lists.freeradius.org
Sign In Sign Up
Manage this list Sign In Sign Up

Keyboard Shortcuts

Thread View

  • j: Next unread message
  • k: Previous unread message
  • j a: Jump to all threads
  • j l: Jump to MailingList overview
thread

Re:

wessam seleem

27 Sep 2009 27 Sep '09
8:34 a.m.

Dear Thor and Ivan, Thanks for your support. I would like to notice that I have the same configuration in a server that has freeradius-1.1.7-1 installed and it is working fine. I want to upgrade. That is why I am testing freeradius-2.1.6-2. I want to ask is there is any difference between 1.1.7-1 and 2.1.6-2 configuration files that I should put it in my consideration? Thor, I don't have the same output in the debug mode. I have what you can see below: ++[ldap] returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "password" [pap] Using clear text password "$5@Hfgusllj%$#kasjs" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> username attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Dear Ivan and Thor, As you can see the problem that I am sending a clear text password and the radius doesn't convert it to encrypted one. I want my radius to take a clear text password and encrypt it then compare it with the encrypted one in my ldap. Please let me know if I should clarify more or if you need more info. Thanks again for your support. Regards, On Thu, Sep 24, 2009 at 3:05 PM, Thor Spruyt <thor.spruyt@telenet.be> wrote:

...

Hi,

I tried to get this working also and I found that if you let the ldap module *not* check the password_header, then the password incl. the header is put in the User-Password attribute. If you then use auto_header = yes for the pap module, it should figure out automatically to do crypt... unless the uppercase CRYPT is causing issues...

Here's some sample debug output to check your setup: [ldap] Password header not found in password {crypt}XXXXXXXXXXX for user test [ldap] Added User-Password = {crypt}XXXXXXXXXXX in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap] returns ok ++- group returns ok ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "xxxx" [pap] Using CRYPT encryption. [pap] User authenticated successfully ++[pap] returns ok

Regards, Thor.

...

----- Oorspronkelijk bericht ----- Van : wessam seleem [mailto:wessam.seleem@gmail.com] Verzonden : donderdag , september 24, 2009 02:16 PM Aan : tnt@kalik.net, 'FreeRadius users mailing list' Onderwerp : Re: "known good" error

Thanks Ivan for your reply. Here is the ldap configuration section:

ldap { server = "x.x.x.x" identity = "cn=username" password = password basedn = "ou=email,o=data,c=eg" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" password_header = "{CRYPT}" ldap_connections_number = 100 timeout = 15 timelimit = 10 net_timeout = 5

tls { start_tls = no }

profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" dictionary_mapping = ${confdir}/ldap.attrmap password_attribute = radiususerPassword }

and here is the debug message

++[ldap] returns ok Found Auth-Type = PAP

...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!!

...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!

...

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "123456" [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> username attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0

Thanks for your support. Wessam

On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik <tnt@kalik.net> wrote:

...
...

I decided to install free radius 2.1.6-2 to test it and then to upgrade my existing versions in my servers. I configured my free radius to use ldap. When I tried to authenticate from the new radius it gave me the following message "from radius -X".

Replacing User-Password in config items with Cleartext-Password. !!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

...
...

!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!

Note that when I wrote the password encrypted "like *%@&ksjd%@sdgsadgjhsb" I was able to login but when I wrote the password in clear text "like test" I failed to login.

Password in ldap probably has a header. You can ignore the message then, because server will convert User-Password to appropriate password attribute on it's own (Crypt-Password for {crypt}, SHA-Password for {sha} etc.) if auto-header is enabled. Post the whole debug.

Ivan Kalik Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attachments:

  • attachment.html (text/html — 8.0 KB)
0 0
Reply
Sign in to reply online Use email software

Back to the thread

Back to the list

HyperKitty Powered by HyperKitty version 1.3.12.