Alan DeKok wrote:
password to the server. The server looks up the user in a database, and (perhaps) finds a SHA hashed password. The server then SHA hashes the password supplied by the client, and compares it to the SHA password from the database.
In that case, something is *really* wrong with my setup and I have no idea why. I can only authenticate if the password in OpenLDAP is cleartext, but never if it's hashed. debug output, radiud.conf (modules ldap section), sites-enable/default follows. ### debug ### rad_recv: Access-Request packet from host 127.0.0.1 port 62806, id=99, length=57 User-Name = "user1" User-Password = "abc123" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize ++[preprocess] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for user1 expand: (uid=%u) -> (uid=user1) expand: dc=---,dc=edu,dc=my -> dc=---,dc=edu,dc=my rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=---,dc=edu,dc=my/### to 127.0.0.1:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=---,dc=edu,dc=my, with filter (uid=user1) rlm_ldap: checking if remote access for user1 is allowed by radiusFilterId rlm_ldap: Added SHA1-Password = iEPX+SQWIR3p67lj/0zigSWTKHg= in check items rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg=" rlm_ldap: looking for reply items in directory... rlm_ldap: LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = "1 " rlm_ldap: user user1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Login incorrect: [user1/abc123] (from client localhost port 0) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> user1 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 99 to 127.0.0.1 port 62806 Finished request 0. ### radiusd.conf ### modules { pap { auto_header = yes } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { } $INCLUDE eap.conf mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes } ldap { server = "127.0.0.1" identity = "cn=Manager,dc=iiu,dc=edu,dc=my" password = alamak basedn = "dc=iiu,dc=edu,dc=my" base_filter = "(objectclass=radiusprofile)" access_attr = "radiusFilterId" authtype = ldap ldap_connections_number = 5 timeout = 20 timelimit = 15 net_timeout = 10 tls { } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = yes set_auth_type = yes auto_header = yes password_header = "{SHA}" password_attribute = userPassword } ### sites-enabled/default ### authorize { preprocess ldap chap mschap suffix eap #files } authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } eap } preacct { preprocess acct_unique suffix } accounting { detail unix radutmp attr_filter.accounting_response } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap }
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html