FR 3.0 with eDir

Michael Schwartzkopff ms at sys4.de
Wed Dec 18 10:01:36 CET 2013


On Wednesday, 18 December 2013, 09:56:04, Hubert Kupper wrote:
> On 17.12.2013 17:06, Arran Cudbard-Bell wrote:
> > On 17 Dec 2013, at 14:38, Olivier Beytrison <olivier at heliosnet.org> wrote:
> >> On 17.12.2013 13:38, Hubert Kupper wrote:
> >>> On 17.12.2013 12:22, Arran Cudbard-Bell wrote:
> >>> rlm_ldap (ldap): Reserved connection (0)
> >>> (1) ldap :      expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" ->
> >>> '(cn=foo)'
> >>> (1) ldap :      expand: "o=org" -> 'o=org'
> >>> (1) ldap : Performing search in 'o=org' with filter '(cn=foo)'
> >>> (1) ldap : Waiting for search result...
> >>> (1) ldap : User object found at DN "cn=foo,ou=test,o=org"
> >>> (1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other
> >>> (e.g., implementation specific) error
> >>> rlm_ldap (ldap): Released connection (0)
> >>> rlm_ldap (ldap): Opening additional connection (1)
> >>> rlm_ldap (ldap): Connecting to 192.168.1.35:389
> >> 
> >> 389 ???? you're not using ldaps ? IIRC Novell doesn't allow the NMAS
> >> Password retrieval over a non secure channel
> >> 
> >> Try using a ldaps connection !
> > 
> > Or enable start TLS.
> > 
> > Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> > FreeRADIUS Development Team
> 
> Bingo. You are right. When I use ldaps the ldap bind was successful now.
> With FR 2.x on OpenSuse 12.3 ldap and ldaps work both.
> By the way now I get the following error:
> 
> server inner-tunnel {
> (9) # Executing section authorize from file
> /etc/raddb/sites-enabled/inner-tunnel
> (9)   authorize {
> (9)   [chap] = noop
> (9)   [mschap] = noop
> (9) suffix : No '@' in User-Name = "dumm", looking up realm NULL
> (9) suffix : Found realm "NULL"
> (9) suffix : Adding Stripped-User-Name = "dumm"
> (9) suffix : Adding Realm = "NULL"
> (9) suffix : Authentication realm is LOCAL
> (9)   [suffix] = ok
> (9)   update control {
> (9)             Proxy-To-Realm := 'LOCAL'
> (9)   } # update control = noop
> (9) eap : EAP packet type response id 11 length 63
> (9) eap : No EAP Start, assuming it's an on-going EAP conversation
> (9)   [eap] = updated
> (9)   [files] = noop
> rlm_ldap (ldap): Reserved connection (2)
> (9) ldap :      expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" ->
> '(cn=dumm)'
> (9) ldap :      expand: "o=org" -> 'o=org'
> (9) ldap : Performing search in 'o=org' with filter '(cn=dumm)'
> (9) ldap : Waiting for search result...
> (9) ldap : User object found at DN "cn=Dumm,ou=test1,ou=test,o=org"
> (9) ldap : Added eDirectory password in check items as
> Cleartext-Password = pwddummy
> (9) ldap : Binding as user for eDirectory authorization checks
> (9) ldap : Waiting for bind result...
> (9) ldap : Bind successful
> (9) ldap : Bind as user "cn=Dumm,ou=test1,ou=test,o=org" was successful
> rlm_ldap (ldap): Released connection (2)
> (9)   [ldap] = ok
> (9)   [expiration] = noop
> (9)   [logintime] = noop
> (9) WARNING: pap : Auth-Type already set.  Not setting to PAP
> (9)   [pap] = noop
> (9)  } #  authorize = updated
> (9) Found Auth-Type = EAP
> (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (9)   authenticate {
> (9) eap : Expiring EAP session with state 0xa4e4c03ea4efda08
> (9) eap : Finished EAP session with state 0xa4e4c03ea4efda08
> (9) eap : Previous EAP request found for state 0xa4e4c03ea4efda08,
> released from the list
> (9) eap : Peer sent MSCHAPv2 (26)
> (9) eap : EAP MSCHAPv2 (26)
> (9) eap : Calling eap_mschapv2 to process EAP data
> (9) eap_mschapv2 : # Executing group from file
> /etc/raddb/sites-enabled/inner-tunnel
> (9) eap_mschapv2 :  Auth-Type MS-CHAP {
> (9) mschap : Creating challenge hash with username: dumm
> (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password
> (9) mschap : FAILED: MS-CHAP2-Response is incorrect
> (9)   [mschap] = reject
> (9)  } # Auth-Type MS-CHAP = reject
> (9) eap : Freeing handler
> (9)   [eap] = reject
> (9)  } #  authenticate = reject
> (9) Failed to authenticate the user
> (9) Using Post-Auth-Type Reject
> (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (9)  Post-Auth-Type REJECT {
> (9) ldap :      expand: "." -> '.'
> (9) ldap :      expand: "Authenticated at %S" -> 'Authenticated at
> 2013-12-18 09:16:37'
> rlm_ldap (ldap): Reserved connection (2)
> (9) ldap : Using user DN from request "cn=Dumm,ou=test1,ou=test,o=org"
> (9) ldap : Waiting for bind result...
> (9) ldap : Bind successful
> (9) ldap : Modifying object with DN "cn=Dumm,ou=test1,ou=test,o=org"
> (9) ldap : Waiting for modify result...
> rlm_ldap (ldap): Released connection (2)
> (9)   [ldap] = reject
> (9)  } # Post-Auth-Type REJECT = reject
> } # server inner-tunnel
> (9) eap_peap : Got tunneled reply code 3
>          MS-CHAP-Error = '\013E=691 R=1'
>          EAP-Message = 0x040b0004
>          Message-Authenticator = 0x00000000000000000000000000000000
> (9) eap_peap : Got tunneled reply RADIUS code 3
>          MS-CHAP-Error = '\013E=691 R=1'
>          EAP-Message = 0x040b0004
>          Message-Authenticator = 0x00000000000000000000000000000000
> (9) eap_peap : Tunneled authentication was rejected
> (9) eap_peap : FAILURE
> (9) eap : New EAP session, adding 'State' attribute to reply
> 0x4c9dbfee4591a60a
> (9)   [eap] = handled
> (9)  } #  authenticate = handled
> Sending Access-Challenge of id 121 from 139.14.1.56 port 1812 to
> 139.14.200.6 port 32770
>          EAP-Message = 0x010c002b1900170301002042ce42556a179e73d4a55cd52bbf954cb5b0bce96996e4442f472d1e5257185a
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x4c9dbfee4591a60a5d313de2c42289f5
> (9) Finished request 9.
> 
> (10) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP
> sub-module failed
> 
> Hubert

As far as I can see, you need the NT-Password for that user, if you use 
mschapv2:

> (9) mschap : Creating challenge hash with username: dumm
> (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password
> (9) mschap : FAILED: MS-CHAP2-Response is incorrect

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
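To make the "we need NT-Password" point concrete: MS-CHAPv2 is verified against the NT hash of the password (MD4 over its UTF-16LE encoding), which is why a Cleartext-Password such as the one rlm_ldap pulled from eDirectory is usable for MS-CHAPv2 only once it has been hashed into an NT-Password, and why a directory that returns nothing, or only a non-reversible form, cannot satisfy the check at all. The following is an added example, not code from the thread or from FreeRADIUS: it derives NT-Password from Cleartext-Password, computes the RFC 2759 challenge hash that the "Creating challenge hash with username" line refers to, and applies an assumed selection order over control items (`mschap_nt_hash_from_control` is a hypothetical helper, not rlm_mschap's own logic).

```python
import hashlib
import struct

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 builds."""
    bits = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bits)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F(b,c,d), no additive constant
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G(b,c,d)
                f, k, s, t = (b & c) | (b & d) | (c & d), (i % 4) * 4 + i // 4 - 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: H(b,c,d)
                f, k, s, t = b ^ c ^ d, r3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rol((a + f + x[k] + t) & 0xFFFFFFFF, s), b, c
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_password(cleartext: str) -> bytes:
    """NT-Password (NT hash): MD4 over the UTF-16LE encoding of the cleartext password."""
    return md4(cleartext.encode("utf-16-le"))

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]

def mschap_nt_hash_from_control(control: dict):
    """Assumed selection order (what an MS-CHAPv2 check needs, not rlm_mschap's code): an explicit
    NT-Password is used as-is, a Cleartext-Password is hashed into one, and anything else
    (no password, or only a non-reversible form from the directory) cannot verify MS-CHAPv2."""
    if "NT-Password" in control:
        hexval = control["NT-Password"]
        return bytes.fromhex(hexval[2:] if hexval.startswith("0x") else hexval)
    if "Cleartext-Password" in control:
        return nt_password(control["Cleartext-Password"])
    return None

if __name__ == "__main__":
    # Constructed control items, shaped like what rlm_ldap added in the thread's debug output.
    print(mschap_nt_hash_from_control({"Cleartext-Password": "pwddummy"}).hex())
```

The assertions below use the RFC 2759 section 9.2 test vectors (user "User", password "clientPass") plus the well-known NT hash of "password".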