> On Sat, Mar 10, 2012 at 5:29 AM,  <[email protected]> wrote:
>>> So to save lots of time and configuration problem: does your LDAP
>>> store user passwords in clear text or any "common" hash (e.g. md5,
>>> unix)? If yes, AND you know what the LDAP attribute is, you don't even
>>> need an LDAP section in authenticate.
>>
>> Mostly crypt, but I've seen a few SSHA hashes.  I know the ldap attribute as
>> well.  Assuming those hashes are "common" enough, what do I need to do?
>
> If the hash is supported (see
> http://wiki.freeradius.org/Protocol%20Compatibility) , you only need
> to make sure FR sees it in the right place. See ldap.atrmap.
>
>>
>> I should point out that I had been using:
>>
>> DEFAULT         Auth-Type = Ldap
>>
>> In the users file as well on the two older servers, despite docs that say
>> that it is "almost always wrong", but it was the only way we got it working.
>>
>
> If you have the attribute, and the hash is supported, you shouldn't need that.

I've taken that out on the new, 2.1.12 install and now a typical DEFAULT entry
looks like this:

DEFAULT         Group == "FOO", Pool-Name :="FOO_pool"

It seems to instantiate the module ok:

 Module: Linked to module rlm_ippool
 Module: Instantiating module "FOO_pool" from file /usr/etc/raddb/radiusd.conf
  ippool FOO_pool {
        session-db = "/usr/etc/raddb/db.FOO_ippool"
        ip-index = "/usr/etc/raddb/db.FOO_ipindex"
        key = "%{NAS-IP-Address} %{NAS-Port}"
        range-start = 172.17.0.101
        range-stop = 172.17.0.253
        netmask = 255.255.255.0
        cache-size = 251
        override = yes
        maximum-timeout = 0

The Access-Request packet looks ok:

        Framed-Protocol = PPP
        User-Name = "someuser"
        User-Password = "somepassword"
        NAS-Port-Type = Virtual
        NAS-Port = 2
        NAS-Port-Id = "Uniq-Sess-ID2"
        Service-Type = Framed-User
        NAS-IP-Address = some pptp cisco device

LDAP authentication then succeeds as it should.

[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = ldap1

LDAP bind is then successful as it should be, but then:

# Executing section post-auth from file /usr/etc/raddb/sites-enabled/default
[FOO_pool] Could not find Pool-Name attribute.
++[FOO_pool] returns noop


I assume I must be doing something wrong now with the users file entry.  The
old, working one was this:

DEFAULT         Group == FOO, Pool-Name :="FOO_pool", Auth-Type = Ldap
                Framed-Protocol == PPP,
                Framed-Compression = Van-Jacobson-TCP-IP

The new one is currently:

DEFAULT         Group == "FOO", Pool-Name :="FOO_pool"

I have tried the Framed-Protocol=PPP (is this still desired for PPTP, BTW?), and I
have tried setting:

Service-Type = Framed-User

at the beginning and end of the line, and the same for "Login-User", but the "Could not
find Pool-Name attribute" persists.  The config files are all the same as on the
older versions (2.1.09-.10).  The pool name is listed in the accounting and
post-auth sections of sites-enabled/default.

Appreciate any clues as to what I missed.
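As an added illustration that is not part of the thread, here is a small Python parser for users-file entries of the shape posted above. It splits each entry into the two lists rlm_files builds from it (first-line check items and indented reply items), so you can see where an item such as `Pool-Name :=` lands, and it flags comparison operators on continuation lines, where a reply item is expected. The SAMPLE entries are constructed copies of the old and new DEFAULT entries from the post.

```python
import re
from collections import namedtuple

# Operators rlm_files accepts; ":=" and "==" are listed before "=" so the regex tries them first.
_OPS = [":=", "==", "!=", "+=", "<=", ">=", "=~", "!~", "<", ">", "="]
_ITEM = re.compile(r'\s*([A-Za-z0-9._\-]+)\s*(' + "|".join(map(re.escape, _OPS))
                   + r')\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*,?')
_COMPARISONS = {"==", "!=", "<", ">", "<=", ">=", "=~", "!~"}
Entry = namedtuple("Entry", "name check reply")  # check: first-line items, reply: indented items

def _parse_items(text):
    """'A op v, B op v' -> [(attr, op, value), ...] with surrounding quotes stripped."""
    items, pos, end = [], 0, len(text.rstrip())
    while pos < end:
        m = _ITEM.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item list near {text[pos:]!r}")
        attr, op, val = m.groups()
        items.append((attr, op, val.strip('"')))
        pos = m.end()
    return items

def parse_users(text):
    """First line of an entry holds check items; indented lines hold reply items."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":                       # a new entry starts here
            name, *rest = line.split(None, 1)
            cur = Entry(name, _parse_items(rest[0] if rest else ""), [])
            entries.append(cur)
        elif cur is None:
            raise ValueError("continuation line before any entry")
        else:
            cur.reply.extend(_parse_items(line))
    return entries

def lint(entry):
    """Reply items assign values, so a comparison on a reply line never sets anything."""
    return [f"{entry.name}: '{a} {op} {v}' is a comparison on a reply line"
            for a, op, v in entry.reply if op in _COMPARISONS]

# Constructed sample: the old (working) and the new DEFAULT entries quoted in the post.
SAMPLE = '''\
DEFAULT         Group == FOO, Pool-Name :="FOO_pool", Auth-Type = Ldap
                Framed-Protocol == PPP,
                Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT         Group == "FOO", Pool-Name :="FOO_pool"'''
```

Run `parse_users(SAMPLE)` and `lint()` over each entry to see the split and the flagged `Framed-Protocol == PPP` reply item of the old entry.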

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html