Just had a look at your ldap entries again. This doesn't look right:

userPassword:: dGVzdGVy

Shouldn't there be just one colon?

Ivan Kalik
Kalik Informatika ISP

> You can add NT / LM pairs to each LDAP user object. You must include the
> samba.schema into the ldap server schemas.
>
> Ex:
>
> sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
> sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE
>
> This way pptp MSCHAP auth will work.
>
> Nelson Vale
>
> On Thursday 08 October 2009 12:53:21 tede wrote:
>> Ivan Kalik wrote:
>> >> Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter
>> >> (uid=light)
>> >> Debug: rlm_ldap: No default NMAS login sequence
>> >> Debug: rlm_ldap: looking for check items in directory...
>> >> Debug: rlm_ldap: looking for reply items in directory...
>> >> Debug: WARNING: No "known good" password was found in LDAP. Are you
>> >> sure that the user is configured correctly?
>> >
>> > Hm, try adding mapping for Cleartext-Password as userPassword to
>> > ldap.attrmap.
>> >
>> > Ivan Kalik
>> > Kalik Informatika ISP
>> >
>> > -
>> > List info/subscribe/unsubscribe? See
>> > http://www.freeradius.org/list/users.html
>>
>> Hi Ivan, first of all, thanks for answering me :)
>>
>> So, here is the result after adding mapping for Cleartext-Password as
>> userPassword,
>> as we can see in the radius mapping part of the debug :
>>
>> Info: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Oct 3 2009 at 19:16:29
>> Info: Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
>> Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> Info: PARTICULAR PURPOSE.
>> Info: You may redistribute copies of FreeRADIUS under the terms of the
>> Info: GNU General Public License.
>> Info: Starting - reading configuration files ...
>> Debug: including configuration file /etc/freeradius/radiusd.conf
>> Debug: including configuration file /etc/freeradius/clients.conf
>> Debug: including configuration file /etc/freeradius/policy.conf
>> Debug: including files in directory /etc/freeradius/sites-enabled/
>> Debug: including configuration file /etc/freeradius/sites-enabled/default
>> Debug: including configuration file /etc/freeradius/sites-enabled/inner-tunnel
>> Debug: including dictionary file /etc/freeradius/dictionary
>> Debug: main {
>> Debug: prefix = "/usr"
>> Debug: localstatedir = "/var"
>> Debug: logdir = "/var/log/freeradius"
>> Debug: libdir = "/usr/lib/freeradius"
>> Debug: radacctdir = "/var/log/freeradius/radacct"
>> Debug: hostname_lookups = no
>> Debug: max_request_time = 30
>> Debug: cleanup_delay = 5
>> Debug: max_requests = 1024
>> Debug: allow_core_dumps = no
>> Debug: pidfile = "/var/run/freeradius/freeradius.pid"
>> Debug: user = "freerad"
>> Debug: group = "freerad"
>> Debug: checkrad = "/usr/sbin/checkrad"
>> Debug: debug_level = 0
>> Debug: proxy_requests = yes
>> Debug: security {
>> Debug: max_attributes = 200
>> Debug: reject_delay = 1
>> Debug: status_server = yes
>> Debug: }
>> Debug: }
>> Debug: client localhost {
>> Debug: ipaddr = 127.0.0.1
>> Debug: require_message_authenticator = no
>> Debug: secret = "hometest"
>> Debug: nastype = "other"
>> Debug: }
>> Debug: client 192.168.0.0/24 {
>> Debug: require_message_authenticator = no
>> Debug: secret = "hometest"
>> Debug: shortname = "private-network-1"
>> Debug: }
>> Debug: radiusd: #### Loading Realms and Home Servers ####
>> Debug: radiusd: #### Instantiating modules ####
>> Debug: instantiate {
>> Debug: (Loaded rlm_exec, checking if it's valid)
>> Debug: Module: Linked to module rlm_exec
>> Debug: Module: Instantiating exec
>> Debug: exec {
>> Debug: wait = yes
>> Debug: input_pairs = "request"
>> Debug: shell_escape = yes
>> Debug: }
>> Debug: (Loaded rlm_expr, checking if it's valid)
>> Debug: Module: Linked to module rlm_expr
>> Debug: Module: Instantiating expr
>> Debug: (Loaded rlm_expiration, checking if it's valid)
>> Debug: Module: Linked to module rlm_expiration
>> Debug: Module: Instantiating expiration
>> Debug: expiration {
>> Debug: reply-message = "Password Has Expired "
>> Debug: }
>> Debug: (Loaded rlm_logintime, checking if it's valid)
>> Debug: Module: Linked to module rlm_logintime
>> Debug: Module: Instantiating logintime
>> Debug: logintime {
>> Debug: reply-message = "You are calling outside your allowed timespan "
>> Debug: minimum-timeout = 60
>> Debug: }
>> Debug: }
>> Debug: radiusd: #### Loading Virtual Servers ####
>> Debug: server inner-tunnel {
>> Debug: modules {
>> Debug: Module: Checking authenticate {...} for more modules to load
>> Debug: (Loaded rlm_pap, checking if it's valid)
>> Debug: Module: Linked to module rlm_pap
>> Debug: Module: Instantiating pap
>> Debug: pap {
>> Debug: encryption_scheme = "auto"
>> Debug: auto_header = no
>> Debug: }
>> Debug: (Loaded rlm_chap, checking if it's valid)
>> Debug: Module: Linked to module rlm_chap
>> Debug: Module: Instantiating chap
>> Debug: (Loaded rlm_mschap, checking if it's valid)
>> Debug: Module: Linked to module rlm_mschap
>> Debug: Module: Instantiating mschap
>> Debug: mschap {
>> Debug: use_mppe = yes
>> Debug: require_encryption = no
>> Debug: require_strong = no
>> Debug: with_ntdomain_hack = no
>> Debug: }
>> Debug: (Loaded rlm_unix, checking if it's valid)
>> Debug: Module: Linked to module rlm_unix
>> Debug: Module: Instantiating unix
>> Debug: unix {
>> Debug: radwtmp = "/var/log/freeradius/radwtmp"
>> Debug: }
>> Debug: (Loaded rlm_ldap, checking if it's valid)
>> Debug: Module: Linked to module rlm_ldap
>> Debug: Module: Instantiating ldap
>> Debug: ldap {
>> Debug: server = "localhost"
>> Debug: port = 389
>> Debug: password = ""
>> Debug: identity = ""
>> Debug: net_timeout = 1
>> Debug: timeout = 4
>> Debug: timelimit = 3
>> Debug: tls_mode = no
>> Debug: start_tls = no
>> Debug: tls_require_cert = "allow"
>> Debug: tls {
>> Debug: start_tls = no
>> Debug: require_cert = "allow"
>> Debug: }
>> Debug: basedn = "ou=vpn,dc=home"
>> Debug: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>> Debug: base_filter = "(objectclass=radiusprofile)"
>> Debug: password_attribute = "userPassword"
>> Debug: auto_header = yes
>> Debug: access_attr_used_for_allow = yes
>> Debug: groupname_attribute = "cn"
>> Debug: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>> Debug: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
>> Debug: ldap_debug = 0
>> Debug: ldap_connections_number = 5
>> Debug: compare_check_items = no
>> Debug: do_xlat = yes
>> Debug: edir_account_policy_check = no
>> Debug: set_auth_type = no
>> Debug: }
>> Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group
>> Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap
>> Debug: rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
>> Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
>> Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
>> Debug: rlm_ldap: LDAP digestHA1 mapped to RADIUS Digest-HA1
>> Debug: rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
>> Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
>> Debug: rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
>> Debug: rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
>> Debug: rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
>> Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
>> Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
>> Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
>> Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
>> Debug: rlm_ldap: LDAP ntHash mapped to RADIUS NT-Hash
>> Debug: rlm_ldap: LDAP lmHash mapped to RADIUS LM-Hash
>> Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
>> Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
>> Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
>> Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
>> Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
>> Debug: rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
>> Debug: rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
>> Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
>> Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
>> Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
>> Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
>> Debug: rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
>> Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
>> Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
>> Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
>> Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
>> Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
>> Debug: rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
>> Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class
>> Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
>> Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
>> Debug: rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
>> Debug: rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
>> Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
>> Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
>> Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
>> Debug: rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
>> Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
>> Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
>> Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
>> Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
>> Debug: conns: 0x85c8988
>> Debug: Module: Checking authorize {...} for more modules to load
>> Debug: (Loaded rlm_realm, checking if it's valid)
>> Debug: Module: Linked to module rlm_realm
>> Debug: Module: Instantiating suffix
>> Debug: realm suffix {
>> Debug: format = "suffix"
>> Debug: delimiter = "@"
>> Debug: ignore_default = no
>> Debug: ignore_null = no
>> Debug: }
>> Debug: (Loaded rlm_files, checking if it's valid)
>> Debug: Module: Linked to module rlm_files
>> Debug: Module: Instantiating files
>> Debug: files {
>> Debug: usersfile = "/etc/freeradius/users"
>> Debug: acctusersfile = "/etc/freeradius/acct_users"
>> Debug: preproxy_usersfile = "/etc/freeradius/preproxy_users"
>> Debug: compat = "no"
>> Debug: }
>> Debug: Module: Checking session {...} for more modules to load
>> Debug: (Loaded rlm_radutmp, checking if it's valid)
>> Debug: Module: Linked to module rlm_radutmp
>> Debug: Module: Instantiating radutmp
>> Debug: radutmp {
>> Debug: filename = "/var/log/freeradius/radutmp"
>> Debug: username = "%{User-Name}"
>> Debug: case_sensitive = yes
>> Debug: check_with_nas = yes
>> Debug: perm = 384
>> Debug: callerid = yes
>> Debug: }
>> Debug: Module: Checking post-auth {...} for more modules to load
>> Debug: (Loaded rlm_attr_filter, checking if it's valid)
>> Debug: Module: Linked to module rlm_attr_filter
>> Debug: Module: Instantiating attr_filter.access_reject
>> Debug: attr_filter attr_filter.access_reject {
>> Debug: attrsfile = "/etc/freeradius/attrs.access_reject"
>> Debug: key = "%{User-Name}"
>> Debug: }
>> Debug: }
>> Debug: }
>> Debug: server {
>> Debug: modules {
>> Debug: Module: Checking authenticate {...} for more modules to load
>> Debug: Module: Checking authorize {...} for more modules to load
>> Debug: (Loaded rlm_preprocess, checking if it's valid)
>> Debug: Module: Linked to module rlm_preprocess
>> Debug: Module: Instantiating preprocess
>> Debug: preprocess {
>> Debug: huntgroups = "/etc/freeradius/huntgroups"
>> Debug: hints = "/etc/freeradius/hints"
>> Debug: with_ascend_hack = no
>> Debug: ascend_channels_per_line = 23
>> Debug: with_ntdomain_hack = no
>> Debug: with_specialix_jetstream_hack = no
>> Debug: with_cisco_vsa_hack = no
>> Debug: with_alvarion_vsa_hack = no
>> Debug: }
>> Debug: Module: Checking preacct {...} for more modules to load
>> Debug: (Loaded rlm_acct_unique, checking if it's valid)
>> Debug: Module: Linked to module rlm_acct_unique
>> Debug: Module: Instantiating acct_unique
>> Debug: acct_unique {
>> Debug: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>> Debug: }
>> Debug: Module: Checking accounting {...} for more modules to load
>> Debug: (Loaded rlm_detail, checking if it's valid)
>> Debug: Module: Linked to module rlm_detail
>> Debug: Module: Instantiating detail
>> Debug: detail {
>> Debug: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>> Debug: header = "%t"
>> Debug: detailperm = 384
>> Debug: dirperm = 493
>> Debug: locking = no
>> Debug: log_packet_header = no
>> Debug: }
>> Debug: Module: Instantiating attr_filter.accounting_response
>> Debug: attr_filter attr_filter.accounting_response {
>> Debug: attrsfile = "/etc/freeradius/attrs.accounting_response"
>> Debug: key = "%{User-Name}"
>> Debug: }
>> Debug: Module: Checking session {...} for more modules to load
>> Debug: Module: Checking post-auth {...} for more modules to load
>> Debug: }
>> Debug: }
>> Debug: radiusd: #### Opening IP addresses and Ports ####
>> Debug: listen {
>> Debug: type = "auth"
>> Debug: ipaddr = *
>> Debug: port = 0
>> Debug: }
>> Debug: listen {
>> Debug: type = "acct"
>> Debug: ipaddr = *
>> Debug: port = 0
>> Debug: }
>> Debug: main {
>> Debug: snmp = no
>> Debug: smux_password = ""
>> Debug: snmp_write_access = no
>> Debug: }
>> Debug: Listening on authentication address * port 1812
>> Debug: Listening on accounting address * port 1813
>> Debug: Listening on proxy address * port 1814
>> Debug: Ready to process requests.
>> rad_recv: Access-Request packet from host 127.0.0.1 port 58943, id=90, length=144
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> User-Name = "light"
>> MS-CHAP-Challenge = 0x0478587b0fbb0f95a407ca180b2f8a37
>> MS-CHAP2-Response = 0xd300647b6787cf9c9d95e042b5ba55d38d180000000000000000261560ec809d3c64cefc034d7af5be715a3570723e5dbe2f
>> Calling-Station-Id = "192.168.0.1"
>> NAS-IP-Address = 0x0101
>> NAS-Port = 0
>> Debug: +- entering group authorize
>> Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
>> Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
>> Debug: ++[preprocess] returns ok
>> Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
>> Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
>> Debug: ++[chap] returns noop
>> Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
>> Debug: rlm_ldap: - authorize
>> Debug: rlm_ldap: performing user authorization for light
>> Debug: WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
>> Debug: expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=light)
>> Debug: expand: ou=vpn,dc=home -> ou=vpn,dc=home
>> Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
>> Debug: rlm_ldap: ldap_get_conn: Got Id: 0
>> Debug: rlm_ldap: attempting LDAP reconnection
>> Debug: rlm_ldap: (re)connect to localhost:389, authentication 0
>> Debug: rlm_ldap: bind as / to localhost:389
>> Debug: rlm_ldap: waiting for bind result ...
>> Debug: rlm_ldap: Bind was successful
>> Debug: rlm_ldap: performing search in ou=vpn,dc=home, with filter (uid=light)
>> Debug: rlm_ldap: No default NMAS login sequence
>> Debug: rlm_ldap: looking for check items in directory...
>> Debug: rlm_ldap: looking for reply items in directory...
>> Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
>> Debug: rlm_ldap: user light authorized to use remote access
>> Debug: rlm_ldap: ldap_release_conn: Release Id: 0
>> Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 0
>> Debug: ++[ldap] returns ok
>> Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
>> Debug: rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
>> Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
>> Debug: ++[mschap] returns ok
>> Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
>> Debug: rlm_realm: No '@' in User-Name = "light", looking up realm NULL
>> Debug: rlm_realm: No such realm "NULL"
>> Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
>> Debug: ++[suffix] returns noop
>> Debug: modsingle[authorize]: calling unix (rlm_unix) for request 0
>> Debug: modsingle[authorize]: returned from unix (rlm_unix) for request 0
>> Debug: ++[unix] returns notfound
>> Debug: modsingle[authorize]: calling files (rlm_files) for request 0
>> Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
>> Debug: ++[files] returns noop
>> Debug: modsingle[authorize]: calling expiration (rlm_expiration) for request 0
>> Debug: modsingle[authorize]: returned from expiration (rlm_expiration) for request 0
>> Debug: ++[expiration] returns noop
>> Debug: modsingle[authorize]: calling logintime (rlm_logintime) for request 0
>> Debug: modsingle[authorize]: returned from logintime (rlm_logintime) for request 0
>> Debug: ++[logintime] returns noop
>> Debug: modsingle[authorize]: calling pap (rlm_pap) for request 0
>> Debug: rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
>> Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 0
>> Debug: ++[pap] returns noop
>> Debug: rad_check_password: Found Auth-Type mschap
>> Debug: auth: type "MSCHAP"
>> Debug: +- entering group MS-CHAP
>> Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 0
>> Debug: rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
>> Debug: rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password.
>> Debug: rlm_mschap: Told to do MS-CHAPv2 for light with NT-Password
>> Debug: rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>> Debug: rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>> Debug: modsingle[authenticate]: returned from mschap (rlm_mschap) for request 0
>> Debug: ++[mschap] returns reject
>> Debug: auth: Failed to validate the user.
>> Auth: Login incorrect: [light/<via Auth-Type = mschap>] (from client localhost port 0 cli 192.168.0.1)
>> Debug: Found Post-Auth-Type Reject
>> Debug: +- entering group REJECT
>> Debug: modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
>> Debug: expand: %{User-Name} -> light
>> Debug: attr_filter: Matched entry DEFAULT at line 11
>> Debug: modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
>> Debug: ++[attr_filter.access_reject] returns updated
>> Debug: Delaying reject of request 0 for 1 seconds
>> Debug: Going to the next request
>> Debug: Waking up in 0.9 seconds.
>> Debug: Sending delayed reject for request 0
>> Sending Access-Reject of id 90 to 127.0.0.1 port 58943
>> Debug: Waking up in 4.9 seconds.
>> Debug: Cleaning up request 0 ID 90 with timestamp +7
>> Debug: Ready to process requests.
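Added example, not code from this thread, from FreeRADIUS or from Samba: a small Python script that shows the two things the thread turns on. In LDIF a double colon (`userPassword:: dGVzdGVy`) marks a base64-encoded value, so that attribute decodes to the cleartext `tester`; and rlm_mschap can only complete MS-CHAPv2 when it has either Cleartext-Password or NT-Password, which is why the `sambaNTPassword` attribute Nelson suggests has to hold the NT hash, MD4 over the UTF-16LE password, written as upper-case hex the way Samba stores it. The sample LDIF entry is constructed (dn, uid and `radiusprofile` follow the thread; `inetOrgPerson` is assumed), and the helper names (`parse_ldif_entry`, `md4`, `nt_hash`, `derive_samba_nt_password`, `samba_nt_modify_ldif`) are mine. MD4 is implemented in plain Python because `hashlib` has it disabled on many OpenSSL 3 builds.

```python
"""Derive the sambaNTPassword rlm_mschap needs from an LDIF entry's cleartext userPassword."""
import base64
import re
import struct
from typing import Dict, List, Optional

# Constructed sample entry; dn/uid/radiusprofile follow the thread, inetOrgPerson is assumed.
# The "::" after userPassword is LDIF's base64 marker: dGVzdGVy is the cleartext "tester".
SAMPLE_LDIF = """\
dn: uid=light,ou=vpn,dc=home
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: light
userPassword:: dGVzdGVy
"""

# RFC 2307 style hashed userPassword values ({SSHA}..., {CRYPT}...) carry no recoverable cleartext.
_HASHED_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> values, decoding '::' base64 values."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # a leading space continues the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):                # attr:: <base64>
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):              # attr:< <url>, not needed here
            raise ValueError("URL-valued attributes are not supported")
        else:                                   # attr: <plain value>
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable on OpenSSL 3)."""
    mask = 0xFFFFFFFF
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    r3_k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1, F(x,y,z) = (x & y) | (~x & z)
            a = _lrot((a + ((b & c) | (~b & d)) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, G = majority, message words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, H = x ^ y ^ z
            a = _lrot((a + (b ^ c ^ d) + x[r3_k[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it in sambaNTPassword: MD4 over UTF-16LE, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def derive_samba_nt_password(entry: Dict[str, List[str]]) -> Optional[str]:
    """sambaNTPassword for the entry, or None when userPassword is missing or already hashed."""
    values = entry.get("userPassword", [])
    if not values or _HASHED_SCHEME.match(values[0]):
        return None   # a {SSHA}-style value cannot be turned into an NT hash after the fact
    return nt_hash(values[0])


def samba_nt_modify_ldif(entry: Dict[str, List[str]]) -> Optional[str]:
    """ldapmodify change record adding sambaNTPassword (entry must already be a sambaSamAccount)."""
    nt = derive_samba_nt_password(entry)
    if nt is None:
        return None
    return f"dn: {entry['dn'][0]}\nchangetype: modify\nadd: sambaNTPassword\nsambaNTPassword: {nt}\n"


if __name__ == "__main__":
    parsed = parse_ldif_entry(SAMPLE_LDIF)
    print("userPassword decodes to:", parsed["userPassword"][0])
    print(samba_nt_modify_ldif(parsed))
```

The change record only adds the attribute; the entry also has to carry the `sambaSamAccount` objectClass from samba.schema (which in turn requires a `sambaSID`) before the directory will accept it. The `None` branch is the practical caveat: if `userPassword` is stored hashed (`{SSHA}`, `{CRYPT}`), the NT hash cannot be derived from it, and rlm_mschap will keep logging "No Cleartext-Password configured" until the NT hash is set at password-change time.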

