Re: rlm-ldap error for chap
Eric Eric wrote:
> With Cleartext-password or User-Password I have the same error.
> radius -x and my configs for chap are here. I searched a lot and tested it but could not find why it can't find the clear text password. Should I add anything else, or change another file?

Does your database have a clear-text password for the user? It looks like the answer is no.

> It worked for pap and I added:
> in users:
>   DEFAULT Client-IP-Address == 10.10.10.2 , Auth-Type := Vpn, Autz-Type := Vpn, Post-Auth-Type := Vpn, Session-type := Vpn

I don't see why all that is necessary.

> in radius.conf:
>   ldap ldap-Vpn{
>     password_attribute = userPassword
>     password_header = {clear}

Well... it's not finding the userPassword attribute in LDAP.

>   Auth-Type Vpn{
>     chap

That makes no sense. You've added a LOT to the server for little value.

Try this:

1) start with a default install / configuration files
2) configure LDAP
3) get PAP working
4) do NOTHING ELSE until you get PAP working
5) get CHAP working (radclient will do this)
6) THEN go customize the heck out of the server.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm-ldap error for chap
I owe you an apology. I said not to edit /etc/raddb/ldap.attrmap, but you do. I always forget that the clear text password mapping is not in ldap.attrmap by default; I assume that is because of the inherent security risks. By forcing you to add it you'll be forcefully aware of what you've done.

Here's the issue: you don't want unprivileged users reading someone's password from the directory. It's vital you protect the clear text password with some type of access control in your ldap server. How you do that depends on the particular ldap server you're using. You might consider using precomputed hashes such as LT and NT. That would mitigate the exposure of a clear text password, but hashes should be protected as well by access control.

Now to make matters a touch bit more complicated, FreeRADIUS changed how it accessed the clear text password in its set of attributes. In older versions of FreeRADIUS it was known as User-Password, but that produced an unfortunate ambiguity and it was later modified to be Cleartext-Password. I'm sorry but I don't remember the version this was modified in.

For old versions of FreeRADIUS you'll need this in ldap.attrmap:

  checkItem User-Password userPassword

For modern versions of FreeRADIUS you'll need this in ldap.attrmap:

  checkItem Cleartext-Password userPassword

If you're still having problems then please follow up with the full contents of your config file (not snippets) and the output of radiusd -X.

-- 
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
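To show why the thread keeps asking whether the directory really holds a clear text password, here is an added example (not from the thread or FreeRADIUS itself) that recomputes a RADIUS CHAP-Password from a stored userPassword value, honouring the password_header = {clear} setting from the thread. The directory entries, challenge and the {SSHA} placeholder are constructed; the assumption that any other {scheme} prefix marks a stored hash is mine.

```python
import hashlib
import hmac

# password_header = {clear} from the thread: rlm_ldap strips this prefix before
# mapping userPassword to Cleartext-Password.
PASSWORD_HEADER = b"{clear}"

# Constructed directory entries (not from the thread). "alice" is what a working
# setup needs; "bob" stores only a hash, which PAP could check but CHAP cannot;
# "carol" has no userPassword at all (or the bind user is not allowed to read it).
LDAP_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"userPassword": b"{clear}s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {
        "userPassword": b"{SSHA}constructed-hash-placeholder"},
    "uid=carol,ou=people,dc=example,dc=com": {},
}


def cleartext_password(entry):
    """Value rlm_ldap could hand to Cleartext-Password, or None if unusable.

    Assumption: a value starting with some other {scheme} is a stored hash.
    """
    value = entry.get("userPassword")
    if value is None:
        return None                      # attribute missing or not readable
    if value.startswith(PASSWORD_HEADER):
        return value[len(PASSWORD_HEADER):]
    if value.startswith(b"{"):
        return None                      # {SSHA}, {CRYPT}, ...: not clear text
    return value                         # bare clear text, no header


def chap_password_attr(ident, password, challenge):
    """RADIUS CHAP-Password: 1-octet id + MD5(id || secret || challenge) (RFC 1994/2865)."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def chap_verify(entry, challenge, chap_password):
    """Recompute the digest from the directory's clear text; False if there is none."""
    if len(chap_password) != 17:
        return False
    password = cleartext_password(entry)
    if password is None:
        return False                     # nothing to recompute the digest with
    expected = chap_password_attr(chap_password[0], password, challenge)
    return hmac.compare_digest(expected, chap_password)
```

Only the entry with a readable clear text value can ever verify; a hashed or missing userPassword fails regardless of what the client sent, which is exactly the symptom the thread describes.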
Re: rlm-ldap error for chap
Hi,

> Now to make matters a touch bit more complicated FreeRADIUS changed how it accessed the clear text password in its set of attributes. In older versions of FreeRADIUS it was known as User-Password, but that produced an unfortunate ambiguity and it was later modified to be Cleartext-Password, I'm sorry but I don't remember the version this was modified in.

version 1.1.4 brought this into play.

alan
Re: rlm-ldap error for chap
Excuse me, my reply was incomplete and sent in error.

I changed Cleartext-Password in ldap.attrmap to User-Password and now:

  rlm_ldap: LDAP userPassword mapped to RADIUS User-Password

and checked with password_header = {clear} and without it, but the error is the same as before.
Re: rlm-ldap error for chap
On 02/23/2010 01:32 AM, Eric Eric wrote:
> Hi
> I want to change authentication from pap to chap. The users with clear passwords are in the ldap server, but there is an error with the clear password in rlm-ldap

What version of FreeRADIUS are you running? Normally it's the first thing in the debug output, except for old versions.

What does an ldap search of the test user's dn return? (use the ldapsearch command line utility). My guess is there isn't an attribute called userPassword.

-- 
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: rlm-ldap error for chap
On 02/23/2010 05:31 AM, Eric Eric wrote:
> I changed Cleartext-Password in ldap.attrmap to User-Password

Don't do that; that's got nothing to do with finding the user's password in your directory. It's the password_attribute in your ldap config which controls how to find the user's password in your directory. But first you must find the user in your directory, which is controlled by the basedn and filter ldap config items. What are they set to, and what does ldapsearch return when you pass ldapsearch the same basedn and filter?

-- 
John Dennis jden...@redhat.com
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: rlm-ldap error for chap
On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric eric121...@yahoo.com wrote:
> Hi
> I want to change authentication from pap to chap. The users with clear passwords are in the ldap server, but there is an error with the clear password in rlm-ldap
>
> rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password

is the cleartext password there?

> ldap ldap-Vpn{
>   password_attribute = userPassword
>   password_header = {clear}
> }

does the cleartext password have a header?

-- 
Fajar