Are you sure you don't get CHAP password from the NAS?
/Ingvar
-----Original Message-----
From: Frederic Gargula [mailto:[EMAIL PROTECTED]]
Sent: den 7 februari 2001 16:26
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Robin Gruyters; Claude Iyi Dogan
Subject: (RADIATOR) LDAP with MIMEBASE64 and MD5 trouble
Hi all,
I'm testing authentication with Radiator 2.17.1 on OpenLDAP 1.2.11 (each
on a separate server, both on a private testing network), and I have
trouble with MD5 encryption.
On the LDAP server, passwords are stored in the form :
{MD5}ZviHb9U7k5r2YaTNG6QuTA== [this format is known as MD5 with MIME]
Following the documentation, and particularly the sections 13.1.1 and
13.1.2, Radiator supports this encrypted format for both 'User-Password'
and 'Encrypted-Password' check items.
I've tried both, and I have :
-using 'User-Password' :
>
> Tue Feb 6 10:19:12 2001: DEBUG: Handling with Radius::AuthLDAP2
> Tue Feb 6 10:19:12 2001: DEBUG: Connecting to 192.168.100.10, port 389
> Tue Feb 6 10:19:12 2001: DEBUG: LDAP got result for
> [EMAIL PROTECTED],ou=users,domain=easynet.fr,vip=easynet-fr,o=easynet.net
> Tue Feb 6 10:19:12 2001: DEBUG: LDAP got userpassword: {MD5}ZviHb9U7k5r2YaTNG6QuTA==
> Tue Feb 6 10:19:12 2001: DEBUG: LDAP got idletime: 0
> Tue Feb 6 10:19:12 2001: DEBUG: LDAP got ippool: 1
> Tue Feb 6 10:19:12 2001: DEBUG: LDAP got ipnetmask: 255.255.255.255
> Tue Feb 6 10:19:12 2001: DEBUG: LDAP got iproutemetric: 2
> Tue Feb 6 10:19:12 2001: DEBUG: Radius::AuthLDAP2 looks for match with
>[EMAIL PROTECTED]
> Tue Feb 6 10:19:12 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password
-using 'Encrypted-Password' :
> Tue Feb 6 10:50:25 2001: DEBUG: Handling with Radius::AuthLDAP2
> Tue Feb 6 10:50:25 2001: DEBUG: Connecting to 192.168.100.10, port 389
> Tue Feb 6 10:50:25 2001: DEBUG: LDAP got result for
> [EMAIL PROTECTED],ou=users,domain=easynet.fr,vip=easynet-fr,o=easynet.net
> Tue Feb 6 10:50:25 2001: DEBUG: LDAP got userpassword:{MD5}ZviHb9U7k5r2YaTNG6QuTA==
> Tue Feb 6 10:50:25 2001: DEBUG: LDAP got idletime: 0
> Tue Feb 6 10:50:25 2001: DEBUG: LDAP got ippool: 1
> Tue Feb 6 10:50:25 2001: DEBUG: LDAP got ipnetmask: 255.255.255.255
> Tue Feb 6 10:50:25 2001: DEBUG: LDAP got iproutemetric: 2
> Tue Feb 6 10:50:25 2001: DEBUG: Radius::AuthLDAP2 looks for match with
> [EMAIL PROTECTED]
> Tue Feb 6 10:50:25 2001: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted password
I'm sure of my password, and I don't understand why Radiator still
rejects my requests.
I've seen many past posts in this mailing list, and I remember Robin
Gruyters's one, on Jun 13 2000 :
> hi,
>
> Because we use in our LDAP for password md5 with MIME64
> (userpassword={MD5}qP0OV/oViFka8YbFMWEWeg==)
> We had to make some changes in the Radius.pm file. Here is a patch:
>
> --- Radius.pm Tue Jun 13 10:25:10 2000
> +++ Radiusmd5.pm Tue Jun 13 10:26:12 2000
> @@ -708,6 +708,18 @@
> # via Apache::AuthenRadius or similar
> $result = &check_digest_password($user, $submitted_pw,
> $pw);
> }
> + elsif ($pw =~ /^{MD5}/)
> + {
> + require MIME::Base64;
> + require Digest::MD5;
> + my $context = new MD5;
> + $context->reset();
> + $context->add("$submitted_pw");
> +
> + my $tmppw = "{MD5}" .
> MIME::Base64::encode_base64($context->digest());
> + chomp($tmppw);
> + $result = ($tmppw eq $pw);
> + }
> else
> {
> # Just ordinary old plaintext, look for an exact match
>
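Review bot: In the added elsif branch the module that is loaded and the class that is instantiated do not match: the hunk does "require Digest::MD5;" but then calls "new MD5", which is the class name of the older MD5 module, so the branch only works if that module is already loaded elsewhere in Radius.pm. Construct the context with Digest::MD5->new instead; a fresh context also makes the reset() call unnecessary. The chomp() is needed only because encode_base64 appends a newline by default, and passing '' as its second argument avoids the extra step. The final eq comparison assumes the directory value uses the exact prefix {MD5} and padded base64, which deserves a comment next to the test.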
I don't understand why he has to patch Radius.pm, because following the
Class Hierarchy on section 17.5, the AuthLDAP2 inherits from
AuthGeneric.
Nowhere else the {MD5} encryption appears :
morrison:/usr/local/src/Radiator-2.17.1/Radius$ grep "{MD5}" *
AuthGeneric.pm: elsif ($pw =~ /^{MD5}/)
AuthGeneric.pm: $cmp_pass = '{MD5}' .
MIME::Base64::encode_base64($md5->digest());
AuthGeneric.pm: $cmp_pass = "{MD5}" . $md5->hexdigest();
I've put my config file in attachment.
Is the inheritance working ?
Does anyone have any idea for my trouble ?
--
Frederic Gargula
Systems Designer
Easynet France
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
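Added example, not part of the thread and not Radiator code: a sketch of the check the two {MD5} forms in the grep output imply (base64 and hex), and of why the CHAP question at the top of the thread matters. The function names, the sample password and the challenge are constructed for illustration; the CHAP response layout follows RFC 1994.

```python
import base64
import binascii
import hashlib
import hmac

PREFIX = "{MD5}"

def decode_stored(stored: str) -> bytes:
    """Return the raw 16-byte digest from '{MD5}<base64>' or '{MD5}<hex>'."""
    if not stored.startswith(PREFIX):
        raise ValueError("value does not start with {MD5}")
    body = stored[len(PREFIX):].strip()
    raw = None
    if len(body) == 32:  # hex form is 32 hex digits
        try:
            raw = bytes.fromhex(body)
        except ValueError:
            raw = None
    if raw is None:  # base64 form is 24 characters ending in '=='
        try:
            raw = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("body is neither hex nor base64") from exc
    if len(raw) != 16:
        raise ValueError("an MD5 digest is 16 bytes")
    return raw

def check_pap(stored: str, submitted: str) -> bool:
    """PAP: the server sees the cleartext password, so it can hash and compare."""
    digest = hashlib.md5(submitted.encode()).digest()
    return hmac.compare_digest(digest, decode_stored(stored))

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def check_chap_from_digest(stored: str, ident: int, challenge: bytes,
                           response: bytes) -> bool:
    """All a server holding only the digest can try; it cannot match,
    because the peer hashed the cleartext password, not its MD5 digest."""
    guess = chap_response(ident, decode_stored(stored), challenge)
    return hmac.compare_digest(guess, response)

# Constructed sample data (not taken from the thread).
PASSWORD = "example-pw"
_DIGEST = hashlib.md5(PASSWORD.encode())
STORED_B64 = PREFIX + base64.b64encode(_DIGEST.digest()).decode()
STORED_HEX = PREFIX + _DIGEST.hexdigest()
CHALLENGE = bytes(range(16))
RESPONSE = chap_response(7, PASSWORD.encode(), CHALLENGE)

if __name__ == "__main__":
    print("PAP vs stored digest: ", check_pap(STORED_B64, PASSWORD))
    print("CHAP vs stored digest:", check_chap_from_digest(STORED_B64, 7, CHALLENGE, RESPONSE))
```

A CHAP request can only be verified when the server holds the cleartext password, so a directory that stores only {MD5} values rejects it even when the user typed the right password.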