yet ANOTHER EAP-TTLS/PAP with OpenLDAP problem ...

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Sun Mar 30 00:28:23 CET 2008


Alan DeKok wrote:
> Sylvain Robitaille wrote:
> ...
>>> ldap {
>>>     auto_header = yes
> ...
>> I will definitely give that a try on Monday morning.  I wasn't aware
>> that the ldap module also had an auto_header parameter.  I have it set
>> for the pap module already, but will try with the ldap module and report
>> back.
> 
>   I would very much prefer that the PAP module be used for the password
> mangling, rather than rlm_ldap.  The code in the PAP module does more,
> and is more used than the similar code in rlm_ldap.  I think that
> functionality will be removed from rlm_ldap.

Yes, it is duplicate functionality. Lots of our configuration files are 
still based on CVS versions from when FR 2 was being developed, I should 
really merge them with the standard 2.0.3 configs at some point.

I just couldn't understand why the PAP module wasn't processing the 
header on the User-Password, and I know the autoheader option works for 
us with rlm_ldap. It's actually very useful because it'll allow the 
migration from crypt *sigh* to ssha1 at some point in the future, but if 
rlm_pap does the same thing then i'll switch to that.

> 
>>>  have no idea what password_radius_attribute is ?? Is that a legacy
>>> configuration item ?
> 
>   Yes.
> 
>> I don't think so.  I only learned about it this week, though that isn't
>> to suggest that it wasn't around previously.  I learned about this from
>> reading doc/rlm_ldap that ships with freeradius-server-2.0.3.  That file
>> says the following about this parameter:
> 
>   I've deleted that text from the documentation.  The configuration item
> hasn't been in rlm_ldap for a long time.
> 
> 
>   You need to tell FreeRADIUS *how* you have encrypted the passwords.
> If there's a {ssha} header on the password, then the PAP module should
> figure it out.


But it doesn't appear to be... you have got the autoheader option set in 
the PAP module?

         pap {
                 auto_header = yes
         }

Doesn't matter where it's set for testing, it just needs to be set 
*somewhere*.

*nothing* will work until you get the hash into the correct attribute 
with the header stripped off.

Fudging it by creating a static mapping userPassword -> SSHA-Password in 
ldap.attrmap won't work because the header will still be present in the 
hash...

If you really stumped something like:

authorize {
	ldap
	if(ok && ("%{control:User-Password}" ~= /^{ssha}(.*)/i)){
		update control{
			SSHA-Password := "%{1}"
		}
	}
}

Will do the work of the LDAP / PAP module. But it's a bodge, really 
rlm_pap should be doing that.

>> It might still be interesting just to _know_ what's slowing the RADIUS
>> server down, though.
> 
>   30 second delays are almost always DNS.
> 
>>> There isn't really a whole lot that can go wrong with the server.  If
>>> it's waiting more than 30 seconds to respond, then the likelihood is
>>> that it's doing DNS lookups, and DNS is broken.
>> Hrmmm...  I have "hostname_lookups = no" on both my existing (1.1.6)
>> installation and the new one I'm working on (2.0.3), but of course
>> *some* DNS lookups would still be expected (I have multiple LDAP servers
>> configured, by hostname, for example),
> 
>   Yes.  That configuration item controls IP address -> hostname lookups
> for printing.  It has *no* effect on hostname -> IP mapping, such as
> looking up ldap servers by hostname.

We have the LDAP servers in a DNS round robin. Does FR resolve the 
hostname each time a new connection is established, or will it resolve 
it once during startup when the configuration entry is parsed?

Thanks,
Arran





More information about the Freeradius-Users mailing list