How to use different ldap-modules?
Florian Prester
Florian.Prester at rrze.uni-erlangen.de
Thu Jun 23 08:33:16 CEST 2005
Alan DeKok wrote:
> Florian Prester <Florian.Prester at rrze.uni-erlangen.de> wrote:
>> 1.) PAP is just the clear-text password???
>
> Yes.
>
>> -> I thought pap is hashing the password with a challenge (MD-5).
>
> Stop worrying about it. PAP is the clear-text password.
>
Got it now, thanks!
>> So I want the server to hold a crypted Password (MD-5) for PAP, but
>> retrieve that from the ldap server.
>
> If the LDAP server has a clear-text password for MS-CHAP, you might
> as well use it for PAP. Trying to make PAP use a crypt'd password is
> a waste of time, and doesn't gain anything.
>
OK, now I found the mistake:
1.) my head
2.) pap-section: was set to crypt!!!
>> 2.) I do not want to do any binding to the ldap for authentication!
>
> So... don't list "ldap" in the "authenticate" section.
>
Sorry, but I do not list ldap in the "authenticate" section!
radiusd.conf:
authenticate {
    #
    # PAP authentication, when a back-end database listed
    # in the 'authorize' section supplies a password. The
    # password can be clear-text, or encrypted.
    Auth-Type PAP {
        pap
    }
    #
    # Most people want CHAP authentication
    # A back-end database listed in the 'authorize' section
    # MUST supply a CLEAR TEXT password. Encrypted passwords
    # won't work.
    Auth-Type CHAP {
        chap
    }
    #
    # MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }
    #
    # If you have a Cisco SIP server authenticating against
    # FreeRADIUS, uncomment the following line, and the 'digest'
    # line in the 'authorize' section.
    # digest
    #
    # Pluggable Authentication Modules.
    # pam
    #
    # See 'man getpwent' for information on how the 'unix'
    # module checks the users password. Note that packets
    # containing CHAP-Password attributes CANNOT be authenticated
    # against /etc/passwd! See the FAQ for details.
    #
    # unix
    #
    # Uncomment it if you want to use ldap for authentication
    #
    # Note that this means "check plain-text password against
    # the ldap database", which means that EAP won't work,
    # as it does not supply a plain-text password.
    # Auth-Type LDAP {
    #     ldap
    # }
    #
    # Allow EAP authentication.
    eap
}
LOG:
rad_recv: Access-Request packet from host 131.188.78.116:1967, id=58, length=47
        User-Name = "unrz148"
        User-Password = "unrz148"
Thu Jun 23 08:25:36 2005 : Debug: Processing the authorize section of radiusd.conf
Thu Jun 23 08:25:36 2005 : Debug: modcall: entering group authorize for request 10
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 10
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 10
Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "preprocess" returns ok for request 10
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 10
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 10
Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "chap" returns noop for request 10
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 10
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 10
Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "mschap" returns noop for request 10
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 10
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: - authorize
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: performing user authorization for unrz148
Thu Jun 23 08:25:36 2005 : Debug: radius_xlat: '(Userid=unrz148)'
Thu Jun 23 08:25:36 2005 : Debug: radius_xlat: 'ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE'
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: performing search in ou=AAAuser,o=Universitaet Erlangen-Nuernberg,c=DE, with filter (Userid=unrz148)
request 12 done
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: checking if remote access for unrz148 is allowed by uid
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: looking for check items in directory...
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: Adding fauUserid as Password, value unrz148 & op=21
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: Adding ntPassword as NT-Password, value 925B509D0BD4D37992897EEEC91072C1 & op=21
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: Adding lmPassword as LM-Password, value AC8398A336F64627FDCFC2AFB2D1BE34 & op=21
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: looking for reply items in directory...
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: user unrz148 authorized to use remote access
Thu Jun 23 08:25:36 2005 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from ldap (rlm_ldap) for request 10
Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "ldap" returns ok for request 10
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 10
Thu Jun 23 08:25:36 2005 : Debug: rlm_eap: No EAP-Message, not doing EAP
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 10
Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "eap" returns noop for request 10
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 10
Thu Jun 23 08:25:36 2005 : Debug: rlm_realm: No '@' in User-Name = "unrz148", looking up realm NULL
Thu Jun 23 08:25:36 2005 : Debug: rlm_realm: No such realm "NULL"
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 10
Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "suffix" returns noop for request 10
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: calling files (rlm_files) for request 10
Thu Jun 23 08:25:36 2005 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 10
Thu Jun 23 08:25:36 2005 : Debug: modcall[authorize]: module "files" returns notfound for request 10
Thu Jun 23 08:25:36 2005 : Debug: modcall: group authorize returns ok for request 10
Thu Jun 23 08:25:36 2005 : Debug: rad_check_password: Found Auth-Type LDAP    <<<< Where does this come from? # I use the NTRadPing Test Utility
Thu Jun 23 08:25:36 2005 : Debug: auth: type "LDAP"
Thu Jun 23 08:25:36 2005 : Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
Thu Jun 23 08:25:36 2005 : Debug: auth: Failed to validate the user.
Thu Jun 23 08:25:36 2005 : Auth: Login incorrect: [unrz148/unrz148] (from client Windows port 0)
Thu Jun 23 08:25:36 2005 : Debug: Delaying request 10 for 1 seconds
Thu Jun 23 08:25:36 2005 : Debug: Finished request 10
Thu Jun 23 08:25:36 2005 : Debug: Going to the next request
Thu Jun 23 08:25:36 2005 : Debug: --- Walking the entire request list ---
Thu Jun 23 08:25:36 2005 : Debug: Waking up in 1 seconds...
Thu Jun 23 08:25:37 2005 : Debug: --- Walking the entire request list ---
Thu Jun 23 08:25:37 2005 : Debug: Waking up in 1 seconds...
Thu Jun 23 08:25:38 2005 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 58 to 131.188.78.116:1967
Thu Jun 23 08:25:38 2005 : Debug: Waking up in 1 seconds...
Thu Jun 23 08:25:39 2005 : Debug: --- Walking the entire request list ---
Thu Jun 23 08:25:39 2005 : Debug: Cleaning up request 9 ID 57 with timestamp 42ba55dd
>> 3.) For authentication I want to provide PAP, CHAP, and PEAP+TLS using
>> MsCHAPv2.
>>
>> How can I do that? If I use the radiusd.conf as it comes, the radius
>> wants to use ldap for authentication.
>
> No, it doesn't. The default radiusd.conf doesn't use ldap at *all*.
>
>> authenticate {
>> ...
>>     ldap {
>>         pap
>>     }
>
> WTF? Don't do that!
>
> Alan DeKok.
--
--------------------------------------------------------------
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany
Tel.: +499131 8527813
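A diagnostic for the failure the debug log in this mail shows, added here as an example and not code from the thread or from FreeRADIUS: the log reports "Found Auth-Type LDAP" after the authorize pass, but the only Auth-Type LDAP block in the authenticate section is commented out, so the server logs "Unknown value specified for Auth-Type" and sends an Access-Reject. The script reads a radiusd.conf and a debug log and lists every Auth-Type that was selected but has no active block; the sample config and log lines are constructed from the post.

```python
import re

# Constructed sample (after the posted config): the authenticate
# section with the "Auth-Type LDAP" block still commented out.
RADIUSD_CONF = """
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # Auth-Type LDAP {
    #     ldap
    # }
    eap
}
"""

# Constructed sample: the debug lines from the post that show the failure.
DEBUG_LOG = """
Thu Jun 23 08:25:36 2005 : Debug: rad_check_password: Found Auth-Type LDAP
Thu Jun 23 08:25:36 2005 : Debug: ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
"""

AUTH_TYPE_DEF = re.compile(r"^\s*Auth-Type\s+(\S+)\s*\{")
AUTH_TYPE_FOUND = re.compile(r"Found Auth-Type\s+(\S+)")

def defined_auth_types(conf_text):
    """Active Auth-Type blocks inside authenticate { }; comments are stripped first."""
    types, depth = set(), 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]  # a commented-out block defines nothing
        if depth == 0:
            if re.match(r"^\s*authenticate\s*\{", line):
                depth = 1
            continue
        m = AUTH_TYPE_DEF.match(line)
        if m:
            types.add(m.group(1).upper())
        depth += line.count("{") - line.count("}")
        if depth == 0:
            break  # closing brace of the authenticate section
    return types

def unhandled_auth_types(conf_text, log_text):
    """Auth-Types selected in authorize (per the log) with no matching authenticate block."""
    requested = {m.group(1).upper() for m in AUTH_TYPE_FOUND.finditer(log_text)}
    return sorted(requested - defined_auth_types(conf_text))
```

Uncommenting the Auth-Type LDAP block (or stopping the module that sets it) makes the check return an empty list.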