Am 17.12.2013 17:06, schrieb Arran Cudbard-Bell:
On 17 Dec 2013, at 14:38, Olivier Beytrison <olivier@heliosnet.org> wrote:
On 17.12.2013 13:38, Hubert Kupper wrote:
Am 17.12.2013 12:22, schrieb Arran Cudbard-Bell: rlm_ldap (ldap): Reserved connection (0) (1) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=foo)' (1) ldap : expand: "o=org" -> 'o=org' (1) ldap : Performing search in 'o=org' with filter '(cn=foo)' (1) ldap : Waiting for search result... (1) ldap : User object found at DN "cn=foo,ou=test,o=org" (1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other (e.g., implementation specific) error rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): Opening additional connection (1) rlm_ldap (ldap): Connecting to 192.168.1.35:389 389 ???? you're not using ldaps ? IIRC Novell doesn't allow the NMAS Password retrieval over a non secure channel
Try using a ldaps connection ! Or enable start TLS.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team Bingo. You are right. When I use ldaps the ldap bind was successful now. With FR 2.x on OpenSuse 12.3 ldap and ldaps work both. By the way now I get the following error:
server inner-tunnel { (9) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) [chap] = noop (9) [mschap] = noop (9) suffix : No '@' in User-Name = "dumm", looking up realm NULL (9) suffix : Found realm "NULL" (9) suffix : Adding Stripped-User-Name = "dumm" (9) suffix : Adding Realm = "NULL" (9) suffix : Authentication realm is LOCAL (9) [suffix] = ok (9) update control { (9) Proxy-To-Realm := 'LOCAL' (9) } # update control = noop (9) eap : EAP packet type response id 11 length 63 (9) eap : No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) [files] = noop rlm_ldap (ldap): Reserved connection (2) (9) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(cn=dumm)' (9) ldap : expand: "o=org" -> 'o=org' (9) ldap : Performing search in 'o=org' with filter '(cn=dumm)' (9) ldap : Waiting for search result... (9) ldap : User object found at DN "cn=Dumm,ou=test1,ou=test,o=org" (9) ldap : Added eDirectory password in check items as Cleartext-Password = pwddummy (9) ldap : Binding as user for eDirectory authorization checks (9) ldap : Waiting for bind result... (9) ldap : Bind successful (9) ldap : Bind as user "cn=Dumm,ou=test1,ou=test,o=org" was successful rlm_ldap (ldap): Released connection (2) (9) [ldap] = ok (9) [expiration] = noop (9) [logintime] = noop (9) WARNING: pap : Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = EAP (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap : Expiring EAP session with state 0xa4e4c03ea4efda08 (9) eap : Finished EAP session with state 0xa4e4c03ea4efda08 (9) eap : Previous EAP request found for state 0xa4e4c03ea4efda08, released from the list (9) eap : Peer sent MSCHAPv2 (26) (9) eap : EAP MSCHAPv2 (26) (9) eap : Calling eap_mschapv2 to process EAP data (9) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2 : Auth-Type MS-CHAP { (9) mschap : Creating challenge hash with username: dumm (9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password (9) mschap : FAILED: MS-CHAP2-Response is incorrect (9) [mschap] = reject (9) } # Auth-Type MS-CHAP = reject (9) eap : Freeing handler (9) [eap] = reject (9) } # authenticate = reject (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (9) Post-Auth-Type REJECT { (9) ldap : expand: "." -> '.' (9) ldap : expand: "Authenticated at %S" -> 'Authenticated at 2013-12-18 09:16:37' rlm_ldap (ldap): Reserved connection (2) (9) ldap : Using user DN from request "cn=Dumm,ou=test1,ou=test,o=org" (9) ldap : Waiting for bind result... (9) ldap : Bind successful (9) ldap : Modifying object with DN "cn=Dumm,ou=test1,ou=test,o=org" (9) ldap : Waiting for modify result... rlm_ldap (ldap): Released connection (2) (9) [ldap] = reject (9) } # Post-Auth-Type REJECT = reject } # server inner-tunnel (9) eap_peap : Got tunneled reply code 3 MS-CHAP-Error = '\013E=691 R=1' EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap : Got tunneled reply RADIUS code 3 MS-CHAP-Error = '\013E=691 R=1' EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_peap : Tunneled authentication was rejected (9) eap_peap : FAILURE (9) eap : New EAP session, adding 'State' attribute to reply 0x4c9dbfee4591a60a (9) [eap] = handled (9) } # authenticate = handled Sending Access-Challenge of id 121 from 139.14.1.56 port 1812 to 139.14.200.6 port 32770 EAP-Message = 0x010c002b1900170301002042ce42556a179e73d4a55cd52bbf954cb5b0bce96996e4442f472d1e5257185a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4c9dbfee4591a60a5d313de2c42289f5 (9) Finished request 9. (10) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed Hubert