Check LDAP password with SHA512

Will W. will at damagesinc.net
Fri Jan 29 01:27:27 CET 2016


OK, I just built 3.1.0 to reproduce the error for /dev/random

 tls {
    ca_file = "/usr/local/etc/raddb/certs/current/rootCA.pem"
    ca_path = "/usr/local/etc/raddb/certs/current"
    certificate_file = "/usr/local/etc/raddb/certs/current/radius.crt"
    private_key_file = "/usr/local/etc/raddb/certs/current/radius.key"
    random_file = "/dev/random"
 }

Configuration file /dev/random is globally writable.  Refusing to start due to insecure configuration.
/usr/local/etc/raddb/mods-enabled/ldap[8]: Invalid configuration for module "ldap"

So what I gather from the last few e-mails is that I should not change the
permissions on things in the /dev folder.

Is there a fix for this?


Will


On Thu, Jan 28, 2016 at 9:53 AM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:

>
> > On Jan 28, 2016, at 3:49 AM, Will W. <will at damagesinc.net> wrote:
> >
> > OK this is getting fun, two systems up, the first one I get working wins.
> >
> > - original system: SEL 12.1 Freeradius install via repo binaries 3.0.4
> > I'm familiar with 2.x but 3.x has a few differences.
> > I am guessing that this needs to be changed in
> > /etc/raddb/sites-enabled/default
> > Emailing from my phone is a bit painful.
> >
> > -second system after getting the email about Freeradius 3.1.0 with patch
> > for crypt. Ubuntu x86_64 14.04 cloned from github about three hours ago.
> > Freeradius 3.1.0
> > Still trying to figure out what is wrong with my /dev/urandom file set in
> > /etc/freeradius/mods-enabled/ldap
> >
> > Seems like on both RHEL 7.x and Ubuntu 14.04 when I compile from source and
> > run either freeradius -X, the first thing it complained about was:
> > random_file = /dev/urandom is world writable. Quick chmod 644 and then I
> > get an unknown error trying to set the random_file.
> >
> > Is there a fix for this?
>
> Unknown error means ldap_set_option returned an error without setting an
> error on the ldap handle.
>
> Reading through the OpenLDAP code, it seems that this particular option is
> only available as a global, so we're not allowed to pass in an ldap handle.
>
> This is undocumented behaviour.
>
> I'll push a fix.
>
> As for module ordering, edit sites-available/default
>
> Remove everything from the authorize section, and just list the modules
>
> ldap
> pap
>
> in that order.
>
> Remove everything from the auth section, and just list pap.
>
> It should work.
>
> -Arran
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
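An added illustration, not FreeRADIUS's own code and not from either poster, of the permission check the thread keeps running into, written the way a defender would want it to behave: a world-writable regular file is rejected, but a kernel RNG character device such as /dev/random or /dev/urandom is accepted even though its 0666 mode trips a naive check (the function name check_random_file is assumed here).

```shell
# Added example (not FreeRADIUS code). Decide whether a random_file path is
# acceptable. /dev/random and /dev/urandom are character devices that are
# 0666 by design; chmod'ing them to 644 (as tried in the thread) only breaks
# other users' access to the kernel RNG and adds no security. The
# world-writable test therefore applies to regular files only.
check_random_file() {
    path="$1"
    # Must exist and be readable by the process that will open it.
    [ -r "$path" ] || { echo "$path: not readable" >&2; return 1; }
    # Kernel RNG device nodes are character devices; accept them as-is.
    if [ -c "$path" ]; then
        return 0
    fi
    # Anything else must be a regular file ...
    [ -f "$path" ] || { echo "$path: not a regular file or device" >&2; return 1; }
    # ... that is not writable by "other". GNU stat prints the octal mode
    # with %a; the BSD/macOS fallback uses %Lp.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    other=$(( mode % 10 ))        # last octal digit = permissions for "other"
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "$path: world writable (mode $mode); refusing" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo: the kernel device passes despite its 0666 mode.
if [ -c /dev/urandom ]; then
    if check_random_file /dev/urandom; then
        echo "/dev/urandom: acceptable random_file"
    fi
fi
```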

