Hello,

I'm using freeradius 2.1.10 and I want to use LDAP as a backend in the authorize section to take the userPassword attribute (unix crypt) to authenticate the user.

My problem is: the LDAP server doesn't have a public key that an admin user (who binds) can take. So I have to bind in the authorize section with the user and password (clear text) in the request.

Is this possible?

What are my possibilities?

Here is my actual configuration in my test:

LDAP MODULE

ldap ldapPerson {
    server = "ldap.xxxx"
    basedn = "ou=people,dc=unex,dc=es"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldapPerson.attrmap
    edir_account_policy_check = no
    set_auth_type = yes
}

SERVER

server test {

    authorize {
        suffix
        files
        ldapPerson
        expiration
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
    }

}

DEBUG

rad_recv: Access-Request packet from host X.X.X.X port 38152, id=201, length=58
        User-Name = "aigallardo@unex.es"
        User-Password = "pass"
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm "unex.es" for User-Name = "aigallardo@unex.es"
[suffix] Found realm "unex.es"
[suffix] Adding Stripped-User-Name = "aigallardo"
[suffix] Adding Realm = "unex.es"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to XXXXX :389, authentication 0
  [ldapPerson] bind as / to XXXX :389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez"
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
} # server test

Thank you very much and sorry for my English.

++ Ana Gallardo Gómez ++
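As an added example (not the poster's configuration and not an answer from the list), this is how the FreeRADIUS 2.x virtual server above could be written so that the directory verifies the password by binding as the user, rather than FreeRADIUS reading userPassword during authorize; it assumes the same "ldapPerson" module instance and the same "test" virtual server shown in the post.

```unlang
# Added example (constructed, not the original poster's config). Assumes the
# "ldapPerson" instance from the post: anonymous search for the user's DN works
# (the debug shows gecos being read), only userPassword is not readable.
server test {

    authorize {
        suffix
        files
        # In authorize the module only resolves the DN and reply items. With
        # set_auth_type = yes and no "known good" password found, it sets
        # Auth-Type := ldapPerson, but only if an Auth-Type of that name exists,
        # which the block in authenticate below creates. Without that block the
        # request ends with "No authenticate method (Auth-Type) found".
        ldapPerson
        expiration
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }

        # Listing the instance here defines Auth-Type "ldapPerson". Requests
        # routed to it make the module bind to the LDAP server as the DN found
        # in authorize, using the clear-text User-Password from the request;
        # a failed bind rejects the user, so no password attribute is read.
        # Caveats: only PAP carries a clear-text password, so CHAP, MS-CHAP and
        # EAP methods cannot be verified this way; and the user's password is
        # sent to the directory on every request, so the module should use
        # start_tls = yes (or an ldaps:// server) instead of the plain
        # start_tls = no shown in the post.
        Auth-Type ldapPerson {
            ldapPerson
        }
    }

}
```

With this configuration the debug output for a successful request shows the module binding as the user's DN in the authenticate section instead of the "bind as /" anonymous bind seen above.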