Phil Mayers wrote:
Christophe Gravier wrote:
My password are not stored in LDAP in clear text but hashed using SHA algorythm, so this won't work ;-(
Ok, let's take a breath. First things first:
If your passwords are in SHA (which they are) your Radius server will ONLY be able to answer PAP requests.
The very first log you sent in this thread indicates you have ChilliSpot set to use CHAP:
rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password". modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user.
'''"Cannot use "CHAP-Password"''' - indicates the request (from ChilliSpot) came in with CHAP credentials.
First, fix that. See here:
http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html
Next, since you have SHA passwords and can only answer PAP, you have two choices:
1. Extract the SHA password and add it to the config items, then configure the Radius servers PAP module to check it:
modules { pap { encryption_scheme = sha1 } ldap { # settings go here } }
authorize { preprocess ldap } authenticate { Auth-Type PAP { pap } }
HOWEVER - this may not work. The "SHA" that your LDAP server uses may be slightly different (salting, keying) than the SHA FreeRadius uses.
Much more likely to trip you up though, is when "ldap" matches in authorize, it will set Auth-Type = LDAP, so you either need to disable that or otherwise "make it work" and there are about 6 different ways of doing that. The most obvious would be to replace the above with:
modules { as before } authorize { as before } authenticate { Auth-Type LDAP { pap } }
I want to make "set Auth-Type = LDAP" working by making this Auth-Type use the pap configuration. (correct me If I'm wrong). I followed what you advises: - configure chilli uamsecret and uampassword) - put pap configuration in module section - check ldap configration in module - put ldap in authorize - put Auth-Type LDAP { pap } in authentificate. Now things got through pap indeed, but I'm told: rlm_pap: No password (or empty password) to check against for for user gravier.christophe I think I totally misunderstand your sentence: "Extract the SHA password and add it to the config items". I thought it means to add the mapping "checkItem User-Password userPassword" in ldap.attrmap (where userPassword is my attribute for SHA password). As it didn't work I used the "password_attribute" conf entry in ldap configuration (module section), but as I expected it has the same consequence. Could you please, be more precise about the extraction of SHA password ? Is there an additional conf entry for pap in module section ? Here is the complete trace: rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0 rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe) rlm_ldap: checking if remote access for gravier.christophe is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user gravier.christophe authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "gravier.christophe", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 users: Matched entry DEFAULT at line 158 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_pap: login attempt by "gravier.christophe" with password < here the trace prints my password in plain text, normal ? > rlm_pap: No password (or empty password) to check against for for user gravier.christophe modcall[authenticate]: module "pap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0
But it might not work. Alternatively and probably simpler (but less formally correct) is the 2nd method:
2. Configure the LDAP module to find the user, set Auth-Type==LDAP then authenticate the user via simple bind:
authorize { preprocess ldap } authenticate { Auth-Type LDAP { ldap } }
...and assuming the "ldap" modules is setup correctly, what will happen is:
A. authorize called 1. preprocess called 2. suffix realm called - no-op probably 3. files called - no-op probably but DO NOT SET Auth-Type 4. ldap called - search succeeds, and "Ldap-UserDN" is set, and "Auth-Type" set to "LDAP"
B. authenticate called 1. Auth-Type == LDAP, so "ldap" called and simple bind performed
And it WILL WORK. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Christophe Gravier Laboratoire DIOM, groupe SATIn - Doctorant ISTASE - Ingénieur d'études Perso: http://perso.univ-st-etienne.fr/gravchri/ SATIn: http://www.istase.com/satin Tel : 04 7748 5034 A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html