Ldap + freeradius... Again

Alan DeKok aland at deployingradius.com
Fri Mar 15 03:14:38 CET 2013 

fernando.sg1 at gmail.com wrote:
> *now i've a problem, and this is making me crazy!*
> *i change the /module/LDAP and now i can authenticate using plaintext or
> when i use the passwordwith {crypt}*
>
> *but when i try to use {md5} this dont work!*

  You edited the configuration file and broke it.  Don't do that.

> /rad_recv: Access-Request packet from host 127.0.0.1 port 34019, id=41,
> length=57
> User-Name = "user3"
> User-Password = "123"
> NAS-IP-Address = 200.131.96.47
> NAS-Port = 10
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> [ldap] performing user authorization for user3
> [ldap] expand: (uid=%u) -> (uid=user3)
> [ldap] expand: dc=xxxxxxx,dc=edu,dc=br -> dc=xxxxxxx,dc=edu,dc=br
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in dc=xxxxxxx,dc=edu,dc=br, with filter
> (uid=user3)
> [ldap] checking if remote access for user3 is allowed by uid
> [ldap] Added MD5-Password = ICy5YqxZB1uWSwcVLSNLcA== in check items
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] userPassword -> Password-With-Header ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> [ldap] looking for reply items in directory...
> [ldap] user user3 authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok

  So... "ldap" is pretty much the only module listed in the "authorize"
section.

  Why?  Just... why?  The comments at the top of the file you edited
explain that butchering it is wrong.

> ++[expiration] returns noop
> ++[logintime] returns noop

  The "pap" module should be listed here.

> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user

  Because you broke the default configuration.

> sorry my poor english and if my doubt is too obvious, but i'm trying to
> solve that have 3 days and nothing.

  You're working VERY HARD to destroy the default configuration.

  If you plan on cooking a meal, you *don't* throw all of the food on
the floor and stand on it.  You follow a recipe.

  Throw away EVERYTHING you did.  It's wrong.

  Then, configure the "ldap" module.

  The uncomment references to "ldap" in raddb/sites-available/default.

  It WILL WORK.

  The entire problem here is that you're putting huge amounts of work
into breaking the server, and then acting surprised that it's broken.
You would have had this working 3 days ago if you had just followed the
documentation.

  Alan DeKok.

More information about the Freeradius-Users mailing list