Radius integration with LDAP (SASL)

vijay t vijayt at cdac.in
Tue Jan 17 14:39:52 CET 2012


Hello,

Thanks for the quick response.

Please note I am using SASL on my LDAP. If I create a user in the LDAP server
itself (e.g. 101821), I am able to authenticate the user (please see debug
output "1"). I am facing a problem only for those users for whom I am using the
SASL mechanism for userPassword (please see debug output "2").
 
Debug output "1"
 
rad_recv: Access-Request packet from host 10.168.109.120 port 57709, id=24,
length=58
        User-Name = "101821"
        User-Password = "q"
        NAS-IP-Address = 10.1.109.120
        NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "101821", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for 101821
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> 101821
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=101821)
[ldap]  expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=101821)
request done: ld 0x126be520 msgid 4
[ldap] Added User-Password = q in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user 101821 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "q"
[pap] Using clear text password "q"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 24 to 10.168.109.120 port 57709
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 24 with timestamp +854
Ready to process requests.


Debug output "2"


rad_recv: Access-Request packet from host 10.168.109.120 port 54218, id=100,
length=58
        User-Name = "105900"
        User-Password = "sbt"
        NAS-IP-Address = 10.1.109.120
        NAS-Port = 0
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "105900", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[smbpasswd] returns notfound
[ldap] performing user authorization for 105900
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> 105900
[ldap]  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=105900)
[ldap]  expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=105900)
request done: ld 0x126be520 msgid 3
[ldap] Added User-Password = {SASL}suresht in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user 105900 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "sbt"
[pap] Using clear text password "{SASL}suresht"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> 105900
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 100 to 10.168.109.120 port 54218
Waking up in 4.9 seconds.
Cleaning up request 1 ID 100 with timestamp +106
Ready to process requests.


Regards

Vijay

On January 17, 2012 at 5:35 PM Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 17/01/12 11:55, vijay t wrote:
> > My LDAP server uses the SASL mechanism for authenticating uid/username
> > against userPassword. How can I integrate this LDAP server with the
> > FreeRADIUS server, and what configuration needs to be changed? On
> > debug, my RADIUS server shows the following error. Kindly suggest.
>
> Read this:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> And this:
>
> http://deployingradius.com/documents/protocols/oracles.html
>
> Short version: if you need to use "LDAP BIND", you can only support PAP
> authentication.
>
> > [ldap] expand: %{User-Name} -> google
> > [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=google)
> > [ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in
> > [ldap] ldap_get_conn: Checking Id: 0
> > [ldap] ldap_get_conn: Got Id: 0
> > [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google)
> > request done: ld 0x748c7d0 msgid 9
> > [ldap] object not found
> > [ldap] search failed
>
> Your first problem is that the LDAP Search has failed. Fix your LDAP
> search filter, or ensure the user exists.
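As an added illustration of the fix Phil's reply points at (this is not code from the thread or from the FreeRADIUS project), the unlang below is assumed to live in the default virtual server (`sites-enabled/default`) of a FreeRADIUS 2.x server like the one in the debug output, with an rlm_ldap instance named `ldap` whose `identity`/`password` is a read-only search account. The tell-tale line in debug output "2" is `[pap] Using clear text password "{SASL}suresht"`: the directory stores `{SASL}<name>` in userPassword, rlm_ldap imports that string as the "known good" password, and rlm_pap has nothing it can compare against. The change routes those requests to an LDAP bind as the user, so the directory itself runs its SASL pass-through. Section and module names are assumptions.

```unlang
# Added example, not from the original thread or the FreeRADIUS project.
# Assumes FreeRADIUS 2.x, sites-enabled/default, and an rlm_ldap instance
# named "ldap". Module ordering is the same as in the posted debug output.

authorize {
    preprocess
    chap
    mschap
    digest
    suffix
    eap
    files

    # rlm_ldap looks the user up and, as the debug shows, copies whatever
    # is in userPassword into the check items. For a SASL-backed account
    # that value is "{SASL}<name>", which is not a hash rlm_pap can verify.
    ldap

    # A cleartext password is only available for PAP. When we have one,
    # the LDAP lookup succeeded, and nothing else has already claimed the
    # request, authenticate by binding to the directory as the user
    # instead of letting rlm_pap compare against the imported value.
    # This must sit after "ldap" and before "pap", otherwise pap claims
    # the request first.
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }

    expiration
    logintime
    pap
}

authenticate {
    # Accounts whose userPassword holds cleartext or a hash FreeRADIUS
    # understands (debug output "1") still work through rlm_pap.
    Auth-Type PAP {
        pap
    }

    # rlm_ldap binds with the user's DN and the User-Password from the
    # Access-Request. The directory applies its own SASL pass-through,
    # so "{SASL}..." entries authenticate. Only PAP can take this path:
    # CHAP, MS-CHAP and EAP-MSCHAPv2 never give the server a cleartext
    # password to bind with, which is the limit Phil describes.
    Auth-Type LDAP {
        ldap
    }
}
```

Two things worth checking when deploying this: first, the `+- entering group PAP` line in debug output "2" should become `+- entering group LDAP`, and a wrong password should then be rejected by the directory's bind rather than by rlm_pap; second, the search account in the ldap module can read userPassword, which is why rlm_ldap imported `{SASL}suresht` at all. Restricting that account's read access to userPassword in the directory ACLs keeps the unverifiable value out of FreeRADIUS entirely and also stops the search account from being able to dump password hashes of the non-SASL users.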
