Hello again. OK, now I can authenticate a user using LDAP.<br><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">I'm using FreeRADIUS 2.1.10 and I want to use LDAP as a backend in the authorize section to take the userPassword attribute (unix crypt) to authenticate the user.<br>
</blockquote><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">My problem is: the LDAP server doesn't have a public key that an admin user (who binds) can take. So I have to bind in the authorize section with the user and password (clear text) in the request.
<br></blockquote><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Is this possible?<br></blockquote><div><br>I have read that this is not OK:<br>
<br>
<a href="http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html">http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html</a> <br>
<br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">What are my possibilities?<br></blockquote><div><br>I think that what I can do is: <br>
- in the authorize section, bind as an anonymous user and take the public attributes that I need to authorize the user.<br>- in the authenticate section, bind as the user who wants access<br></div><div> <br>The configuration that works:<br>
<br><br>LDAP MODULE<br><br><pre>
ldap ldapPerson {
    server = "xxx"
    # no identity/password configured: the authorize-time search
    # binds anonymously (the "bind as /" line in the debug output)
    basedn = "ou=people,dc=unex,dc=es"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        # plain LDAP on port 389, no STARTTLS
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldapPerson.attrmap
    edir_account_policy_check = no
    # with a User-Password in the request and no "known good" password
    # found in the directory, the module sets Auth-Type = LDAP itself
    set_auth_type = yes
}
</pre><br>SERVER<br><br><pre>
server test {

    authorize {
        suffix
        files
        ldapPerson
        expiration
        # force the LDAP bind in authenticate regardless of what the
        # directory returned
        update control {
            Auth-Type := "LDAP"
        }
    }

    authenticate {
        Auth-Type LDAP {
            ldapPerson
        }
    }

}
</pre><br>DEBUG<br><br><pre>
rad_recv: Access-Request packet from host x.x.x.x port 48259, id=145, length=58
	User-Name = "aigallardo@unex.es"
	User-Password = "xxxx"
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm "unex.es" for User-Name = "aigallardo@unex.es"
[suffix] Found realm "unex.es"
[suffix] Adding Stripped-User-Name = "aigallardo"
[suffix] Adding Realm = "unex.es"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
 [ldapPerson] ldap_get_conn: Checking Id: 0
 [ldapPerson] ldap_get_conn: Got Id: 0
 [ldapPerson] attempting LDAP reconnection
 [ldapPerson] (re)connect to x.x.x.x:389, authentication 0
 [ldapPerson] bind as / to x.x.x.x:389
 [ldapPerson] waiting for bind result ...
 [ldapPerson] Bind was successful
 [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
 [ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez..."
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
 [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
++[control] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/test
+- entering group LDAP {...}
[ldapPerson] login attempt by "aigallardo" with password "xxxx"
[ldapPerson] user DN: uid=aigallardo,ou=People,dc=unex,dc=es
 [ldapPerson] (re)connect to x.x.x.x:389, authentication 1
 [ldapPerson] bind as uid=aigallardo,ou=People,dc=unex,dc=es/xxxxx to x.x.x.x:389
 [ldapPerson] waiting for bind result ...
 [ldapPerson] Bind was successful
[ldapPerson] user aigallardo authenticated succesfully
++[ldapPerson] returns ok
} # server test
Sending Access-Accept of id 145 to x.x.x.x port 48259
	Nombre-Completo = "Ana-Isabel Gallardo Gomez..."
</pre>
<br></div></div><br>I don't know if this is the best way to solve my problem; if someone has something better, I would like to know.<br><br>Thank you very much and sorry for my English.<br><br><br><br>++ Ana Gallardo Gómez ++<br>
<br><br>
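Editor's added example (not part of Ana's message and not a file shipped by the FreeRADIUS project): the same two-phase layout she arrived at, anonymous search in authorize and bind-as-user in authenticate, with the two checks a practitioner would add. First, STARTTLS on the directory connection: an LDAP simple bind sends the user's password to the directory in the clear, and the debug output above shows the authenticate-time bind going to port 389 with `start_tls = no`. Second, an explicit reject for requests that carry no cleartext `User-Password`, because a bind can only verify a cleartext password (PAP); CHAP or MS-CHAP requests can never succeed on this path. The module and virtual-server names, base DN, filter and attribute map are taken from the post; the LDAP hostname, the CA certificate path and the `require_cert` value are assumptions.

```conf
# /etc/freeradius/modules/ldapPerson   (path assumed; added example, not from the post)
ldap ldapPerson {
    server = "ldap.example.org"          # assumed hostname

    # No identity/password here: the authorize-time search binds
    # anonymously, exactly as the "bind as /" line in the debug shows.
    basedn = "ou=people,dc=unex,dc=es"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1

    tls {
        # The simple bind in authenticate carries the user's cleartext
        # password; without STARTTLS it crosses the wire unencrypted.
        start_tls = yes
        cacertfile = /etc/freeradius/certs/ldap-ca.pem   # assumed path
        require_cert = "demand"                          # assumed; verify the directory's certificate
    }

    dictionary_mapping = ${confdir}/ldapPerson.attrmap
    edir_account_policy_check = no

    # With a User-Password in the request and no "known good" password
    # readable from the directory, the module sets Auth-Type = LDAP itself.
    set_auth_type = yes
}

# /etc/freeradius/sites-available/test   (same virtual server name as in the post)
server test {

    authorize {
        suffix
        files
        ldapPerson

        # A bind-as-user check needs the cleartext password from the
        # request (PAP). Reject CHAP / MS-CHAP requests here instead of
        # letting them fall through to an authenticate section that
        # cannot verify them.
        if (!User-Password) {
            reject
        }

        expiration

        # Force the bind even if a userPassword attribute ever becomes
        # readable by the anonymous search.
        update control {
            Auth-Type := "LDAP"
        }
    }

    authenticate {
        Auth-Type LDAP {
            # Binds as uid=<user>,ou=People,dc=unex,dc=es with the
            # password from the request; a failed bind is a reject.
            ldapPerson
        }
    }

}
```

Two things worth keeping in mind when running this. `radiusd -X` prints the request's `User-Password` and the bind credentials in the clear (the `login attempt by ... with password` and `bind as .../...` lines above), so debug output should be redacted before it is pasted anywhere, as was done in the post. And because the only secret the server ever sees is the one the user typed, this setup gives the directory the final word on lockout and password policy; FreeRADIUS itself only learns "bind succeeded" or "bind failed".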