[Fwd: LDAP CHAP born again]

Ryan Setiawan H ryan.setiawan at banknisp.com
Wed Jul 2 03:58:03 CEST 2008


Hi Alan, thanks for your reply

Alan Dekok wrote :
>  If the LDAP server gives FreeRADIUS the clear-text password, then CHAP
> should work.

Yes, the LDAP server already gave the clear-text password; you can see it in the debug below.

>> rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30,
>> length=48
>>
>>       User-Name = "testing"
>>       CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f
>> ------------cut--------------.
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter
>> (uid=testing)
>> rlm_ldap: checking if remote access for testing is allowed by dialupAccess
>> rlm_ldap: Password header not found in password Testing1 for user testing
>
>  And does CHAP work for this user?

No... what I mean is that the ldap module (rlm_ldap) could see the password for user testing.... that is Testing1 (yes, this is the password).
The LDAP module should pass this clear-text password (Testing1) to the CHAP module to authenticate.

>> also there is a clue
>> where parameters like
>> password_header = "{clear}"
>> password_attribute = userPassword
>> password_radius_attribute = "User-Password"
>> must be set.... but how?
>
>  in the "ldap" section of radiusd.conf, where the LDAP parameters are
>configured.

Yes, I've configured those strings in the ldap section of radiusd.conf...
For password_attribute, clearly it must contain userPassword (the attribute in which the LDAP server keeps the password),
but how about password_radius_attribute? From the FAQ, password_radius_attribute is the RADIUS attribute where the user password will be stored after being extracted from LDAP.
Should password_radius_attribute contain the string "User-Password" or "Clear-text Password" or maybe "CHAP-Password"? What attribute does CHAP read for authentication?

>> I'm still trying to read the code (like rlm_chap.c) to see what
>> attribute rlm_chap reads for the password that was passed by the
>> ldap module, but it is so arcane and "debugging code is twice as hard as
>> writing the code in the first place"
>
>  Don't read the code.  It won't help you.

Yeah... it's killing me (the code) :D

>> anyone has solution for this matter?
>
>  Try installing 2.0.5 in a separate directory and configuring it.  Odds
>are it will work.

In time I will try to install it, but if I can't get this (LDAP CHAP) clear... I will definitely encounter the same problem again :)

Thank You
Ryan Setiawan H
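Added example, not part of the thread and not FreeRADIUS source: what the CHAP check effectively amounts to once the clear-text password from LDAP is available to the server, written in Python. The 16-byte challenge, the "{clear}" header handling and the helper names are constructed assumptions; the CHAP identifier 0x30 and the password Testing1 are the values from the debug above.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): a 16-byte CHAP challenge.
# In RADIUS the challenge is the CHAP-Challenge attribute or, when that is
# absent (as in the debug above), the 16-byte Request Authenticator.
SAMPLE_CHALLENGE = bytes(range(0x10, 0x20))
SAMPLE_CHAP_ID = 0x30  # first byte of the CHAP-Password value in the debug


def strip_password_header(stored: str, header: str = "{clear}") -> str:
    """Model rlm_ldap's password_header handling: drop a matching header
    ("{clear}Testing1" -> "Testing1"); a bare value is used unchanged."""
    if header and stored.startswith(header):
        return stored[len(header):]
    return stored


def chap_response(chap_id: int, cleartext: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + cleartext.encode() + challenge).digest()


def build_chap_password(chap_id: int, cleartext: str, challenge: bytes) -> bytes:
    """What a NAS sends as RADIUS CHAP-Password: ident byte + 16-byte response."""
    return bytes([chap_id]) + chap_response(chap_id, cleartext, challenge)


def verify_chap(chap_password: bytes, stored_ldap_value: str, challenge: bytes,
                header: str = "{clear}") -> bool:
    """Server side: recompute the response from the clear-text password the
    LDAP lookup supplied and compare in constant time. Only a clear-text value
    can work here; a hashed userPassword (e.g. {SSHA}...) cannot answer CHAP."""
    if len(chap_password) != 17:
        return False
    cleartext = strip_password_header(stored_ldap_value, header)
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


if __name__ == "__main__":
    pkt = build_chap_password(SAMPLE_CHAP_ID, "Testing1", SAMPLE_CHALLENGE)
    print("CHAP-Password =", "0x" + pkt.hex())
    print("valid:", verify_chap(pkt, "{clear}Testing1", SAMPLE_CHALLENGE))
    print("wrong password:", verify_chap(pkt, "{clear}Testing2", SAMPLE_CHALLENGE))
```

The point for the configuration question in the mail: whatever attribute name rlm_ldap stores the extracted value under, CHAP can only succeed if that value is the clear-text password, which is why a hashed userPassword fails the check.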







More information about the Freeradius-Users mailing list