On Jan 27, 2016, at 5:13 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Jan 27, 2016, at 5:08 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Jan 27, 2016, at 4:36 PM, Will W. <will@damagesinc.net> wrote:
Question With Start_TLS yes this is enabling the Freeradius to connect to the LDAP server over a TLS tunnel correct?
Yes, the connection starts off as plaintext, then the ldap client requests to establish a TLS tunnel.
Map looks OK. You need to run ldapsearch with this invocation to see if the userPassword is being returned:
ldapsearch -H ldap://ldap.myhost.com:389 —ZZ x -b "ou=Users,dc=myhost,dc=com" -D "uid=demouser,ou=Users,dc=myhost,dc=com" -w testing123 "(objectClass=posixGroup)" userPassword
Here are the headers and what they map to:
/* * For auto-header discovery. * * @note Header comparison is case insensitive. */ static const FR_NAME_NUMBER header_names[] = { { "{clear}", PW_CLEARTEXT_PASSWORD }, { "{cleartext}", PW_CLEARTEXT_PASSWORD }, { "{md5}", PW_MD5_PASSWORD }, { "{base64_md5}", PW_MD5_PASSWORD }, { "{smd5}", PW_SMD5_PASSWORD }, { "{crypt}", PW_CRYPT_PASSWORD }, #ifdef HAVE_OPENSSL_EVP_H /* * It'd make more sense for the headers to be * ssha2-* with SHA3 coming soon but we're at * the mercy of directory implementors. */ { "{sha2}", PW_SHA2_PASSWORD }, { "{sha224}", PW_SHA2_PASSWORD }, { "{sha256}", PW_SHA2_PASSWORD }, { "{sha384}", PW_SHA2_PASSWORD }, { "{sha512}", PW_SHA2_PASSWORD }, { "{ssha224}", PW_SSHA2_224_PASSWORD }, { "{ssha256}", PW_SSHA2_256_PASSWORD }, { "{ssha384}", PW_SSHA2_384_PASSWORD }, { "{ssha512}", PW_SSHA2_512_PASSWORD }, #endif { "{sha}", PW_SHA_PASSWORD }, { "{ssha}", PW_SSHA_PASSWORD }, { "{md4}", PW_NT_PASSWORD }, { "{nt}", PW_NT_PASSWORD }, { "{nthash}", PW_NT_PASSWORD }, { "{x-nthash}", PW_NT_PASSWORD }, { "{ns-mta-md5}", PW_NS_MTA_MD5_PASSWORD }, { "{x- orcllmv}", PW_LM_PASSWORD }, { "{X- orclntv}", PW_NT_PASSWORD }, { NULL, 0 } };
You need to call the pap module in authorize after the LDAP module in order to strip the header and perform the conversion.
It also does a bunch of normalisation. It could be you have the modules in the wrong order, pap then ldap when you need ldap then pap.
Finally, you probably want ssha512 not sha512. It'll be more complex to implement, but in reality sha512 will likely give you less protection than ssha. It's fairly trivial to generate rainbow tables, the bigger hash size just means you need more disk space :) Get sha512 working first though, and worry about the salting later. -Arran