
> Debug: groupname_attribute = "cn"
> Debug: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> Debug: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
> Debug: ldap_debug = 0
> Debug: ldap_connections_number = 5
> Debug: compare_check_items = no
> Debug: do_xlat = yes
> Debug: edir_account_policy_check = no
> Debug: set_auth_type = no
> Debug: }
> Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap
> Debug: rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
> Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> Debug: rlm_ldap: LDAP digestHA1 mapped to RADIUS Digest-HA1
> Debug: rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
> Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> Debug: rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> Debug: rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
> Debug: rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
> Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
> Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
> Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
> Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
> Debug: rlm_ldap: LDAP ntHash mapped to RADIUS NT-Hash
> Debug: rlm_ldap: LDAP lmHash mapped to RADIUS LM-Hash
> Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
> Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> Debug: rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
> Debug: rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
> Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> Debug: rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
> Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> Debug: rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
> Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> Debug: rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
> Debug: rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
> Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
> Debug: rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
> Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
> Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
> Debug: conns: 0x85c8988
> Debug: Module: Checking authorize {...} for more modules to load
> Debug: (Loaded rlm_realm, checking if it's valid)
> Debug: Module: Linked to module rlm_realm
> Debug: Module: Instantiating suffix
> Debug: realm suffix {
> Debug: format = "suffix"
> Debug: delimiter = "@"
> Debug: ignore_default = no
> Debug: ignore_null = no
> Debug: }
> Debug: (Loaded rlm_files, checking if it's valid)
> Debug: Module: Linked to module rlm_files
> Debug: Module: Instantiating files
> Debug: files {
> Debug: usersfile = "/etc/freeradius/users"
> Debug: acctusersfile = "/etc/freeradius/acct_users"
> Debug: preproxy_usersfile = "/etc/freeradius/preproxy_users"
> Debug: compat = "no"
> Debug: }
> Debug: Module: Checking session {...} for more modules to load
> Debug: (Loaded rlm_radutmp, checking if it's valid)
> Debug: Module: Linked to module rlm_radutmp
> Debug: Module: Instantiating radutmp
> Debug: radutmp {
> Debug: filename = "/var/log/freeradius/radutmp"
> Debug: username = "%{User-Name}"
> Debug: case_sensitive = yes
> Debug: check_with_nas = yes
> Debug: perm = 384
> Debug: callerid = yes
> Debug: }
> Debug: Module: Checking post-auth {...} for more modules to load
> Debug: (Loaded rlm_attr_filter, checking if it's valid)
> Debug: Module: Linked to module rlm_attr_filter
> Debug: Module: Instantiating attr_filter.access_reject
> Debug: attr_filter attr_filter.access_reject {
> Debug: attrsfile = "/etc/freeradius/attrs.access_reject"
> Debug: key = "%{User-Name}"
> Debug: }
> Debug: }
> Debug: }
> Debug: server {
> Debug: modules {
> Debug: Module: Checking authenticate {...} for more modules to load
> Debug: Module: Checking authorize {...} for more modules to load
> Debug: (Loaded rlm_preprocess, checking if it's valid)
> Debug: Module: Linked to module rlm_preprocess
> Debug: Module: Instantiating preprocess
> Debug: preprocess {
> Debug: huntgroups = "/etc/freeradius/huntgroups"
> Debug: hints = "/etc/freeradius/hints"
> Debug: with_ascend_hack = no
> Debug: ascend_channels_per_line = 23
> Debug: with_ntdomain_hack = no
> Debug: with_specialix_jetstream_hack = no
> Debug: with_cisco_vsa_hack = no
> Debug: with_alvarion_vsa_hack = no
> Debug: }
> Debug: Module: Checking preacct {...} for more modules to load
> Debug: (Loaded rlm_acct_unique, checking if it's valid)
> Debug: Module: Linked to module rlm_acct_unique
> Debug: Module: Instantiating acct_unique
> Debug: acct_unique {
> Debug: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Debug: }
> Debug: Module: Checking accounting {...} for more modules to load
> Debug: (Loaded rlm_detail, checking if it's valid)
> Debug: Module: Linked to module rlm_detail
> Debug: Module: Instantiating detail
> Debug: detail {
> Debug: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> Debug: header = "%t"
> Debug: detailperm = 384
> Debug: dirperm = 493
> Debug: locking = no
> Debug: log_packet_header = no
> Debug: }
> Debug: Module: Instantiating attr_filter.accounting_response
> Debug: attr_filter attr_filter.accounting_response {
> Debug: attrsfile = "/etc/freeradius/attrs.accounting_response"
> Debug: key = "%{User-Name}"
> Debug: }
