Freeradius and LDAP : to be continued

christophe.gravier at univ-st-etienne.fr
Thu Dec 15 19:51:07 CET 2005


> Christophe Gravier wrote:
>>>
>> My passwords are not stored in LDAP in clear text but hashed using the SHA
>> algorithm, so this won't work ;-(
>
>
> Ok, let's take a breath.

Yes, I agree, that's why I quit for today ;-)

> First things first:
>
> If your passwords are in SHA (which they are) your Radius server will
> ONLY be able to answer PAP requests.

Haaaa, that explains why I'll never make it with CHAP.
I thought it would be able to get the plain text password, then use SHA to
match it against LDAP... But it seems PAP is required to do that
(regarding your method 1).
>
> The very first log you sent in this thread indicates you have
> ChilliSpot  set to use CHAP:
>
>
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
> Cannot use "CHAP-Password".
>  modcall[authenticate]: module "ldap" returns invalid for request 0
> modcall: group Auth-Type returns invalid for request 0
> auth: Failed to validate the user.
>
> '''"Cannot use "CHAP-Password"''' - indicates the request (from
> ChilliSpot) came in with CHAP credentials.
>
> First, fix that. See here:
>
> http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html
>

First thing I'll do back to work.

>
>
> Next, since you have SHA passwords and can only answer PAP, you have
> two choices:
>
>  1. Extract the SHA password and add it to the config items, then
> configure the Radius server's PAP module to check it:
>
> modules {
>   pap {
>     encryption_scheme = sha1
>   }
>   ldap {
>     # settings go here
>   }
> }
>
> authorize {
>   preprocess
>   ldap
> }
> authenticate {
>   Auth-Type PAP {
>     pap
>   }
> }
>
> HOWEVER - this may not work. The "SHA" that your LDAP server uses may
> be slightly different (salting, keying) than the SHA FreeRadius uses.
>
> Much more likely to trip you up though, is when "ldap" matches in
> authorize, it will set Auth-Type = LDAP, so you either need to disable
> that or otherwise "make it work" and there are about 6 different ways
> of doing that. The most obvious would be to replace the above with:
>
> modules { as before }
> authorize { as before }
> authenticate {
>   Auth-Type LDAP {
>     pap
>   }
> }
>
> But it might not work. Alternatively and probably simpler (but less
> formally correct) is the 2nd method:
>
>  2. Configure the LDAP module to find the user, set Auth-Type==LDAP
> then authenticate the user via simple bind:
>
> authorize {
>   preprocess
>   ldap
> }
> authenticate {
>   Auth-Type LDAP {
>     ldap
>   }
> }
>
> ...and assuming the "ldap" module is set up correctly, what will happen
> is:
>
> A. authorize called
>  1. preprocess called
>  2. suffix realm called - no-op probably
>  3. files called - no-op probably but DO NOT SET Auth-Type
>  4. ldap called - search succeeds, and "Ldap-UserDN" is set, and
> "Auth-Type" set to "LDAP"
>
> B. authenticate called
>  1. Auth-Type == LDAP, so "ldap" called and simple bind performed
>
> And it WILL WORK.

Thank you a lot, things are getting a little clearer now.
I will try these settings tomorrow morning, method 1 first and then method 2.

I am really thankful for the quality of your answer and the time you spent
writing it down.
Cheers,

Christophe.

> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
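The two points made above, that a SHA-hashed userPassword can answer PAP but never CHAP, and that "SHA" in the directory may really be salted SHA, are easy to see in code. The following is an added example written for this archive page; it is not code from the thread, from ChilliSpot or from FreeRADIUS. It models RFC 2307 style {SHA} and {SSHA} attribute values, a PAP check against both, and the CHAP computation from RFC 1994 / RFC 2865 section 5.3, which needs the cleartext on the server side. The user names, passwords, salt and CHAP challenge are constructed sample data.

```python
"""Why SHA-hashed LDAP passwords can answer PAP but not CHAP.

Added example, not from the mailing-list thread or from FreeRADIUS.
  * PAP: the request carries the cleartext password, so the server can hash
    it the same way the directory did ({SHA} or salted {SSHA}) and compare.
  * CHAP: the request carries only MD5(id || password || challenge), so the
    server must know the cleartext to recompute the response. A stored SHA
    digest cannot be turned back into that input.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional


def ldap_sha(password: str) -> str:
    """RFC 2307 style {SHA} value: base64(SHA1(password)), unsalted."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} value: base64(SHA1(password || salt) || salt); the salt rides along in clear."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def pap_check(stored: str, cleartext: str) -> bool:
    """Verify a PAP cleartext against a hashed userPassword.

    Handles unsalted {SHA} and salted {SSHA}. This is the "slightly different
    (salting)" caveat from the thread: a checker that only knows plain SHA1
    rejects every {SSHA} entry even when the password is right.
    """
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(cleartext.encode("utf-8")).digest()
    elif stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes, rest is salt
        actual = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(expected, actual)


def chap_response(chap_id: int, cleartext: str, challenge: bytes) -> bytes:
    """Client (NAS) side of CHAP: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + cleartext.encode("utf-8") + challenge).digest()


def chap_check(known_cleartext: Optional[str], chap_id: int,
               challenge: bytes, response: bytes) -> bool:
    """Server side of CHAP. Without the cleartext there is nothing to recompute."""
    if known_cleartext is None:
        return False
    return hmac.compare_digest(chap_response(chap_id, known_cleartext, challenge), response)


def demo() -> dict:
    """Run both checks against a constructed two-user directory."""
    # Constructed directory: alice stored as {SHA}, bob as {SSHA} with a fixed salt.
    directory = {
        "alice": ldap_sha("correct horse"),
        "bob": ldap_ssha("battery staple", salt=b"\x01\x02\x03\x04"),
    }
    challenge = b"\x00" * 16  # fixed so the run is reproducible; a real NAS picks a random one
    results = {
        "pap_sha_ok": pap_check(directory["alice"], "correct horse"),
        "pap_sha_wrong": pap_check(directory["alice"], "wrong"),
        "pap_ssha_ok": pap_check(directory["bob"], "battery staple"),
        # What a plain-SHA1 comparison would conclude about bob's salted entry:
        "plain_sha1_matches_ssha": ldap_sha("battery staple") == directory["bob"],
    }
    # CHAP: the NAS sends only the response; the RADIUS server holds only a hash.
    resp = chap_response(7, "correct horse", challenge)
    results["chap_with_cleartext"] = chap_check("correct horse", 7, challenge, resp)
    results["chap_with_hash_only"] = chap_check(None, 7, challenge, resp)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two false results in demo() are the thread's two lessons: chap_with_hash_only is why the log said "Cannot use CHAP-Password", and plain_sha1_matches_ssha is why `encryption_scheme = sha1` in the pap module may still reject valid users when the directory actually stores {SSHA}. Method 2 (a simple LDAP bind with the PAP cleartext) sidesteps the second problem because the directory does the comparison itself.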
