<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type"/>
<title></title>
</head>
<body>
<p style="margin: 0px;">Hello,</p>
<p style="margin: 0px;"><span> </span></p>
<p style="margin: 0px;"><span>Thanks for the quick response.</span></p>
<p style="margin: 0px;"> </p>
<p style="margin: 0px;"><span>Please note I am using SASL on my LDAP server. If I create a user in the LDAP server itself (e.g. 101821), I am able to authenticate that user (please see debug output "1"). I am facing the problem only for those users for whom I am using the SASL mechanism for userPassword (please see debug output "2").</span></p>
<p style="margin: 0px;"> </p>
<p style="margin: 0px;"><span>Debug output "1"</span></p>
<p style="margin: 0px;"> </p>
rad_recv: Access-Request packet from host 10.168.109.120 port 57709, id=24, length=58<br/>
User-Name = "101821"<br/>
User-Password = "q"<br/>
NAS-IP-Address = 10.1.109.120<br/>
NAS-Port = 0<br/>
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<br/>
+- entering group authorize {...}<br/>
++[preprocess] returns ok<br/>
++[chap] returns noop<br/>
++[mschap] returns noop<br/>
++[digest] returns noop<br/>
[suffix] No '@' in User-Name = "101821", looking up realm NULL<br/>
[suffix] No such realm "NULL"<br/>
++[suffix] returns noop<br/>
[eap] No EAP-Message, not doing EAP<br/>
++[eap] returns noop<br/>
++[files] returns noop<br/>
++[smbpasswd] returns notfound<br/>
[ldap] performing user authorization for 101821<br/>
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br/>
[ldap] ... expanding second conditional<br/>
[ldap] expand: %{User-Name} -> 101821<br/>
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=101821)<br/>
[ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in<br/>
[ldap] ldap_get_conn: Checking Id: 0<br/>
[ldap] ldap_get_conn: Got Id: 0<br/>
[ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=101821)<br/>
request done: ld 0x126be520 msgid 4<br/>
[ldap] Added User-Password = q in check items<br/>
[ldap] looking for check items in directory...<br/>
[ldap] looking for reply items in directory...<br/>
[ldap] user 101821 authorized to use remote access<br/>
[ldap] ldap_release_conn: Release Id: 0<br/>
++[ldap] returns ok<br/>
++[expiration] returns noop<br/>
++[logintime] returns noop<br/>
++[pap] returns updated<br/>
Found Auth-Type = PAP<br/>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br/>
!!! Replacing User-Password in config items with Cleartext-Password. !!!<br/>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br/>
!!! Please update your configuration so that the "known good" !!!<br/>
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!<br/>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br/>
# Executing group from file /usr/local/etc/raddb/sites-enabled/default<br/>
+- entering group PAP {...}<br/>
<strong><span style="font-size: 14pt;">[pap] login attempt with password "q"</span></strong><br/>
<strong><span style="font-size: 14pt;">[pap] Using clear text password "q"</span></strong><br/>
<strong><span style="font-size: 14pt;">[pap] User authenticated successfully</span></strong><br/>
<strong><span style="font-size: 14pt;">++[pap] returns ok</span></strong><br/>
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default<br/>
+- entering group post-auth {...}<br/>
++[exec] returns noop<br/>
Sending Access-Accept of id 24 to 10.168.109.120 port 57709<br/>
Finished request 2.<br/>
Going to the next request<br/>
Waking up in 4.9 seconds.<br/>
Cleaning up request 2 ID 24 with timestamp +854<br/>
Ready to process requests.<br/>
<br/>
<br/>
Debug output "2"<br/>
<br/>
<br/>
rad_recv: Access-Request packet from host 10.168.109.120 port 54218, id=100, length=58<br/>
User-Name = "105900"<br/>
User-Password = "sbt"<br/>
NAS-IP-Address = 10.1.109.120<br/>
NAS-Port = 0<br/>
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<br/>
+- entering group authorize {...}<br/>
++[preprocess] returns ok<br/>
++[chap] returns noop<br/>
++[mschap] returns noop<br/>
++[digest] returns noop<br/>
[suffix] No '@' in User-Name = "105900", looking up realm NULL<br/>
[suffix] No such realm "NULL"<br/>
++[suffix] returns noop<br/>
[eap] No EAP-Message, not doing EAP<br/>
++[eap] returns noop<br/>
++[files] returns noop<br/>
++[smbpasswd] returns notfound<br/>
[ldap] performing user authorization for 105900<br/>
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br/>
[ldap] ... expanding second conditional<br/>
[ldap] expand: %{User-Name} -> 105900<br/>
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=105900)<br/>
[ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in<br/>
[ldap] ldap_get_conn: Checking Id: 0<br/>
[ldap] ldap_get_conn: Got Id: 0<br/>
[ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=105900)<br/>
request done: ld 0x126be520 msgid 3<br/>
[ldap] Added User-Password = {SASL}suresht in check items<br/>
[ldap] looking for check items in directory...<br/>
[ldap] looking for reply items in directory...<br/>
[ldap] user 105900 authorized to use remote access<br/>
[ldap] ldap_release_conn: Release Id: 0<br/>
++[ldap] returns ok<br/>
++[expiration] returns noop<br/>
++[logintime] returns noop<br/>
++[pap] returns updated<br/>
Found Auth-Type = PAP<br/>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br/>
!!! Replacing User-Password in config items with Cleartext-Password. !!!<br/>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br/>
!!! Please update your configuration so that the "known good" !!!<br/>
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!<br/>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br/>
# Executing group from file /usr/local/etc/raddb/sites-enabled/default<br/>
+- entering group PAP {...}<br/>
<span style="font-size: 14pt;"><strong>[pap] login attempt with password "sbt"</strong></span><br/>
<span style="font-size: 14pt;"><strong>[pap] Using clear text password "{SASL}suresht"</strong></span><br/>
<span style="font-size: 14pt;"><strong>[pap] Passwords don't match</strong></span><br/>
++[pap] returns reject<br/>
Failed to authenticate the user.<br/>
Using Post-Auth-Type Reject<br/>
# Executing group from file /usr/local/etc/raddb/sites-enabled/default<br/>
+- entering group REJECT {...}<br/>
[attr_filter.access_reject] expand: %{User-Name} -> 105900<br/>
attr_filter: Matched entry DEFAULT at line 11<br/>
++[attr_filter.access_reject] returns updated<br/>
Delaying reject of request 1 for 1 seconds<br/>
Going to the next request<br/>
Waking up in 0.9 seconds.<br/>
Sending delayed reject for request 1<br/>
Sending Access-Reject of id 100 to 10.168.109.120 port 54218<br/>
Waking up in 4.9 seconds.<br/>
Cleaning up request 1 ID 100 with timestamp +106<br/>
Ready to process requests.<br/>
<br/>
<br/>
Regards<br/>
<br/>
Vijay<br/>
<br/>
<div style="margin: 5px 0px 5px 0px;">
On January 17, 2012 at 5:35 PM Phil Mayers <p.mayers@imperial.ac.uk> wrote:<br/>
<br/>
> On 17/01/12 11:55, vijay t wrote:<br/>
> > My LDAP server uses the SASL mechanism for authenticating uid/username<br/>
> > against userPassword. How can I integrate this LDAP server with the<br/>
> > FreeRADIUS server, and what configuration needs to be changed? On<br/>
> > debug, my RADIUS server shows the following error. Kindly suggest.<br/>
><br/>
> Read this:<br/>
><br/>
> http://deployingradius.com/documents/protocols/compatibility.html<br/>
><br/>
> And this:<br/>
><br/>
> http://deployingradius.com/documents/protocols/oracles.html<br/>
><br/>
> Short version: if you need to use "LDAP BIND", you can only support PAP<br/>
> authentication.<br/>
><br/>
> > [ldap] expand: %{User-Name} -> google<br/>
> > [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=google)<br/>
> > [ldap] expand: ou=Users,dc=cdac,dc=in -> ou=Users,dc=cdac,dc=in<br/>
> > [ldap] ldap_get_conn: Checking Id: 0<br/>
> > [ldap] ldap_get_conn: Got Id: 0<br/>
> > [ldap] performing search in ou=Users,dc=cdac,dc=in, with filter (uid=google)<br/>
> > request done: ld 0x748c7d0 msgid 9<br/>
> > [ldap] object not found<br/>
> > [ldap] search failed<br/>
><br/>
> Your first problem is that the LDAP Search has failed. Fix your LDAP<br/>
> search filter, or ensure the user exists.<br/>
> -<br/>
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<br/>
><br/>
> --<br/>
> This message has been scanned for viruses and<br/>
> dangerous content by MailScanner, and is<br/>
> believed to be clean.<br/>
>
</div>
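<p style="margin: 0px;">The debug output "2" above shows the actual failure: rlm_ldap has <code>password_attribute = userPassword</code> enabled, so it copies the directory value <code>{SASL}suresht</code> into a check item, and rlm_pap then compares the presented password <code>sbt</code> against that literal string and rejects. For a pass-through (SASL) user the directory never holds a comparable password; the only thing FreeRADIUS can do is bind to LDAP as the user with the password from the Access-Request. The following FreeRADIUS 2.x fragment is added here as an example of that change; it is not configuration from the thread or from the FreeRADIUS project's shipped files. The basedn and filter are taken from the debug output; the server hostname, the admin bind DN and its password are assumptions. The weak setting is shown commented out next to the corrected ones.</p>

```conf
# /usr/local/etc/raddb/modules/ldap   (FreeRADIUS 2.x layout, matching the paths in the debug output)
ldap {
        server   = "ldap.cdac.in"                  # ASSUMPTION: hostname not given in the thread
        identity = "cn=radius,dc=cdac,dc=in"       # ASSUMPTION: read-only service account for the search
        password = "change-me"                     # ASSUMPTION: placeholder
        basedn   = "ou=Users,dc=cdac,dc=in"

        # New-style conditional expansion.  The old form
        # %{Stripped-User-Name:-%{User-Name}} is what produced the
        # "Deprecated conditional expansion" warning in the debug output.
        filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        # WEAK (the setting behind debug output "2"): this copies userPassword
        # into a check item.  For a pass-through user the value is the literal
        # "{SASL}suresht", so rlm_pap compares "sbt" against it and rejects.
        # Leave it disabled.
        # password_attribute = userPassword

        # With no known-good password found in authorize, set Auth-Type = LDAP
        # so the request is authenticated by binding as the user.
        set_auth_type = yes

        ldap_connections_number = 5
        timeout     = 4
        timelimit   = 3
        net_timeout = 1
}

# /usr/local/etc/raddb/sites-enabled/default  (only the relevant sections)
authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
        ldap        # searches the user; sets Auth-Type = LDAP when no password attribute is found
        expiration
        logintime
        pap         # still handles users whose cleartext/hashed password is in the directory
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                ldap    # bind as the found DN with User-Password from the request
        }
}
```

<p style="margin: 0px;">Two consequences follow from the bind approach and are worth checking before rolling it out. First, the bind needs the user's plaintext password, so only PAP (or PAP carried inside an EAP-TTLS tunnel) can be served this way; CHAP and MS-CHAP cannot be answered from a SASL pass-through directory, which is the point of the compatibility page linked in the quoted reply. Second, a user such as 101821 whose plaintext password is stored directly in userPassword will now also be checked by an LDAP bind rather than a local comparison, which is the same result but no longer leaks the stored value into the debug log as the "Added User-Password = q in check items" line did.</p>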
</body>
</html>