Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

David W Bell david at chaoscrypt.com
Wed Feb 13 15:35:32 CET 2008


David W Bell wrote:
> Ranner, Frank MR wrote:
>> UNCLASSIFIED
>>
>>  
>>> Config as requested - I did uncomment and configure the identity section
>>> - is this not required?
>>>
>>>         ldap {
>>>                 #
>>>                 #  Note that this needs to match the name in the LDAP
>>>                 #  server certificate, if you're using ldaps.
>>>                 server = "localhost"
>>>                 identity = "cn=Administrator,dc=dxi,dc=net"
>>>                 password = trPic4n03
>>>                 basedn = "dc=dxi,dc=net"
>>>                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>>>                 #base_filter = "(objectclass=radiusprofile)"
>>>
>>>                 #  How many connections to keep open to the LDAP server.
>>>                 #  This saves time over opening a new LDAP socket for
>>>                 #  every authentication request.
>>>                 ldap_connections_number = 5
>>>
>>>                 # seconds to wait for LDAP query to finish. default: 20
>>>                 timeout = 4
>>>
>>>                 #  seconds LDAP server has to process the query (server-side
>>>                 #  time limit). default: 20
>>>                 #
>>>                 #  LDAP_OPT_TIMELIMIT is set to this value.
>>>                 timelimit = 3
>>>
>>>                 #
>>>                 #  seconds to wait for response of the server. (network
>>>                 #   failures) default: 10
>>>                 #
>>>                 #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
>>>                 net_timeout = 1
>>>                 tls {
>>>                         # Set this to 'yes' to use TLS encrypted connections
>>>                         # to the LDAP database by using the StartTLS extended
>>>                         # operation.
>>>                         #
>>>                         # The StartTLS operation is supposed to be
>>>                         # used with normal ldap connections instead of
>>>                         # using ldaps (port 636) connections
>>>                         start_tls = no
>>>
>>>                         # cacertfile    = /path/to/cacert.pem
>>>                         # cacertdir             = /path/to/ca/dir/
>>>                         # certfile              = /path/to/radius.crt
>>>                         # keyfile               = /path/to/radius.key
>>>                         # randfile              = /path/to/rnd
>>>
>>>                         #  Certificate Verification requirements.  Can be:
>>>                         #    "never" (don't even bother trying)
>>>                         #    "allow" (try, but don't fail if the certificate
>>>                         #               can't be verified)
>>>                         #    "demand" (fail if the certificate doesn't verify.)
>>>                         #
>>>                         #       The default is "allow"
>>>                         # require_cert  = "demand"
>>>                 }
>>>
>>>                 # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>>>                 # profile_attribute = "radiusProfileDn"
>>>                 # access_attr = "dialupAccess"
>>>
>>>                 # Mapping of RADIUS dictionary attributes to LDAP
>>>                 # directory attributes.
>>>                 dictionary_mapping = ${confdir}/ldap.attrmap
>>>
>>>                 #  Set password_attribute = nspmPassword to get the
>>>                 #  user's password from a Novell eDirectory
>>>                 #  backend. This will work ONLY IF FreeRADIUS has been
>>>                 #  built with the --with-edir configure option.
>>>                 #
>>>                 # password_attribute = userPassword
>>
> Thanks for the tip - tried it and it didn't work
>
> Worth a try though - so thanks
>
> David
>
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for belld
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
>        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>        expand: dc=dxi,dc=net -> dc=dxi,dc=net
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
> rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user belld authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
>  rad_check_password:  Found Auth-Type
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"               !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> auth: type "PAP"
> +- entering group PAP
> rlm_pap: login attempt with password "p455w0rd"
> rlm_pap: Using clear text password "{crypt}e/2iGeomYrGLo"
> rlm_pap: Passwords don't match
> ++[pap] returns reject
> auth: Failed to validate the user.
> Login incorrect (rlm_pap: CLEAR TEXT password check failed): [belld/p455w0rd] (from client 212.95.252.25 port 0)
>  Found Post-Auth-Type Reject
> +- entering group REJECT
>        expand: %{User-Name} -> belld
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 17 to 212.95.252.25 port 32116
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 17 with timestamp +3
> Ready to process requests.
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
Looking at this, it seems that the LDAP record is holding the password 
with a certain encryption, and that RADIUS needs to be told to encrypt 
the password it has been passed in that format.

Does anyone know what the LDAP encryption would be, and how to influence 
RADIUS's treatment of the password?

David

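What the debug output actually shows, as an added example that is not part of the original post and not FreeRADIUS code: rlm_ldap copied the raw directory value `{crypt}e/2iGeomYrGLo` into User-Password, rlm_pap treated it as the cleartext "known good" password, and the check reduced to the string comparison `"p455w0rd" == "{crypt}e/2iGeomYrGLo"`, which can never succeed. The value is an RFC 2307 style scheme-prefixed hash (here a Unix crypt(3) hash, as OpenLDAP writes it by default), so the verifier has to split off the `{scheme}` header and hash the candidate the same way before comparing. The block below does that dispatch in Python for the common OpenLDAP schemes; the `{SSHA}` and `{SHA}` values it verifies are constructed inside the block, and the `{crypt}` value is taken from the log only to reproduce the naive comparison failing. In FreeRADIUS 2.x the equivalent is to set `password_attribute = userPassword` in the ldap module, or to enable `auto_header` in the pap module, so the server classifies the header into Crypt-Password, SSHA-Password and friends itself.

```python
"""Scheme-aware check of an LDAP userPassword value (added example).

Shows why a cleartext comparison against "{crypt}..." must fail and what a
header-aware verifier does instead.  Python's crypt module is optional here:
it is deprecated in 3.11 and removed in 3.13, so the {CRYPT} branch degrades
to an explicit error rather than a silent False.
"""
import base64
import hashlib
import hmac
import os

try:
    import crypt as _crypt  # provides crypt(3); may be absent on new Pythons
except ImportError:
    _crypt = None

# Constructed inputs: the value and attempt seen in the debug log above.
LOG_VALUE = "{crypt}e/2iGeomYrGLo"
LOG_ATTEMPT = "p455w0rd"


def split_scheme(stored: str):
    """Split '{SCHEME}payload' into ('SCHEME', 'payload'); no prefix means cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return "CLEARTEXT", stored


def naive_cleartext_compare(stored: str, candidate: str) -> bool:
    """Exactly what the log shows rlm_pap doing: stored value taken as cleartext."""
    return hmac.compare_digest(stored.encode(), candidate.encode())


def verify(stored: str, candidate: str) -> bool:
    """Hash the candidate per the stored value's scheme, then compare in constant time."""
    scheme, payload = split_scheme(stored)
    pw = candidate.encode()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode(), pw)
    if scheme == "CRYPT":
        if _crypt is None:
            raise NotImplementedError("crypt(3) is not available in this Python")
        # crypt(3) takes the stored hash as its salt argument and re-derives it
        return hmac.compare_digest(_crypt.crypt(candidate, payload), payload)
    if scheme in ("SHA", "MD5"):
        algo = "sha1" if scheme == "SHA" else "md5"
        digest = hashlib.new(algo, pw).digest()
        return hmac.compare_digest(base64.b64decode(payload), digest)
    if scheme in ("SSHA", "SMD5"):
        # salted form: base64( digest(pw || salt) || salt )
        algo = "sha1" if scheme == "SSHA" else "md5"
        raw = base64.b64decode(payload)
        dlen = hashlib.new(algo).digest_size
        digest, salt = raw[:dlen], raw[dlen:]
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    raise ValueError("unsupported userPassword scheme {%s}" % scheme)


def make_ssha(password: str, salt: bytes = None) -> str:
    """Build an OpenLDAP-style {SSHA} value; salt is random unless given."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_sha(password: str) -> str:
    """Build an unsalted {SHA} value, as slappasswd -h {SHA} would."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


if __name__ == "__main__":
    print("naive compare, as in the log:", naive_cleartext_compare(LOG_VALUE, LOG_ATTEMPT))
    ssha = make_ssha(LOG_ATTEMPT)
    print(ssha, "ok:", verify(ssha, LOG_ATTEMPT), "wrong:", verify(ssha, "wrong"))
```

The unsalted `{SHA}` and `{MD5}` schemes and DES crypt are kept only because that is what directories of this era hand out; anything you provision today should use `{SSHA}` or a modern crypt variant, and the scheme header should drive the choice of RADIUS attribute, never be compared as part of the password.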



More information about the Freeradius-Users mailing list