On Jun 10, 2015, at 12:15 PM, Alan Egerton <eggyal@gmail.com> wrote:
On Wed, Jun 10, 2015 at 1:49 PM, Alan DeKok <aland@deployingradius.com> wrote:
I suggest trying to install 3.0.8. We've put more messages into the module which *should* help track down exactly what's going wrong.
Okay, to attempt with 3.0.8 I did the following:
1. Downloaded and extracted ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.8.tar.gz
2. Reversed the logic on line 363 of src/modules/rlm_opendirectory/rlm_opendirectory.c: rad_getgid() is defined in lines 1419 to 1437 of src/main/util.c, and clearly returns 0 on success rather than error—this file appears to assume the reverse, and was leading to erroneous claims that the SACL did not exist.
I've pushed a fix for that.
3. ./configure --with-experimental-modules
4. Added "#define WITH_OPEN_DIRECTORY 1" to src/modules/rlm_mschap/config.h (there doesn't appear to be a configure option for it).
I've pushed a fix for that.
But I now see the following error:
(8) eap_mschapv2: Auth-Type MS-CHAP { (8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password (8) mschap: No NT-Password configured. Trying OpenDirectory Authentication (8) mschap: OD username_string = testuser, OD shortUserName=testuser (length = 8) rlm_mschap: authentication failed -14091
I've pushed a slight fix for that. It now prints a bit better name for the error.
(8) [mschap] = reject (8) } # Auth-Type MS-CHAP = reject
I don't know whether this is the same problem as that which I was previously experiencing under v2.2.0 (the error code is obviously different), but in any event this error is no more meaningful to me than before... so I'm just as stuck!
From looking around the net... the error seems to be that the passwords are not stored in clear-text. So OpenDirectory can't do MS-CHAP authentication. Honestly, the best approach is to use OpenDirectory as an LDAP server. Ignore the OpenDirectory API. Just let FreeRADIUS grab the password from LDAP, and then use that to authenticate. Alan DeKok.