Freeradius and LDAP : to be continued

Seferovic Edvin edvin.seferovic at kolp.at
Thu Dec 15 17:10:57 CET 2005


Hi,

Rather confusing. I have to admit, I have never used chillispot, but I've
just visited their website and in the FAQ I found "Why should I use
CHAP-Challenge and CHAP-Password?", so this makes me think that Chillispot
uses CHAP authorization. And when you use CHAP, you do NOT need LDAP for
authorisation, but as a password storage. Okay - great.. what now?

When you look at your radiusd.conf file there is a part where you can define
your LDAP server etc.. 

ldap ldap_users {

                server = "81.xxxxxxxxxx"
                # identity = "cn=admin,o=My Org,c=UA"
                # password = mypass
                basedn = "ou=People,dc=xxx,dc=xx"
                filter = "(&(objectClass=posixAccount)(uid=%u))"

                start_tls = no

                ......
                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 10
                # password_header = "{clear}"
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # access_attr_used_for_allow = yes
        }

I hope you have that right (this is only a part of my working config).
Next, what Alan said is to change the authorisation part. As I said -
chillispot apparently wants CHAP, so in the following section use CHAP

authorize {

        #  The chap module will set 'Auth-Type := CHAP' if we are
        #  handling a CHAP request and Auth-Type has not already been set
        chap

        # here you can also have
        ldap_users
        # for radtest to work ( IMHO it should be like this )
}

And in 

authenticate {

        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
                ldap_users
        }
}

As it says in authenticate section - passwords in LDAP should be in clear
text... 

Try this out. I cannot promise you that it will work, but it is the same way
I have set up my POPTOP server with MS-CHAP, and it works.. I would also
appreciate some guru to take a look at this and publish his opinion about
this on this list ;)

Kind regards,

Edvin
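To make the "passwords in LDAP should be in clear text" point concrete, here is an added worked example (my own code, not part of Edvin's or Christophe's posts and not FreeRADIUS code). It reproduces what rlm_chap has to compute once the authorize section has pulled a User-Password out of the directory: the RFC 1994 MD5 response over the CHAP identifier, the cleartext secret and the challenge, as carried in the RADIUS CHAP-Password and CHAP-Challenge attributes. The directory is a constructed in-memory dictionary standing in for the ldap_users module: alice has a {clear} password and bob only a salted SHA-1 ({SSHA}) hash. PAP-style verification works for both; CHAP can only succeed for alice, which is exactly why the authenticate section's comment says encrypted passwords won't work.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PASSWORD_HEADER = "{clear}"  # matches the commented-out password_header above


def make_ssha(password: bytes, salt: bytes) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password || salt) || salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()


def verify_ssha(stored: str, password: bytes) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


# Constructed sample directory (not from the original post). This stands in
# for what rlm_ldap returns from the attribute named by password_attribute.
LDAP_USERS = {
    "alice": {"userPassword": PASSWORD_HEADER + "correct-horse-battery-staple"},
    "bob": {"userPassword": make_ssha(b"bob-password", b"\x01\x02\x03\x04")},
}


def lookup_cleartext(username: str) -> Optional[bytes]:
    """Return the cleartext password, or None when the directory only holds
    a hash (or has no such user). A hash cannot be turned back into cleartext."""
    entry = LDAP_USERS.get(username)
    if entry is None:
        return None
    stored = entry["userPassword"]
    if stored.startswith(PASSWORD_HEADER):
        return stored[len(PASSWORD_HEADER):].encode()
    return None


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994, MD5 variant: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + password + challenge).digest()


def build_chap_password_attr(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Value of the RADIUS CHAP-Password attribute (RFC 2865 section 5.3):
    one octet CHAP Ident followed by the 16-octet response."""
    return bytes([chap_id & 0xFF]) + chap_response(chap_id, password, challenge)


def verify_chap(username: str, chap_password_attr: bytes, chap_challenge: bytes) -> bool:
    """Server side of CHAP, as rlm_chap does it once authorize supplied User-Password."""
    if len(chap_password_attr) != 17:
        return False  # malformed attribute: reject instead of guessing
    chap_id, client_response = chap_password_attr[0], chap_password_attr[1:]
    password = lookup_cleartext(username)
    if password is None:
        return False  # the "Encrypted passwords won't work" case
    expected = chap_response(chap_id, password, chap_challenge)
    return hmac.compare_digest(expected, client_response)


def verify_pap(username: str, password: bytes) -> bool:
    """Contrast: with PAP the server holds the password itself, so a hashed
    userPassword (or a plain LDAP bind) is enough. Local check in place of a bind."""
    entry = LDAP_USERS.get(username)
    if entry is None:
        return False
    stored = entry["userPassword"]
    if stored.startswith(PASSWORD_HEADER):
        return hmac.compare_digest(stored[len(PASSWORD_HEADER):].encode(), password)
    if stored.startswith("{SSHA}"):
        return verify_ssha(stored, password)
    return False


if __name__ == "__main__":
    challenge = os.urandom(16)  # the NAS would send this as CHAP-Challenge
    attr = build_chap_password_attr(0x2A, b"correct-horse-battery-staple", challenge)
    print("alice via CHAP:", verify_chap("alice", attr, challenge))
    attr_bob = build_chap_password_attr(0x2A, b"bob-password", challenge)
    print("bob via CHAP:", verify_chap("bob", attr_bob, challenge), "(hash only)")
    print("bob via PAP:", verify_pap("bob", b"bob-password"))
```

The design consequence is worth stating: choosing CHAP (or MS-CHAP, which likewise needs a reversible NT hash) forces the directory to hold recoverable credentials, so the LDAP ACLs on userPassword and the bind identity FreeRADIUS uses become part of the security boundary of the whole hotspot.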

-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
Christophe Gravier
Sent: Donnerstag, 15. Dezember 2005 16:41
To: FreeRadius users mailing list
Subject: Re: Freeradius and LDAP : to be continued

Hello Edvin,

First, I received my email posted to the list several times in my mail 
client.
I highly hope this is not the case for all of you! (If it is, thunderbird 
didn't like to switch from the testing wireless network back to cable 
and vice versa, since they're all dated to the same hour....)
If you received only one mail, it is OK, just forget what I told ;-)

For what I am trying to do:
I have an existing LDAP directory with all users being able to connect 
to the wireless area.

The hotspot architecture is :

client <-> chillispot (login page served with apache2 + ssl) <-> 
freeradius <-> ldap.

I just want my ldap users being able to connect to the hotspot.

So, *at first*, I edited the conf file to let users be authenticated via 
LDAP.

This way, radtest was just OK but not ChilliSpot. When I reported it to 
the list, asking how radtest is different from chillispot login, Alan 
explained to me:
" You're using LDAP as an authentication server. Don't do that. Use LDAP 
to store passwords.
 i.e. remove the "ldap" entry from the "authenticate" section. Get 
radtest to work. Once that works, Chillispot will work, too."

So I removed "ldap" from authenticate (I left it in the authorize section 
though).

But it still doesn't solve the problem.

In the end, Alan proposed to hack rlm_ldap.c to "have it *never* set 
Auth-Type to LDAP. That would solve a lot of problems."

I just find it dirty to hack the radius then recompile to get ldap 
support :-(

If you're using LDAP for your users accessing the hotspot, would you 
please tell me how you achieve this?

Best Regards,

Seferovic Edvin wrote:

>Hello,
>
>I must admit, I have been reading this thread, but I still do not
>understand what Christophe is trying to accomplish. As far as I understand - you have
>your passwords in LDAP, and you only ( kind of ) need to authorize but NOT
>authenticate users that are in your LDAP directory.. 
>
>Please correct me...
>
>Regards,
>
>Edvin
>
>-----Original Message-----
>From: freeradius-users-bounces at lists.freeradius.org
>[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
>Christophe Gravier
>Sent: Donnerstag, 15. Dezember 2005 16:05
>To: FreeRadius users mailing list
>Subject: Re: Freeradius and LDAP : to be continued
>
>Phil Mayers wrote:
>
>  
>
>>Alan DeKok wrote:
>>
>>    
>>
>>><christophe.gravier at univ-st-etienne.fr> wrote:
>>>
>>>      
>>>
>>>>rlm_ldap: Adding userPassword as User-Password, value { & op=11
>>>>        
>>>>
>>>  That's better.
>>>
>>>      
>>>
>>>>modcall: group authorize returns ok for request 0
>>>>  rad_check_password:  Found Auth-Type LDAP
>>>>        
>>>>
>>>  Yuck.
>>>
>>>  My quick answer is to edit rlm_ldap.c to have it *never* set
>>>Auth-Type to LDAP.  That would solve a lot of problems.
>>>      
>>>
>>Interesting. I mentioned this to another querier the other day:
>>
>>
>>    
>>
>http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html
>  
>
>
>
>Argggg. You lost me.
>
>Still not working.
>I can't imagine I'm unable to make freeradius use LDAP passwords without 
>hacking it :-/
>
>  
>
>>What then would the authenticate section look like to use LDAP? 
>>Presumably something like:
>>
>>authenticate {
>>  Auth-Type PAP {
>>    ldap
>>  }
>>}
>>
>>...but of course then you get into what happens if you want 2 
>>different services in the same server, such as:
>>
>>authenticate {
>>  Auth-Type PAP-service1 {
>>    ldap1
>>  }
>>  Auth-Type PAP-service2 {
>>    ldap2
>>  }
>>  Auth-Type MSCHAP-service1 {
>>    mschap1
>>  }
>>  Auth-Type MSCHAP-service2 {
>>    mschap2
>>  }
>>}
>>
>>...etc. - nasty. Is it possible to do:
>>
>>authenticate {
>>  Huntgroup Service1 {
>>    Auth-Type PAP {
>>      ldap1
>>    }
>>    Auth-Type MSCHAP {
>>      mschap1
>>    }
>>  }
>>
>>  Huntgroup Service2 {
>>    Auth-Type PAP {
>>      ldap2
>>    }
>>    Auth-Type MSCHAP {
>>      mschap2
>>    }
>>  }
>>}
>>
>>...although "Realm" might make more sense than "Huntgroup" in 
>>understanding what I mean.
>>
>>There's also the possibility of wanting to use fallback:
>>
>>authenticate {
>>  Auth-Type PAP {
>>    ldap
>>    pap
>>  }
>>}
>>
>>...although I'm pretty sure you can do that with configurable failover 
>>and the above syntax is wrong.
>>- List info/subscribe/unsubscribe? See 
>>http://www.freeradius.org/list/users.html
>>
>>    
>>
>
>
>  
>


-- 
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html