> Debug: Module: Checking session {...} for more modules to load
> Debug: Module: Checking post-auth {...} for more modules to load
> Debug: }
> Debug: }
> Debug: radiusd: #### Opening IP addresses and Ports ####
> Debug: listen {
> Debug: type = "auth"
> Debug: ipaddr = *
> Debug: port = 0
> Debug: }
> Debug: listen {
> Debug: type = "acct"
> Debug: ipaddr = *
> Debug: port = 0
> Debug: }
> Debug: main {
> Debug: snmp = no
> Debug: smux_password = ""
> Debug: snmp_write_access = no
> Debug: }
> Debug: Listening on authentication address * port 1812
> Debug: Listening on accounting address * port 1813
> Debug: Listening on proxy address * port 1814
> Debug: Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 58943, id=90, length=144
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "light"
> MS-CHAP-Challenge = 0x0478587b0fbb0f95a407ca180b2f8a37
> MS-CHAP2-Response = 0xd300647b6787cf9c9d95e042b5ba55d38d180000000000000000261560ec809d3c64cefc034d7af5be715a3570723e5dbe2f
> Calling-Station-Id = "192.168.0.1"
> NAS-IP-Address = 0x0101
> NAS-Port = 0
> Debug: +- entering group authorize
> Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
> Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
> Debug: ++[preprocess] returns ok
> Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
> Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
> Debug: ++[chap] returns noop
> Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
> Debug: rlm_ldap: - authorize
> Debug: rlm_ldap: performing user authorization for light
> Debug: WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> Debug: expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=light)
> Debug: expand: ou=vpn,dc=home -> ou=vpn,dc=home
> Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
> Debug: rlm_ldap: ldap_get_conn: Got Id: 0
> Debug: rlm_ldap: attempting LDAP reconnection
> Debug: rlm_ldap: (re)connect to localhost:389, authentication 0
> Debug: rlm_ldap: bind as / to localhost:389
> Debug: rlm_ldap: waiting for bind result ...
> Debug: rlm_ldap: Bind was successful
> Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter (uid=light)
> Debug: rlm_ldap: No default NMAS login sequence
> Debug: rlm_ldap: looking for check items in directory...
> Debug: rlm_ldap: looking for reply items in directory...
> Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
> Debug: rlm_ldap: user light authorized to use remote access
> Debug: rlm_ldap: ldap_release_conn: Release Id: 0
> Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
> Debug: ++[ldap] returns ok
> Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
> Debug: rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
> Debug: ++[mschap] returns ok
> Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
> Debug: rlm_realm: No '@' in User-Name = "light", looking up realm NULL
> Debug: rlm_realm: No such realm "NULL"
> Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
> Debug: ++[suffix] returns noop
> Debug: modsingle[authorize]: calling unix (rlm_unix) for request 0
> Debug: modsingle[authorize]: returned from unix (rlm_unix) for request 0
> Debug: ++[unix] returns notfound
> Debug: modsingle[authorize]: calling files (rlm_files) for request 0
> Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
> Debug: ++[files] returns noop
> Debug: modsingle[authorize]: calling expiration (rlm_expiration) for request 0
> Debug: modsingle[authorize]: returned from expiration (rlm_expiration) for request 0
> Debug: ++[expiration] returns noop
> Debug: modsingle[authorize]: calling logintime (rlm_logintime) for request 0
> Debug: modsingle[authorize]: returned from logintime (rlm_logintime) for request 0
> Debug: ++[logintime] returns noop
> Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0
> Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
> Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0
> Debug: ++[pap] returns noop
> Debug: rad_check_password: Found Auth-Type mschap
> Debug: auth: type "MSCHAP"
> Debug: +- entering group MS-CHAP
> Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 0
> Debug: rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
> Debug: rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
> Debug: rlm_mschap: Told to do MS-CHAPv2 for light with NT-Password
> Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> Debug: modsingle[authenticate]: returned from mschap (rlm_mschap) for request 0
> Debug: ++[mschap] returns reject
> Debug: auth: Failed to validate the user.
> Auth: Login incorrect: [light/<via Auth-Type = mschap>] (from client localhost port 0 cli 192.168.0.1)
> Debug: Found Post-Auth-Type Reject
> Debug: +- entering group REJECT
> Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
> Debug: expand: %{User-Name} -> light
> Debug: attr_filter: Matched entry DEFAULT at line 11
> Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
> Debug: ++[attr_filter.access_reject] returns updated
> Debug: Delaying reject of request 0 for 1 seconds
> Debug: Going to the next request
> Debug: Waking up in 0.9 seconds.
> Debug: Sending delayed reject for request 0
> Sending Access-Reject of id 90 to 127.0.0.1 port 58943
> Debug: Waking up in 4.9 seconds.
> Debug: Cleaning up request 0 ID 90 with timestamp +7
> Debug: Ready to process requests.

