On Apr 7, 2020, at 5:56 AM, Martin Kozelský <martin.kozelsky@post.cz> wrote:
I am upgrading FreeRADIUS server from 2.2.5 (Debian 8) to 3.0.17 (Centos 8). I use LDAP user authentication against Novell eDirectory, where authentication works in two steps:
1. anonymous searching user in LDAP, 2. binding to LDAP as user with cleartext password, if it is successfull, the authentication&authorization is successfull.
That shouldn't need any magic eDirectory things. Just treat it as a normal LDAP bind. The eDirectory magic is to allow eDirectory to send the clear-text password to FreeRADIUS, for things like MS-CHAP.
It is done by configuration option "edir_account_policy_check=yes"
In new FreeRADIUS I have to use options "edir=yes" & "edir_autz=yes", but Universal Password is required before the step 2. and it fails:
Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: Performing search in "o=xxx" with filter "(uid=xxx)", scope "sub" Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: Waiting for search result... Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: User object found at DN "cn=xxx,ou=xxx,o=xxx" Mon Apr 6 15:03:15 2020 : ERROR: (0) ldap: Failed to retrieve eDirectory password: (-1631) BER manipulation failed
So you're nod doing an anonymous search, and you're not doing bind as user. Yes, it will fail.
I need to disable Universal Password. In my opinion something as "edir=no" & "edir_autz=yes" can solve it, but it doesn't work. You can see in source file rlm_ldap.c that "edir=no" option disables all eDirectory code block.
Or any advice?
Configure anonymous search. Configure bind as user. Run the "ldap" module in the "authenticate" section. Delete all eDirectory magic from the configuration. Alan DeKok/