Problem with freeradius and LDAP: crypt and MD5 password
Hello! Sorry for my english. I'm working with freeradius FreeRADIUS Version 2.1.12 Sorry to ask again about this, I have been looking for the solution, but I can't resolve my problem. I have a LDAP server with users password in crypt for PDI and PAS and in MD5 for students. The password in LDAP for an user is only available when you do bind with that user. I can see here that you can get the authentication result from the bind result http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication+... ¿Is this function available in freeradius 2.1.12? Meanwhile I try to do bind whit my user (PAS - crypt password in userPassword attribute in LDAP) and authenticate whith a clear text password, but I can't auth... My config: # cat /etc/freeradius/sites-enabled/rinuex_email server rinuex_email { authorize { suffix files ldapemail pap } authenticate { Auth-Type PAP { pap } } post-auth { sql_log Post-Auth-Type REJECT { sql_log } } } # cat /etc/freeradius/modules-enabled/ldap ldap ldapemail { server = "ldap.unex.es" identity = "uid=aigallardo,ou=people,dc=unex,dc=es" password = "XXXX" basedn = "ou=people,dc=unex,dc=es" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" password_attribute = userPassword ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } # dictionary_mapping = ${confdir}/ldap.attrmap.email edir_account_policy_check = no set_auth_type = yes } My log: rad_recv: Access-Request packet from host 158.49.245.14 port 50406, id=16, length=62 User-Name = "aigallardo@unex.es" Vendor-Specific = 0x00000000020a3035303837372b2b NAS-IP-Address = 158.49.245.14 Fri Apr 10 11:37:38 2015 : Info: server rinuex_email { Fri Apr 10 11:37:38 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/rinuex_email Fri Apr 10 11:37:38 2015 : Info: +- entering group authorize {...} Fri Apr 10 11:37:38 2015 : Info: [suffix] Looking up realm "unex.es" for User-Name = "aigallardo@unex.es" Fri Apr 10 11:37:38 2015 : Info: [suffix] Found realm "unex.es" Fri Apr 10 11:37:38 2015 : Info: [suffix] Adding Stripped-User-Name = "aigallardo" Fri Apr 10 11:37:38 2015 : Info: [suffix] Adding Realm = "unex.es" Fri Apr 10 11:37:38 2015 : Info: [suffix] Authentication realm is LOCAL. Fri Apr 10 11:37:38 2015 : Info: ++[suffix] returns ok Fri Apr 10 11:37:38 2015 : Info: [files] users: Matched entry DEFAULT at line 42 Fri Apr 10 11:37:38 2015 : Info: ++[files] returns ok Fri Apr 10 11:37:38 2015 : Info: [ldapemail] performing user authorization for aigallardo Fri Apr 10 11:37:38 2015 : Info: [ldapemail] expand: %{Stripped-User-Name} -> aigallardo Fri Apr 10 11:37:38 2015 : Info: [ldapemail] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo) Fri Apr 10 11:37:38 2015 : Info: [ldapemail] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es Fri Apr 10 11:37:38 2015 : Debug: [ldapemail] ldap_get_conn: Checking Id: 0 Fri Apr 10 11:37:38 2015 : Debug: [ldapemail] ldap_get_conn: Got Id: 0 Fri Apr 10 11:37:38 2015 : Debug: [ldapemail] attempting LDAP reconnection Fri Apr 10 11:37:38 2015 : Debug: [ldapemail] (re)connect to ldap.unex.es:389, authentication 0 Fri Apr 10 11:37:38 2015 : Debug: [ldapemail] bind as uid=aigallardo,ou=people,dc=unex,dc=es/XXXX to ldap.unex.es:389 Fri Apr 10 11:37:38 2015 : Debug: [ldapemail] waiting for bind result ... Fri Apr 10 11:37:38 2015 : Debug: [ldapemail] Bind was successful Fri Apr 10 11:37:38 2015 : Debug: [ldapemail] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo) Fri Apr 10 11:37:38 2015 : Info: [ldapemail] Added User-Password = {crypt}XXXXXXXXXXXX in check items Fri Apr 10 11:37:38 2015 : Info: [ldapemail] No default NMAS login sequence Fri Apr 10 11:37:38 2015 : Info: [ldapemail] looking for check items in directory... Fri Apr 10 11:37:38 2015 : Info: [ldapemail] looking for reply items in directory... Fri Apr 10 11:37:38 2015 : Debug: [ldapemail] sn -> Nombre-Completo = "gallardo gomez" Fri Apr 10 11:37:38 2015 : Info: [ldapemail] user aigallardo authorized to use remote access Fri Apr 10 11:37:38 2015 : Debug: [ldapemail] ldap_release_conn: Release Id: 0 Fri Apr 10 11:37:38 2015 : Info: ++[ldapemail] returns ok Fri Apr 10 11:37:38 2015 : Info: [pap] No clear-text password in the request. Not performing PAP. Fri Apr 10 11:37:38 2015 : Info: ++[pap] returns noop Fri Apr 10 11:37:38 2015 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Fri Apr 10 11:37:38 2015 : Info: !!! Replacing User-Password in config items with Cleartext-Password. !!! Fri Apr 10 11:37:38 2015 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Fri Apr 10 11:37:38 2015 : Info: !!! Please update your configuration so that the "known good" !!! Fri Apr 10 11:37:38 2015 : Info: !!! clear text password is in Cleartext-Password, and not in User-Password. !!! Fri Apr 10 11:37:38 2015 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Fri Apr 10 11:37:38 2015 : Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local' Fri Apr 10 11:37:38 2015 : Info: WARNING: Use the PAP or CHAP modules instead. Fri Apr 10 11:37:38 2015 : Info: No User-Password or CHAP-Password attribute in the request. Fri Apr 10 11:37:38 2015 : Info: Cannot perform authentication. Fri Apr 10 11:37:38 2015 : Info: Failed to authenticate the user. Fri Apr 10 11:37:38 2015 : Info: } # server rinuex_email Fri Apr 10 11:37:38 2015 : Info: Using Post-Auth-Type Reject I would like to auth my users with clear-text passwords and with EAP (TTLS+PAP). What do you think that is the best option in my case? Thank you very much in advance. -- :::::::::::::::::::::::::::::::::::: :: Ana Gallardo Gómez :: ::::::::::::::::::::::::::::::::::::
On Apr 10, 2015, at 6:37 AM, Ana Gallardo Gómez <anaougu@gmail.com> wrote:
rad_recv: Access-Request packet from host 158.49.245.14 port 50406, id=16, length=62 User-Name = "aigallardo@unex.es" Vendor-Specific = 0x00000000020a3035303837372b2b NAS-IP-Address = 158.49.245.14
There's no User-Password in the packet. The server CANNOT use password authentication.
I would like to auth my users with clear-text passwords and with EAP (TTLS+PAP).
What do you think that is the best option in my case?
http://deployingradius.com/ I have a complete EAP guide. Follow it. It will work. Alan DeKok.
Alan, There's no User-Password in the packet. The server CANNOT use password
authentication.
I'm so sorry, I didn't realize it was missing this data... One more cuestion, in freeradius 2.1.12, can I get the authentication result from the bind result? <http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication+source> