Now I'm testing FR3.0 with LDAP. PEAP and NT-Password in a LDAP database works now well, but I have a problem with EAP-TTLS. In FR2.2 after authorizing a user in the authorize section of inner-tunnel, Auth-Type=LDAP is set and then authentication goes to the LDAP module. In FR3.0 the Auth-Type=LDAP isn't set in the rlm_ldap module, the authorize section ends with Auth-Type=PAP, so authentication goes to the PAP module. I can't find a place in the FR3.0 source, where Auth-Type=LDAP is set - in a few comments it is mentioned that such a setting happens automatically. Am I missing something? Maja -- Maja Gorecka-Wolniewiczmgw@umk.pl Uczelniane Centrum Information & Communication Informatyczne Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574
Maja Wolniewicz wrote:
In FR3.0 the Auth-Type=LDAP isn't set in the rlm_ldap module, the authorize section ends with Auth-Type=PAP, so authentication goes to the PAP module.
That's what's supposed to happen when you use LDAP as a database.
I can't find a place in the FR3.0 source, where Auth-Type=LDAP is set - in a few comments it is mentioned that such a setting happens automatically. Am I missing something?
Nope. You're supposed to let LDAP be a database, and FreeRADIUS be an authentication server. Alan DeKok.
Hi,
Nope. You're supposed to let LDAP be a database, and FreeRADIUS be an authentication server.
so, in previous release, in authorize, the 'ldap' call would set the authentication method to LDAP..... in the new release I see the warning/text above the "Auth-Type LDAP" line... theres a conditional -ldap in authorize - which, if ldap module is correctly configured would still set authentication type? I assume that the CORRECT and really OLY way that you should be doing things now is use ldap in authorize to pull out the password entry and then the Auth-Type PAP part of authenicate kicks in and uses it....is that correct (because I cant see the PAP in authenticate kicking off a 'grab from LDAP' exercise... this means that the old 'check user in authorize' then 'check password in authenticate' model has been altered... alan
A.L.M.Buxey@lboro.ac.uk wrote:
so, in previous release, in authorize, the 'ldap' call would set the authentication method to LDAP.....
*Sometimes*. If you configured the module to do that. For 2.x, it didn't always set "Auth-Type = LDAP"
in the new release I see the warning/text above the "Auth-Type LDAP" line... theres a conditional -ldap in authorize - which, if ldap module is correctly configured would still set authentication type?
No. It's in the "authorize" section. It will do LDAP authorization. Like grabbing the userPassword entry from LDAP.
I assume that the CORRECT and really OLY way that you should be doing things now is use ldap in authorize to pull out the password entry
Yes.
and then the Auth-Type PAP
Done by the PAP module.
part of authenicate kicks in and uses it....is that correct (because I cant see the PAP in authenticate kicking off a 'grab from LDAP' exercise... this means that the old 'check user in authorize' then 'check password in authenticate' model has been altered...
Yes. It's been altered for 4-5 years now. However, people don't tend to update their configurations. And third-party "howto's" don't get updated, either. Alan DeKok.
W dniu 12.08.2013 21:36, Alan DeKok pisze:
Maja Wolniewicz wrote:
In FR3.0 the Auth-Type=LDAP isn't set in the rlm_ldap module, the authorize section ends with Auth-Type=PAP, so authentication goes to the PAP module. That's what's supposed to happen when you use LDAP as a database. Is there a way to decide which attribute is used in the PAP module? I have in the ldap module config update { control:NT-Password := 'ntPassword' control:Password-With-Header := 'userPassword' } and the PAP module uses NT encryption. when I remove control:NT-Password line then CRYPT password is used I would like the PAP module to use userPassword, I need ntPassword in the ldap module for PEAP authentication.
Maja
I can't find a place in the FR3.0 source, where Auth-Type=LDAP is set - in a few comments it is mentioned that such a setting happens automatically. Am I missing something? Nope. You're supposed to let LDAP be a database, and FreeRADIUS be an authentication server.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Maja Gorecka-Wolniewicz mgw@umk.pl Uczelniane Centrum Information & Communication Informatyczne Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574
On 12 Aug 2013, at 21:47, Maja Wolniewicz <mgw@umk.pl> wrote:
W dniu 12.08.2013 21:36, Alan DeKok pisze:
Maja Wolniewicz wrote:
In FR3.0 the Auth-Type=LDAP isn't set in the rlm_ldap module, the authorize section ends with Auth-Type=PAP, so authentication goes to the PAP module. That's what's supposed to happen when you use LDAP as a database. Is there a way to decide which attribute is used in the PAP module? I have in the ldap module config update { control:NT-Password := 'ntPassword' control:Password-With-Header := 'userPassword' } and the PAP module uses NT encryption. when I remove control:NT-Password line then CRYPT password is used I would like the PAP module to use userPassword, I need ntPassword in the ldap module for PEAP authentication.
Why? and no. Shouldn't they both be in sync? Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Dnia 12 sie 2013 o godz. 22:57 Arran Cudbard-Bell <a.cudbardb@freeradius.org> napisał(a):
On 12 Aug 2013, at 21:47, Maja Wolniewicz <mgw@umk.pl> wrote:
W dniu 12.08.2013 21:36, Alan DeKok pisze:
Maja Wolniewicz wrote:
In FR3.0 the Auth-Type=LDAP isn't set in the rlm_ldap module, the authorize section ends with Auth-Type=PAP, so authentication goes to the PAP module. That's what's supposed to happen when you use LDAP as a database. Is there a way to decide which attribute is used in the PAP module? I have in the ldap module config update { control:NT-Password := 'ntPassword' control:Password-With-Header := 'userPassword' } and the PAP module uses NT encryption. when I remove control:NT-Password line then CRYPT password is used I would like the PAP module to use userPassword, I need ntPassword in the ldap module for PEAP authentication.
