On Tue, Dec 30, 2014 at 5:00 PM, Alan DeKok <aland@deployingradius.com> wrote:

> Full output of freeradius -X after command
>
>   [local] performing search in dc=ourcorp,dc=net, with filter (uid=abx)
> [local] checking if remote access for abx is allowed by dialupAccess
> [local] Added User-Password = 1D*************************************9B in check items

  And… that’s the issue.  You’ve configured it to get the User-Password from LDAP.


Yes, but how to prevent it? I have nothing about User-Password in freeradius configs:


=================================================================
/etc/freeradius# grep -R User-Password *
attrs.pre-proxy:#    User-Password =* ANY,
attrs.pre-proxy:    #User-Password =* ANY,
eap.conf:        #  User-Password, or the NT-Password attributes.
eap.conf:        #  the User-Password.
eap.conf:            #  is put into a User-Password attribute,
eap.conf:            #  the module will look for a User-Password
experimental.conf:    #  packets containing a User-Password attribute.
modules/ntlm_auth:    program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
modules/smsotp:#  The module does not check the User-Password, this should be done with
modules/detail:    # Certain attributes such as User-Password may be
modules/detail:        # User-Password
modules/sql_log:     ('%{User-Name}', '%{User-Password:-Chap-Password}',         \
modules/detail.log:        User-Password
modules/detail.log:        # User-Password
modules/pap:#  In this case, the module will look inside of the User-Password
modules/ldap:#  Access-Request packet contains a clear-text User-Password
modules/ldap:    #  By default, if the packet contains a User-Password,
root@ukv69:/etc/freeradius#
===================================================================

Everything is commented, exclude ntlm_auth and detail.log, I believe both are not what I have to change.


ldap.attrmap:

===================================================================

checkItem    $GENERIC$            radiusCheckItem
replyItem    $GENERIC$            radiusReplyItem

checkItem    Auth-Type            radiusAuthType
checkItem    Simultaneous-Use        radiusSimultaneousUse
checkItem    Called-Station-Id        radiusCalledStationId
checkItem    Calling-Station-Id        radiusCallingStationId
checkItem    LM-Password            lmPassword
checkItem    NT-Password            ntPassword
checkItem    LM-Password            sambaLmPassword
checkItem    NT-Password            sambaNtPassword
checkItem    LM-Password            dBCSPwd
checkitem    Password-With-Header        userPassword
checkItem    SMB-Account-CTRL-TEXT        acctFlags
checkItem    Expiration            radiusExpiration
checkItem    NAS-IP-Address            radiusNASIpAddress

====================================================================



> [local] No default NMAS login sequence
> [local] looking for check items in directory...
>   [local] sambaNtPassword -> NT-Password == 0x31***********************************************************************42

  That means it’s not using the NT-Password.

> Found Auth-Type = PAP
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!! Please update your configuration so that the "known good"               !!!
> !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  It helps to READ these messages and fix the problem.  If you had done that, it would have worked.

I've tried, but there is nothing about User-Password in configs, so I can not replace it with Cleartext-Password.