Freeradius-Users Digest, Vol 23, Issue 13
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Tue Mar 6 11:48:55 CET 2007
> On 5/3/2007, "Tim Tyler" <tyler at beloit.edu> wrote:
>
>> Freeradius experts,
>> I am trying to configure freeradius to use openldap as a backend
>> for authentication, but I can't seem to get the passwords to
>> authenticate. It seems to have no problem binding and finding the
>> username (uid). I am using crypt passwords in the ldap userPassword field:
>> userPassword:: e1NTSEF9aXBWQklEYnZYSU9RdWl2V0ZtdGR5MWxIWFFsZWVCMjQ=
>>
>> I am not using any radius attributes. I simply want to allow any
>> uid to authenticate. I get these results:
>>
>> rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59
>> User-Name = "tylertj"
>> User-Password = "xxxxxx"
>> NAS-IP-Address = 255.255.255.255
>> NAS-Port = 1812
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for tylertj
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: (re)connect to ldap.beloit.edu:389, authentication 0
>> rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/cacert.cer
>> rlm_ldap: starting TLS
>> rlm_ldap: bind as / to ldap.beloit.edu:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user tylertj authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59
>> Sending Access-Reject of id 60 to 144.89.40.8:59881
>>
>>
>> What might I be doing wrong? I presume that the ldap server
>> doesn't have to store the passwords in plain text, correct? I can
>> store them in md5 or SHA1 hash if I want, correct? I did uncomment:
>>
>> authenticate {
>>     Auth-Type LDAP {
>>         ldap
>>     }
>> }
>>
>> Am I wrong to think this is now a password issue?
>> Tim
>>
>> Tim Tyler
>> Network Engineer - Beloit College
>> tyler at beloit.edu
>>
You need to prefix your crypt password with {crypt}, else LDAP won't
know which hashing scheme you're using, and when you attempt a v3 bind
it'll treat your crypted password as plaintext.
Also, in order to use crypted passwords you'll need an authentication
mechanism that supports reversible encryption, like PAP or GTC.
--
Arran Cudbard-Bell (ac221 at sussex.ac.uk)
Authentication Authorisation & Accounting Officer
University of Sussex | Infrastructure Services
++441273873900/ext:3900
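The scheme-prefix point above can be checked offline. The following script is an added example for this thread, not FreeRADIUS or OpenLDAP code; it assumes RFC 2307-style {SCHEME} tags ({SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, compared case-insensitively) and the LDIF rule that "attr:: value" carries a base64-encoded value. It parses the userPassword line quoted in the question to show which scheme tag that value actually carries, then uses constructed entries to show that the same hash stored without its tag is compared as cleartext and therefore never matches the real password. The function names (parse_ldif_userpassword, split_scheme, make_ssha, verify, demo) are this example's own.

```python
"""Inspect LDAP userPassword values the way an LDAP server does on a simple
bind: the {SCHEME} prefix decides how the stored value is compared.

Added example for this thread, not FreeRADIUS or OpenLDAP code.  It assumes
RFC 2307-style scheme prefixes ({SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}) and
the LDIF convention that 'attr:: value' carries a base64-encoded value."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def parse_ldif_userpassword(line: str) -> bytes:
    """Return the raw attribute value from an LDIF 'userPassword' line."""
    attr, _, value = line.partition(":")
    if attr.strip().lower() != "userpassword":
        raise ValueError("not a userPassword line")
    value = value.strip()
    if value.startswith(":"):            # 'userPassword:: <base64>'
        return base64.b64decode(value[1:].strip())
    return value.encode()


def split_scheme(stored: bytes):
    """Return (scheme, payload).  scheme is None when there is no {SCHEME}
    prefix, in which case the server treats the value as cleartext."""
    m = SCHEME_RE.match(stored.decode("latin-1"))
    if not m:
        return None, stored
    return m.group(1).upper(), m.group(2).encode("latin-1")


def make_ssha(password: str, salt: Optional[bytes] = None) -> bytes:
    """Build a {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify(stored: bytes, candidate: str) -> bool:
    """Compare a candidate password with a stored userPassword value,
    following the scheme prefix (or cleartext when none is present)."""
    scheme, payload = split_scheme(stored)
    pw = candidate.encode()
    if scheme is None:                   # no prefix: byte-for-byte compare
        return hmac.compare_digest(payload, pw)
    if scheme == "CRYPT":                # needs the platform crypt(3)
        try:
            import crypt                 # removed from Python 3.13
        except ImportError as e:
            raise RuntimeError("{CRYPT} values need crypt(3)") from e
        ref = payload.decode()
        return hmac.compare_digest(crypt.crypt(candidate, ref), ref)
    if scheme in ("SHA", "SSHA", "MD5", "SMD5"):
        raw = base64.b64decode(payload)
        algo = "sha1" if scheme.endswith("SHA") else "md5"
        dlen = hashlib.new(algo).digest_size
        salt = raw[dlen:] if scheme in ("SSHA", "SMD5") else b""
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), raw[:dlen])
    raise ValueError(f"unsupported scheme {{{scheme}}}")


def demo() -> dict:
    """Constructed cases showing why a missing prefix breaks the bind."""
    # The LDIF line quoted in the thread; its base64 payload carries its own
    # scheme prefix, which split_scheme() recovers.
    quoted = "userPassword:: e1NTSEF9aXBWQklEYnZYSU9RdWl2V0ZtdGR5MWxIWFFsZWVCMjQ="
    quoted_scheme, _ = split_scheme(parse_ldif_userpassword(quoted))

    good = make_ssha("secret", salt=b"\x01\x02\x03\x04")   # constructed entry
    no_prefix = good[len(b"{SSHA}"):]   # same hash stored without its tag
    return {
        "quoted_scheme": quoted_scheme,
        "ssha_ok": verify(good, "secret"),
        "ssha_wrong": verify(good, "wrong"),
        "untagged_hash_rejects_password": verify(no_prefix, "secret"),
        "cleartext_ok": verify(b"secret", "secret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Every branch of verify() needs the candidate password in the clear to run it through the stored scheme, which is the reason behind the second remark above: the RADIUS side has to use a method that delivers the cleartext password to the server (PAP, or GTC inside a TLS tunnel) rather than a challenge-response method that only ever sees a hash of it.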