Freeradius and LDAP : to be continued
Phil Mayers
p.mayers at imperial.ac.uk
Thu Dec 15 19:10:02 CET 2005
Christophe Gravier wrote:
>>
> My passwords are not stored in LDAP in clear text but hashed using the SHA
> algorithm, so this won't work ;-(
Ok, let's take a breath. First things first:
If your passwords are in SHA (which they are) your Radius server will
ONLY be able to answer PAP requests.
The very first log you sent in this thread indicates you have ChilliSpot
set to use CHAP:
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
Cannot use "CHAP-Password".
modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
"Cannot use CHAP-Password" - indicates the request (from
ChilliSpot) came in with CHAP credentials.
First, fix that. See here:
http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html
Next, since you have SHA passwords and can only answer PAP, you have two
choices:
1. Extract the SHA password and add it to the config items, then
configure the Radius server's PAP module to check it:

    modules {
        pap {
            encryption_scheme = sha1
        }
        ldap {
            # settings go here
        }
    }
    authorize {
        preprocess
        ldap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
HOWEVER - this may not work. The "SHA" that your LDAP server uses may be
slightly different (salting, keying) than the SHA FreeRadius uses.
Much more likely to trip you up though, is when "ldap" matches in
authorize, it will set Auth-Type = LDAP, so you either need to disable
that or otherwise "make it work" and there are about 6 different ways of
doing that. The most obvious would be to replace the above with:
    modules { as before }
    authorize { as before }
    authenticate {
        Auth-Type LDAP {
            pap
        }
    }
But it might not work. Alternatively and probably simpler (but less
formally correct) is the 2nd method:
2. Configure the LDAP module to find the user, set Auth-Type==LDAP
then authenticate the user via simple bind:
    authorize {
        preprocess
        ldap
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }

...and assuming the "ldap" module is set up correctly, what will happen is:
A. authorize called
1. preprocess called
2. suffix realm called - no-op probably
3. files called - no-op probably but DO NOT SET Auth-Type
4. ldap called - search succeeds, and "Ldap-UserDN" is set, and
"Auth-Type" set to "LDAP"
B. authenticate called
1. Auth-Type == LDAP, so "ldap" called and simple bind performed
And it WILL WORK.
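To make concrete why a SHA-hashed LDAP password can only ever answer PAP, and why the "salting" caveat in method 1 matters, here is an added example (not code from the post, from ChilliSpot or from FreeRADIUS) of the two comparisons involved. It assumes the common RFC 2307 userPassword encodings, {SHA} = base64(sha1(pw)) and {SSHA} = base64(sha1(pw + salt) + salt), and the RFC 1994 CHAP/MD5 response; all passwords and salts below are constructed test values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed encoders for the two LDAP password formats discussed in the
# thread. A server whose PAP module only knows the unsalted form will fail
# against {SSHA} data, which is the "slightly different (salting)" caveat.


def make_sha(password: str) -> str:
    """Unsalted {SHA}: base64 of sha1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: base64 of sha1(password + salt) followed by the salt."""
    if salt is None:
        salt = os.urandom(4)  # assumption: 4-byte salt, as OpenLDAP uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ldap_password(stored: str, candidate: str) -> bool:
    """
    PAP check: the server receives the cleartext candidate, re-hashes it
    the way the directory did, and compares. This is possible because PAP
    hands the server the password itself.
    """
    cand = candidate.encode("utf-8")
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(raw, hashlib.sha1(cand).digest())
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    # Unknown or unsupported scheme: refuse rather than guess.
    return False


def chap_response(ident: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP/MD5 response: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + cleartext_password + challenge).digest()


def verify_chap(ident: int, challenge: bytes, response: bytes,
                cleartext_password: bytes) -> bool:
    """
    CHAP check: the server must recompute the client's response, and that
    needs the cleartext password as input. With only a {SHA}/{SSHA} value
    in the directory there is nothing to feed in, which is exactly the
    "Cannot use CHAP-Password" error quoted above.
    """
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    stored = make_ssha("s3cret", b"abcd")      # constructed directory entry
    print(stored, verify_ldap_password(stored, "s3cret"))
    chal = os.urandom(16)
    resp = chap_response(1, b"s3cret", chal)   # what a CHAP client would send
    print(verify_chap(1, chal, resp, b"s3cret"))
```

The PAP path works for both encodings only because the salt is recovered from the stored value; the CHAP path has no way to use the stored hash at all, so fixing ChilliSpot to send PAP is the prerequisite for either method in the post.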