FreeRADIUS 3.0.x and user authentification against Novell eDirectory without Universal Password
aland at deployingradius.com
Tue Apr 7 16:31:33 CEST 2020
On Apr 7, 2020, at 5:56 AM, Martin Kozelský <martin.kozelsky at post.cz> wrote:
> I am upgrading FreeRADIUS server from 2.2.5 (Debian 8) to 3.0.17 (Centos
> 8). I use LDAP user authentication against Novell eDirectory, where
> authentication works in two steps:
> 1. anonymous searching user in LDAP,
> 2. binding to LDAP as user with cleartext password, if it is
> successfull, the authentication&authorization is successfull.
That shouldn't need any magic eDirectory things. Just treat it as a normal LDAP bind.
The eDirectory magic is to allow eDirectory to send the clear-text password to FreeRADIUS, for things like MS-CHAP.
> It is done by configuration option "edir_account_policy_check=yes"
> In new FreeRADIUS I have to use options "edir=yes" & "edir_autz=yes",
> but Universal Password is required before the step 2. and it fails:
> Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: Performing search in "o=xxx"
> with filter "(uid=xxx)", scope "sub"
> Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: Waiting for search result...
> Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: User object found at DN
> Mon Apr 6 15:03:15 2020 : ERROR: (0) ldap: Failed to retrieve
> eDirectory password: (-1631) BER manipulation failed
So you're nod doing an anonymous search, and you're not doing bind as user. Yes, it will fail.
> I need to disable Universal Password. In my opinion something as
> "edir=no" & "edir_autz=yes" can solve it, but it doesn't work. You can
> see in source file rlm_ldap.c that "edir=no" option disables all
> eDirectory code block.
> Or any advice?
Configure anonymous search. Configure bind as user. Run the "ldap" module in the "authenticate" section.
Delete all eDirectory magic from the configuration.
More information about the Freeradius-Users