Re: rlm-ldap error for chap

2010-02-27 Thread Alan DeKok
Eric Eric wrote:
> with Cleartext-password or User-Password I have the same error. radius
> -x and my configs for chap are here. I searched a lot and tested it but
> have not found why it can't find the clear text password. Should I add
> another thing? or change another file?

  Does your database have a clear-text password for the user?  It looks
like the answer is no.

> It worked for pap and I added :
> in users :
>
>  DEFAULT Client-IP-Address == 10.10.10.2 , Auth-Type := Vpn, Autz-Type
> := Vpn, Post-Auth-Type := Vpn, Session-type := Vpn

  I don't see why all that is necessary.

> in radius.conf:
> ldap ldap-Vpn{
>
> password_attribute = userPassword
> password_header = {clear}

  Well... it's not finding the userPassword attribute in LDAP.

>  Auth-Type Vpn{
> chap

  That makes no sense.  You've added a LOT to the server for little value.

  Try this:

1) start with a default install / configuration files

2) configure LDAP

3) get PAP working

4) do NOTHING ELSE until you get PAP working

5) get CHAP working (radclient will do this)

6) THEN go customize the heck out of the server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
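
Why the replies keep asking whether a clear-text password is stored: a CHAP check recomputes an MD5 over the password itself, so a hashed directory value can never match. This is an added example, not code from the thread or from FreeRADIUS; the password, challenge and salt are constructed, and `strip_header` is an assumed model of what `password_header` does.

```python
import base64
import hashlib
import hmac

def chap_response(chap_id, secret, challenge):
    # RFC 1994: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def strip_header(stored, header):
    # Assumed model of password_header: remove the configured prefix if present.
    if header and stored.startswith(header):
        return stored[len(header):]
    return stored

def verify_chap(chap_password, challenge, stored, header=b""):
    # RADIUS CHAP-Password is 17 octets: CHAP identifier + 16-octet MD5 response.
    if len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, strip_header(stored, header), challenge)
    return hmac.compare_digest(expected, response)

def ssha(password, salt):
    # Salted SHA-1 in the common {SSHA} directory format (constructed sample).
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)

def demo():
    # Constructed request: what a NAS would send for a user whose password is "s3cret".
    challenge = bytes(range(16))
    chap_password = bytes([7]) + chap_response(7, b"s3cret", challenge)
    return {
        "plain": verify_chap(chap_password, challenge, b"s3cret"),
        "clear_header_stripped": verify_chap(chap_password, challenge, b"{clear}s3cret", b"{clear}"),
        "clear_header_kept": verify_chap(chap_password, challenge, b"{clear}s3cret"),
        "ssha_hash": verify_chap(chap_password, challenge, ssha(b"s3cret", b"salt"), b"{SSHA}"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24} {'Access-Accept' if ok else 'Access-Reject'}")
```
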


Re: rlm-ldap error for chap

2010-02-24 Thread John Dennis
I owe you an apology, I said not to edit /etc/raddb/ldap.attrmap, but
you do. I always forget that the clear text password mapping is not in
ldap.attrmap by default, I assume that's because of the inherent security
risks. By forcing you to add it you'll be forcefully aware of what
you've done. Here's the issue, you don't want unprivileged users
reading someone's password from the directory. It's vital you protect the
clear text password with some type of access control in your ldap
server. How you do that depends on the particular ldap server you're
using. You might consider using precomputed hashes such as LT and NT.
That would mitigate the exposure of a clear text password, but hashes
should be protected as well by access control.


Now to make matters a touch bit more complicated FreeRADIUS changed how 
it accessed the clear text password in its set of attributes. In older 
versions of FreeRADIUS it was known as User-Password, but that produced 
an unfortunate ambiguity and it was later modified to be
Cleartext-Password, I'm sorry but I don't remember the version this was 
modified in.


For old versions of FreeRADIUS you'll need this in ldap.attrmap

checkItem   User-Password  userPassword

For modern versions of FreeRADIUS you'll need this in ldap.attrmap

checkItem   Cleartext-Password  userPassword

If you're still having problems then please follow-up with the full 
contents of your config file (not snippets) and the output of

radiusd -X.

--
John Dennis jden...@redhat.com



Re: rlm-ldap error for chap

2010-02-24 Thread Alan Buxey
Hi,

> Now to make matters a touch bit more complicated FreeRADIUS changed how
> it accessed the clear text password in its set of attributes. In older
> versions of FreeRADIUS it was known as User-Password, but that produced
> an unfortunate ambiguity and it was later modified to be
> Cleartext-Password, I'm sorry but I don't remember the version this was
> modified in.

version 1.1.4 brought this into play.

alan


Re: rlm-ldap error for chap

2010-02-23 Thread Eric Eric
Excuse me my reply was incomplete and sent with error. 
I changed Cleartext-Password in ldap.attrmap to User-Password
and now:
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
and checked with password_header = {clear} and without it. but error is the 
same as before.


--- On Tue, 2/23/10, Eric Eric eric121...@yahoo.com wrote:

From: Eric Eric eric121...@yahoo.com
Subject: rlm-ldap error for chap
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Tuesday, February 23, 2010, 10:31 AM

I changed Cleartext-Password in ldap.attrmap to User-Password
and now:
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
and checked with password_header = {clear} and without it. b

--- On Tue, 2/23/10, Fajar A. Nugraha fa...@fajar.net wrote:

From: Fajar A. Nugraha fa...@fajar.net
Subject: Re: rlm-ldap error for chap
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Tuesday, February 23, 2010, 6:47 AM

On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric eric121...@yahoo.com wrote:

> Hi
> I want to change authentication pap to chap. The users with clear passwords
> are in ldap server. but there is an error with clear password in rlm-ldap
>
> rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password

is the cleartext password there?

> ldap ldap-Vpn{
>
>      password_attribute = userPassword
>      password_header = {clear}
>
>      }

does the cleartext password have a header?

-- 
Fajar


Re: rlm-ldap error for chap

2010-02-23 Thread John Dennis

On 02/23/2010 01:32 AM, Eric Eric wrote:

> Hi
> I want to change authentication pap to chap. The users with clear
> passwords are in ldap server. but there is an error with clear password in
> rlm-ldap


What version of FreeRADIUS are you running? Normally it's the first 
thing in the debug output, except for old versions.


What does an ldap search of the test user's dn return? (use the 
ldapsearch command line utility).


My guess is there isn't an attribute called userPassword.
--
John Dennis jden...@redhat.com

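
The check asked for above (what ldapsearch returns for the test user) can be scripted over the LDIF output to see whether `userPassword` came back at all and whether it is clear text. This is an added example, not from any poster in the thread; the entries, DNs, passwords and the set of headers treated as clear text are constructed assumptions.

```python
import base64
import re

SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_-]+)\}")
CLEAR_HEADERS = {b"clear", b"cleartext"}  # assumption: headers that mean "not hashed"

def ldif_values(ldif, attr):
    """Raw values of attr in LDIF text; 'attr:: value' means base64-encoded."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # a leading space continues the previous line
    values = []
    for line in unfolded.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):
            values.append(base64.b64decode(rest[1:].strip()))
        else:
            values.append(rest.strip().encode())
    return values

def classify(value):
    """Say whether a stored userPassword value can be used for CHAP."""
    m = SCHEME_RE.match(value)
    if m is None:
        return "cleartext, no header"
    scheme = m.group(1).lower()
    if scheme in CLEAR_HEADERS:
        return "cleartext, header {%s}" % scheme.decode()
    return "hashed {%s}, unusable for CHAP" % scheme.decode()

def check_entry(ldif):
    values = ldif_values(ldif, "userPassword")
    if not values:
        return ["no userPassword returned: attribute missing or hidden by ACL"]
    return [classify(v) for v in values]

def make_entry(uid, stored=None):
    # Constructed LDIF in the shape ldapsearch prints (userPassword shown as base64).
    text = "dn: uid=%s,ou=people,dc=example,dc=org\nuid: %s\n" % (uid, uid)
    if stored is not None:
        text += "userPassword:: %s\n" % base64.b64encode(stored).decode()
    return text

SAMPLES = {
    "alice": make_entry("alice", b"{clear}s3cret"),
    "bob": make_entry("bob", b"{SSHA}" + base64.b64encode(b"\x00" * 24)),
    "carol": make_entry("carol"),
}

if __name__ == "__main__":
    for uid, ldif in SAMPLES.items():
        print(uid, check_entry(ldif))
```

Run the search with the same bind identity FreeRADIUS uses: an entry that shows `userPassword` to an administrator may show nothing to the RADIUS service account if the directory's access control hides it.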


Re: rlm-ldap error for chap

2010-02-23 Thread John Dennis

On 02/23/2010 05:31 AM, Eric Eric wrote:

> I changed Cleartext-Password in ldap.attrmap to User-Password


Don't do that, that's got nothing to do with finding the user's password 
in your directory.


It's the password_attribute in your ldap config which controls how to
find the user's password in your directory. But first you must find the
user in your directory, which is controlled by the basedn and filter
ldap config items. What are they set to and what does ldapsearch return
when you pass ldapsearch the same basedn and filter?


--
John Dennis jden...@redhat.com



Re: rlm-ldap error for chap

2010-02-22 Thread Fajar A. Nugraha
On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric eric121...@yahoo.com wrote:

> Hi
> I want to change authentication pap to chap. The users with clear passwords
> are in ldap server. but there is an error with clear password in rlm-ldap
>
> rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password

is the cleartext password there?

> ldap ldap-Vpn{
>
>      password_attribute = userPassword
>      password_header = {clear}
>
>      }

does the cleartext password have a header?

-- 
Fajar
