RE: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

2008-02-14 Thread Ranner, Frank MR
UNCLASSIFIED

 -Original Message-
  Looking at this it seems that the LDAP record is holding the password
  with a certain encryption and that Radius needs to be told to encrypt
  the password it has passed to it in that format.
  
  Anyone know what the LDAP encryption would be, and how to influence
  RADIUS's treatment of the password.
  
  David
  
 
 Now fixed.
 
 All I had to do in the end was add the line for userPassword and
 then change this from no to yes
 
 pap {
         auto_header = yes
 }
 
 in my radiusd.conf file which allows radius to work out how to encrypt
 the password - in this case I *THINK* against a /etc/shadow format
 hash
 
From man slappasswd


 -h scheme
        If -h is specified, one of the following RFC 2307 schemes may be
        specified: {CRYPT}, {MD5}, {SMD5}, {SSHA}, and {SHA}. The default
        is {SSHA}.

        Note that scheme names may need to be protected, due to { and },
        from expansion by the user's command interpreter.

        {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter
        with a seed.

        {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter
        with a seed.

        {CRYPT} uses the crypt(3).

        {CLEARTEXT} indicates that the new password should be added to
        userPassword as clear text.

Regards
Frank Ranner
Classification=UNCLASSIFIED
Precedence=ROUTINE
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
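Added example (my own code, not from the thread, FreeRADIUS or OpenLDAP): a Python model of what pap's auto_header = yes does with the RFC 2307 {SCHEME} prefix that slappasswd writes, covering the {SHA}, {SSHA}, {MD5}, {SMD5}, {CRYPT} and clear-text cases from the man page above. Calling it with auto_header=False reproduces the failure in David's debug output, where the whole {crypt}... string was compared as a clear-text password; function names and the sample salts are my own.

```python
import base64
import hashlib
import hmac
import os

try:
    import crypt  # crypt(3) wrapper; removed from the stdlib in Python 3.13
except ImportError:
    crypt = None

# scheme -> (hash, digest length, salted); salted variants append the salt to the digest
_SCHEMES = {"SHA": (hashlib.sha1, 20, False), "SSHA": (hashlib.sha1, 20, True),
            "MD5": (hashlib.md5, 16, False), "SMD5": (hashlib.md5, 16, True)}


def parse_userpassword(stored):
    """'{ssha}b64...' -> ('SSHA', 'b64...'); case-insensitive, as '{crypt}' in the log."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, data = stored[1:].partition("}")
        return scheme.upper(), data
    return "CLEARTEXT", stored  # no header: value is the clear-text password


def make_userpassword(password, scheme="SSHA", salt=None):
    """Build a value like 'slappasswd -h {SCHEME}' (constructed here, not OpenLDAP code)."""
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return password
    algo, _, salted = _SCHEMES[scheme]  # {CRYPT} left to slappasswd/crypt(3) itself
    salt = (salt if salt is not None else os.urandom(4)) if salted else b""
    digest = algo(password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def check_password(candidate, stored, auto_header=True):
    """Verify like pap with auto_header = yes. auto_header=False reproduces the
    thread's failure: the whole '{crypt}...' string is compared as clear text."""
    if not auto_header:
        return hmac.compare_digest(candidate.encode(), stored.encode())
    scheme, data = parse_userpassword(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(candidate.encode(), data.encode())
    if scheme == "CRYPT":
        if crypt is None:
            raise RuntimeError("{CRYPT} needs the crypt module (Python < 3.13)")
        return hmac.compare_digest(crypt.crypt(candidate, data), data)
    if scheme not in _SCHEMES:
        return False  # unknown scheme: reject rather than guess
    algo, dlen, _ = _SCHEMES[scheme]
    raw = base64.b64decode(data)
    digest, salt = raw[:dlen], raw[dlen:]
    return hmac.compare_digest(algo(candidate.encode() + salt).digest(), digest)
```

With the header parsed, a {crypt} value hashes the candidate with crypt(3) using the stored string as the salt, which is the /etc/shadow-style comparison David describes.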

Re: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

2008-02-13 Thread David W Bell

Ranner, Frank MR wrote:

UNCLASSIFIED

  
Config as requested - I did uncomment and configure the identity section
- is this not required?

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = localhost
        identity = cn=Administrator,dc=dxi,dc=net
        password = trPic4n03
        basedn = dc=dxi,dc=net
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        #base_filter = (objectclass=radiusprofile)

        #  How many connections to keep open to the LDAP server.
        #  This saves time over opening a new LDAP socket for
        #  every authentication request.
        ldap_connections_number = 5

        # seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        #  seconds LDAP server has to process the query (server-side
        #  time limit). default: 20
        #
        #  LDAP_OPT_TIMELIMIT is set to this value.
        timelimit = 3

        #
        #  seconds to wait for response of the server. (network
        #   failures) default: 10
        #
        #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1
        tls {
                # Set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                #
                # The StartTLS operation is supposed to be
                # used with normal ldap connections instead of
                # using ldaps (port 689) connections
                start_tls = no

                # cacertfile= /path/to/cacert.pem
                # cacertdir = /path/to/ca/dir/
                # certfile  = /path/to/radius.crt
                # keyfile   = /path/to/radius.key
                # randfile  = /path/to/rnd

                #  Certificate Verification requirements.  Can be:
                #    never  (don't even bother trying)
                #    allow  (try, but don't fail if the certificate
                #            can't be verified)
                #    demand (fail if the certificate doesn't verify.)
                #
                #   The default is allow
                # require_cert  = demand
        }

        # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
        # profile_attribute = radiusProfileDn
        # access_attr = dialupAccess

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${confdir}/ldap.attrmap

        #  Set password_attribute = nspmPassword to get the
        #  user's password from a Novell eDirectory
        #  backend. This will work ONLY IF FreeRADIUS has been
        #  built with the --with-edir configure option.
        #
        # password_attribute = userPassword


Thanks for the tip - tried it and it didn't work.

Worth a try though - so thanks.

David

rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion :-.  See man unlang for details
   expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
   expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!
!!! Please update your configuration so that the known good !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!


RE: Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

2008-02-12 Thread Ranner, Frank MR
UNCLASSIFIED

 Config as requested - I did uncomment and configure the identity section
 - is this not required?
 
 ldap {
         #
         #  Note that this needs to match the name in the LDAP
         #  server certificate, if you're using ldaps.
         server = localhost
         identity = cn=Administrator,dc=dxi,dc=net
         password = trPic4n03
         basedn = dc=dxi,dc=net
         filter = (uid=%{Stripped-User-Name:-%{User-Name}})
         #base_filter = (objectclass=radiusprofile)
 
         #  How many connections to keep open to the LDAP server.
         #  This saves time over opening a new LDAP socket for
         #  every authentication request.
         ldap_connections_number = 5
 
         # seconds to wait for LDAP query to finish. default: 20
         timeout = 4
 
         #  seconds LDAP server has to process the query (server-side
         #  time limit). default: 20
         #
         #  LDAP_OPT_TIMELIMIT is set to this value.
         timelimit = 3
 
         #
         #  seconds to wait for response of the server. (network
         #   failures) default: 10
         #
         #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
         net_timeout = 1
         tls {
                 # Set this to 'yes' to use TLS encrypted connections
                 # to the LDAP database by using the StartTLS extended
                 # operation.
                 #
                 # The StartTLS operation is supposed to be
                 # used with normal ldap connections instead of
                 # using ldaps (port 689) connections
                 start_tls = no
 
                 # cacertfile= /path/to/cacert.pem
                 # cacertdir = /path/to/ca/dir/
                 # certfile  = /path/to/radius.crt
                 # keyfile   = /path/to/radius.key
                 # randfile  = /path/to/rnd
 
                 #  Certificate Verification requirements.  Can be:
                 #    never  (don't even bother trying)
                 #    allow  (try, but don't fail if the certificate
                 #            can't be verified)
                 #    demand (fail if the certificate doesn't verify.)
                 #
                 #   The default is allow
                 # require_cert  = demand
         }
 
         # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
         # profile_attribute = radiusProfileDn
         # access_attr = dialupAccess
 
         # Mapping of RADIUS dictionary attributes to LDAP
         # directory attributes.
         dictionary_mapping = ${confdir}/ldap.attrmap
 
         #  Set password_attribute = nspmPassword to get the
         #  user's password from a Novell eDirectory
         #  backend. This will work ONLY IF FreeRADIUS has been
         #  built with the --with-edir configure option.
         #
         # password_attribute = userPassword

I think you need to un-comment this line --^

Regards,
Frank Ranner
Classification=UNCLASSIFIED
Precedence=ROUTINE