I think you should use mschapv2 with smbldap-tools for eg. Windows uses MSCHAPv2 present in SambaNTPassword at LDAP. On 05/12/13 21:38, "P K" <getpkme@gmail.com> wrote:
Hi,
I'm using openldap and phpldapadmin to create account. The interface allows me to store "clear" password. When I do an ldapsearch commandline, I get base64 password. I don't see an option in phpldapadmin to store "clear-text" type.
I've configured freeradius to use ldap and I'm using radtest to test but chap always fails. Is it failing because of base64? It seems to have decoded fine looking at the logs. Why is CHAP failing? Please help.
Here's my log.
radtest -t chap boris password01 localhost 0 testing123 Sending Access-Request of id 74 to 127.0.0.1 port 1812 User-Name = "boris" CHAP-Password = 0x4ab32d3fc82d3d59528ca82338d3ed40aa NAS-IP-Address = 127.0.1.1 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=74, length=20
Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 37517, id=74, length=58 User-Name = "boris" CHAP-Password = 0x4ab32d3fc82d3d59528ca82338d3ed40aa NAS-IP-Address = 127.0.1.1 NAS-Port = 0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20131205 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20131205 [auth_log] expand: %t -> Thu Dec 5 23:31:12 2013 ++[auth_log] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "boris", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] expand: %{NAS-IP-Address} -> 127.0.1.1 [files] expand: %{NAS-IP-Address} -> 127.0.1.1 [files] users: Matched entry DEFAULT at line 23 ++[files] returns ok [ldap] performing user authorization for boris [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> boris [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=boris) [ldap] expand: dc=example,dc=int -> dc=example,dc=int [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 127.0.0.1:389, authentication 0 [ldap] bind as cn=admin,dc=example,dc=int/P0intBlank to 127.0.0.1:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=example,dc=int, with filter (uid=boris) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "password01" [ldap] looking for reply items in directory... [ldap] user boris authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Failed to decode Password-With-Header = "password01" [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = CHAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group CHAP {...} [chap] login attempt by "boris" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> boris attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 74 to 127.0.0.1 port 37517 Waking up in 4.9 seconds. Cleaning up request 0 ID 74 with timestamp +22 Ready to process requests. ^C - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html