Freeradius and LDAP : to be continued
Christophe Gravier
christophe.gravier at univ-st-etienne.fr
Fri Dec 16 10:42:10 CET 2005
Phil Mayers wrote:
> Christophe Gravier wrote:
>
>>>
>> My passwords are not stored in LDAP in clear text but hashed using the SHA
>> algorithm, so this won't work ;-(
>
>
>
> Ok, let's take a breath. First things first:
>
> If your passwords are in SHA (which they are) your Radius server will
> ONLY be able to answer PAP requests.
>
> The very first log you sent in this thread indicates you have
> ChilliSpot set to use CHAP:
>
>
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
> Cannot use "CHAP-Password".
> modcall[authenticate]: module "ldap" returns invalid for request 0
> modcall: group Auth-Type returns invalid for request 0
> auth: Failed to validate the user.
>
> "Cannot use "CHAP-Password"" - indicates the request (from
> ChilliSpot) came in with CHAP credentials.
>
> First, fix that. See here:
>
> http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html
>
>
>
> Next, since you have SHA passwords and can only answer PAP, you have
> two choices:
>
> 1. Extract the SHA password and add it to the config items, then
> configure the Radius server's PAP module to check it:
>
> modules {
>     pap {
>         encryption_scheme = sha1
>     }
>     ldap {
>         # settings go here
>     }
> }
>
> authorize {
>     preprocess
>     ldap
> }
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
> }
>
> HOWEVER - this may not work. The "SHA" that your LDAP server uses may
> be slightly different (salting, keying) than the SHA FreeRadius uses.
>
> Much more likely to trip you up though, is when "ldap" matches in
> authorize, it will set Auth-Type = LDAP, so you either need to disable
> that or otherwise "make it work" and there are about 6 different ways
> of doing that. The most obvious would be to replace the above with:
>
> modules { as before }
> authorize { as before }
> authenticate {
>     Auth-Type LDAP {
>         pap
>     }
> }
>
I want to make "set Auth-Type = LDAP" work by making this Auth-Type
use the pap configuration (correct me if I'm wrong).
I followed what you advised:
- configure chilli uamsecret and uampassword
- put the pap configuration in the modules section
- check the ldap configuration in modules
- put ldap in authorize
- put Auth-Type LDAP { pap } in authenticate.
Now things go through pap indeed, but I'm told:
rlm_pap: No password (or empty password) to check against for for user
gravier.christophe
I think I totally misunderstood your sentence: "Extract the SHA password
and add it to the config items". I thought it meant adding the mapping
"checkItem User-Password userPassword" in ldap.attrmap (where
userPassword is my attribute for the SHA password). As it didn't work I used
the "password_attribute" conf entry in the ldap configuration (modules
section), but as I expected it has the same consequence.
Could you please be more precise about the extraction of the SHA password?
Is there an additional conf entry for pap in the modules section?
Here is the complete trace:
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter
(uid=gravier.christophe)
rlm_ldap: checking if remote access for gravier.christophe is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "gravier.christophe", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by "gravier.christophe" with password < here the
trace prints my password in plain text, is that normal? >
rlm_pap: No password (or empty password) to check against for for user
gravier.christophe
modcall[authenticate]: module "pap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
> But it might not work. Alternatively and probably simpler (but less
> formally correct) is the 2nd method:
>
> 2. Configure the LDAP module to find the user, set Auth-Type==LDAP
> then authenticate the user via simple bind:
>
> authorize {
>     preprocess
>     ldap
> }
> authenticate {
>     Auth-Type LDAP {
>         ldap
>     }
> }
>
> ...and assuming the "ldap" module is set up correctly, what will
> happen is:
>
> A. authorize called
> 1. preprocess called
> 2. suffix realm called - no-op probably
> 3. files called - no-op probably but DO NOT SET Auth-Type
> 4. ldap called - search succeeds, and "Ldap-UserDN" is set, and
> "Auth-Type" set to "LDAP"
>
> B. authenticate called
> 1. Auth-Type == LDAP, so "ldap" called and simple bind performed
>
> And it WILL WORK.
>
--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - PhD student
ISTASE - Research engineer
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel: 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
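The two points Phil makes in the thread (a SHA-hashed directory can answer PAP but not CHAP, and the LDAP server's "SHA" may be salted and so differ from a plain SHA1) can be checked outside FreeRADIUS. The following is an added example, not code from the thread or from the FreeRADIUS project: it builds RFC 2307 style userPassword values ({SHA} and {SSHA}) for a constructed sample password, verifies a PAP-style cleartext candidate against each, and shows that an RFC 1994 CHAP response can only be recomputed when the stored value is cleartext. The scheme prefixes and digest layouts follow RFC 2307 and common OpenLDAP practice; the sample password, salt and challenge are constructed here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password (not from the thread).
SAMPLE_PASSWORD = "correct horse"


def make_sha(password: str) -> str:
    """Unsalted {SHA}: '{SHA}' + base64(SHA1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: '{SSHA}' + base64(SHA1(password || salt) || salt).
    A 4-byte random salt is used when none is supplied (OpenLDAP default size)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_userpassword(stored: str, candidate: str) -> bool:
    """PAP-style check: the client sent the cleartext 'candidate', the server
    hashes it the same way the directory did and compares the digests.
    This is the check that 'encryption_scheme = sha1' only covers for the
    unsalted {SHA} form; {SSHA} needs the salt that trails the digest."""
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode()).digest())
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = blob[:20], blob[20:]  # SHA1 digest is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())
    if stored.startswith("{"):
        raise ValueError("unsupported userPassword scheme: " + stored.split("}")[0] + "}")
    # No scheme prefix: the directory holds cleartext.
    return hmac.compare_digest(stored.encode(), candidate.encode())


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: response = MD5(id || secret || challenge).
    The client computes this from the cleartext secret it knows."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def verify_chap(stored: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """Server-side CHAP check. Recomputing the MD5 needs the cleartext secret,
    so a hashed userPassword cannot be used at all; this is the situation
    behind 'Cannot use "CHAP-Password"' in the thread's first log."""
    if stored.startswith("{"):
        return False  # only a hash is stored; the CHAP digest cannot be rebuilt
    expected = chap_response(chap_id, stored, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    sha_value = make_sha(SAMPLE_PASSWORD)
    ssha_value = make_ssha(SAMPLE_PASSWORD)
    print(sha_value, verify_userpassword(sha_value, SAMPLE_PASSWORD))
    print(ssha_value, verify_userpassword(ssha_value, SAMPLE_PASSWORD))
    challenge = os.urandom(16)  # constructed challenge for the demo
    resp = chap_response(7, SAMPLE_PASSWORD, challenge)
    print("CHAP with cleartext store:", verify_chap(SAMPLE_PASSWORD, 7, challenge, resp))
    print("CHAP with {SHA} store:", verify_chap(sha_value, 7, challenge, resp))
```

Running the block prints a passing PAP check for both the {SHA} and {SSHA} values and a passing CHAP check only for the cleartext store; the {SHA} store fails CHAP regardless of the response. The {SSHA} branch is the "salting" caveat from the thread made concrete: an unsalted SHA1 of the candidate never matches a salted digest, so the server must know the directory's actual scheme, not just "SHA".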