Why? and no. Shouldn't they both be in sync?
In production yes, but for testing purposes sometimes we are using different passwords. Maja
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
On 12 Aug 2013, at 22:28, Maja Wolniewicz <mgw@umk.pl> wrote:
Dnia 12 sie 2013 o godz. 22:57 Arran Cudbard-Bell <a.cudbardb@freeradius.org> napisał(a):
On 12 Aug 2013, at 21:47, Maja Wolniewicz <mgw@umk.pl> wrote:
W dniu 12.08.2013 21:36, Alan DeKok pisze:
Maja Wolniewicz wrote:
In FR3.0 the Auth-Type=LDAP isn't set in the rlm_ldap module, the authorize section ends with Auth-Type=PAP, so authentication goes to the PAP module. That's what's supposed to happen when you use LDAP as a database. Is there a way to decide which attribute is used in the PAP module? I have in the ldap module config update { control:NT-Password := 'ntPassword' control:Password-With-Header := 'userPassword' } and the PAP module uses NT encryption. when I remove control:NT-Password line then CRYPT password is used I would like the PAP module to use userPassword, I need ntPassword in the ldap module for PEAP authentication.
Why? and no. Shouldn't they both be in sync?
In production yes, but for testing purposes sometimes we are using different passwords.
Remove the one you don't want when you've figure out auth type. update control { NT-Password !* ANY }
W dniu 12.08.2013 21:36, Alan DeKok pisze:
Maja Wolniewicz wrote:
In FR3.0 the Auth-Type=LDAP isn't set in the rlm_ldap module, the authorize section ends with Auth-Type=PAP, so authentication goes to the PAP module. That's what's supposed to happen when you use LDAP as a database.
I can't find a place in the FR3.0 source, where Auth-Type=LDAP is set - in a few comments it is mentioned that such a setting happens automatically. Am I missing something? Nope. You're supposed to let LDAP be a database, and FreeRADIUS be an authentication server. That solution works well but the really drawback is that userPassword attributes have to be readable by a user. Our freeradius server uses a few of LDAP databases (depending on the realm) and not all of them are under our control. These without our control offer only the EAP-TTLS authentication so there is no need to read a password attribute, only binding is allowed. I doubt we could convince administrators of these databases to open access to the userPassword attribute.
Maja
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Maja Gorecka-Wolniewicz mgw@umk.pl Uczelniane Centrum Information & Communication Informatyczne Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574
W dniu 13.08.2013 10:41, A.L.M.Buxey@lboro.ac.uk pisze:
Hi,
Our freeradius server uses a few of LDAP databases (depending on the realm) and not all of them are under our control. use different ldap modules for different realms?
if (%{realm} == "specialone\.pl") { ldap-specialone }
etc ? but there is no way to use the LDAP database in FR3.0 without enabling read access to a password attribute.
Maja
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Maja Gorecka-Wolniewicz mgw@umk.pl Uczelniane Centrum Information & Communication Informatyczne Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574
On 13 Aug 2013, at 09:48, Maja Wolniewicz <mgw@umk.pl> wrote:
W dniu 13.08.2013 10:41, A.L.M.Buxey@lboro.ac.uk pisze:
Hi,
Our freeradius server uses a few of LDAP databases (depending on the realm) and not all of them are under our control. use different ldap modules for different realms?
if (%{realm} == "specialone\.pl") { ldap-specialone }
etc ? but there is no way to use the LDAP database in FR3.0 without enabling read access to a password attribute.
Of course there is. The authenticate method of the ldap module does bind as user. The success of the bind is an indication of whether authentication succeeded. You need a cleartext copy of the password from the user though. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
W dniu 13.08.2013 10:50, Arran Cudbard-Bell pisze:
On 13 Aug 2013, at 09:48, Maja Wolniewicz <mgw@umk.pl> wrote:
W dniu 13.08.2013 10:41, A.L.M.Buxey@lboro.ac.uk pisze:
Hi,
Our freeradius server uses a few of LDAP databases (depending on the realm) and not all of them are under our control. use different ldap modules for different realms?
if (%{realm} == "specialone\.pl") { ldap-specialone }
etc ? but there is no way to use the LDAP database in FR3.0 without enabling read access to a password attribute. Of course there is. The authenticate method of the ldap module does bind as user. The success of the bind is an indication of whether authentication succeeded. You need a cleartext copy of the password from the user though. Thanks Arran, it works as I expected when I set Auth-Type := LDAP in the authorize section.
Maja
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Maja Gorecka-Wolniewicz mgw@umk.pl Uczelniane Centrum Information & Communication Informatyczne Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574
I have the next problem with the rlm_ldap module in FR3.0. The server doesn't start, when it can't connect to a LDAP server defined in the ldap module. It should start and set up the connection when a LDAP server will be available (as it was in FR2.x). Maja -- Maja Gorecka-Wolniewicz mgw@umk.pl Uczelniane Centrum Information & Communication Informatyczne Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574
Maja Wolniewicz wrote:
I have the next problem with the rlm_ldap module in FR3.0. The server doesn't start, when it can't connect to a LDAP server defined in the ldap module. It should start and set up the connection when a LDAP server will be available (as it was in FR2.x).
To get the same behavior as 2.x, set "start = 0" in the pool. Alan DeKok.
Hi,
In FR3.0 the Auth-Type=LDAP isn't set in the rlm_ldap module, the authorize section ends with Auth-Type=PAP, so authentication goes to the PAP module.
I think there was another case about this recently on the mailing list. (cant recall the resolution or if its still pending...) alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Maja Wolniewicz