v3.1.x - Directory specific admonitions

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sat Jan 30 02:18:32 CET 2016


Added some basic directory fingerprinting...

rlm_ldap (ldap) - Opening additional connection (0), 1 of 24 pending slots used
rlm_ldap (ldap) - Connecting to ldap://192.168.43.57:389
rlm_ldap (ldap) - Waiting for bind result...
rlm_ldap (ldap) - Bind successful
rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base"
rlm_ldap (ldap) - Waiting for search result...
rlm_ldap (ldap) - Directory type: OpenLDAP

/*
 *	After the LDAP maps have run, check whether any "known good" password
 *	attribute made it into the control list.  If not, the directory type
 *	decides which admonition the administrator gets.
 */
if (!fr_pair_find_by_num(request->config, 0, PW_CLEARTEXT_PASSWORD, TAG_ANY) &&
    !fr_pair_find_by_num(request->config, 0, PW_NT_PASSWORD, TAG_ANY) &&
    !fr_pair_find_by_num(request->config, 0, PW_USER_PASSWORD, TAG_ANY) &&
    !fr_pair_find_by_num(request->config, 0, PW_PASSWORD_WITH_HEADER, TAG_ANY) &&
    !fr_pair_find_by_num(request->config, 0, PW_CRYPT_PASSWORD, TAG_ANY)) {
	/*
	 *	Directory-specific advice only applies when the directory
	 *	cannot hand out cleartext passwords at all.
	 */
	if (!inst->directory->cleartext_password &&
	    (inst->directory->type == LDAP_DIRECTORY_ACTIVE_DIRECTORY)) {
		RWDEBUG("!!! Found map between LDAP attribute and a FreeRADIUS password attribute");
		RWDEBUG("!!! Active Directory does not allow passwords to be read via LDAP");
		RWDEBUG("!!! Remove the password map and either:");
		RWDEBUG("!!!  - List %s in the authenticate section, and set attribute "
			"&control:Auth-Type := '%s' (pap only)", inst->name, inst->name);
		RWDEBUG("!!!  - Configure authentication via ntlm_auth (mschapv2 only)");
		RWDEBUG("!!!  - Configure authentication via wbclient (mschapv2 only)");
	} else if (!inst->directory->cleartext_password &&
		   (inst->directory->type == LDAP_DIRECTORY_EDIRECTORY)) {
		RWDEBUG("!!! Found map between LDAP attribute and a FreeRADIUS password attribute");
		RWDEBUG("!!! eDirectory does not allow passwords to be retrieved via LDAP search");
		RWDEBUG("!!! Remove the password map and either:");
		RWDEBUG("!!!  - Set 'edir = yes' and enable the universal password feature on your "
			"eDir server (recommended)");
		RWDEBUG("!!!  - List %s in the authenticate section, and set attribute "
			"&control:Auth-Type := '%s' (pap only)", inst->name, inst->name);
	/*
	 *	Generic case: an identity is configured, so it is probably an ACL
	 *	problem; otherwise no identity was configured at all.
	 */
	} else if (inst->admin_identity) {
		RWDEBUG("No \"known good\" password added.  Ensure \"%s\" has permission to "
			"read the user's password attribute", inst->admin_identity);
	} else {
		RWDEBUG("No \"known good\" password added.  Set 'identity' to the dn of an "
			"account that has permission to read the user's password attribute");
	}
}

The first user to post either of those messages to the list earns an instaban ;)

-Arran
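Added example (Python, not rlm_ldap's own code): it classifies a directory from the attributes a base-scope "(objectclass=*)" search of the root DSE returns, as the debug output above reports, and applies the same "known good" password check as the snippet. The root DSE attribute names used as fingerprints and the sample responses are assumptions, not taken from the module.

```python
from typing import Dict, List, Optional

# FreeRADIUS control attributes that count as a "known good" password.
KNOWN_GOOD = {"Cleartext-Password", "NT-Password", "User-Password",
              "Password-With-Header", "Crypt-Password"}

# Constructed root DSE responses, i.e. what a base-scope "(objectclass=*)"
# search against "" returns. The attributes chosen as fingerprints are
# assumptions about what each product publishes, not rlm_ldap's own logic.
ROOT_DSE_SAMPLES = {
    "openldap": {"namingContexts": ["dc=example,dc=org"],
                 "configContext": ["cn=config"]},
    "ad": {"rootDomainNamingContext": ["DC=example,DC=org"],
           "forestFunctionality": ["6"]},
    "edir": {"vendorName": ["Novell, Inc."],
             "vendorVersion": ["LDAP Agent for NetIQ eDirectory 9.0 (40002.00)"]},
}

def fingerprint(root_dse: Dict[str, List[str]]) -> str:
    """Classify the directory from its root DSE attributes."""
    vendor = " ".join(root_dse.get("vendorName", [])).lower()
    if "novell" in vendor or "edirectory" in vendor:
        return "eDirectory"
    if "forestFunctionality" in root_dse or "rootDomainNamingContext" in root_dse:
        return "Active Directory"
    if "openldap" in vendor or "configContext" in root_dse:
        return "OpenLDAP"
    return "Unknown"

def password_map_advice(directory: str, control: Dict[str, str],
                        admin_identity: Optional[str], inst: str = "ldap") -> List[str]:
    """Warnings to emit after the LDAP maps ran, keyed on directory type.
    Empty when a known-good password reached the control list."""
    if KNOWN_GOOD & set(control):
        return []
    if directory == "Active Directory":
        return ["Active Directory does not allow passwords to be read via LDAP",
                f"List {inst} in authenticate and set &control:Auth-Type := '{inst}' (pap only)",
                "or authenticate via ntlm_auth / wbclient (mschapv2 only)"]
    if directory == "eDirectory":
        return ["eDirectory does not allow passwords to be retrieved via LDAP search",
                "Set 'edir = yes' and enable universal password (recommended)",
                f"or list {inst} in authenticate and set &control:Auth-Type := '{inst}' (pap only)"]
    if admin_identity:
        return [f'No "known good" password added; ensure "{admin_identity}" '
                "can read the user's password attribute"]
    return ["No \"known good\" password added; set 'identity' to a DN "
            "that can read the user's password attribute"]
```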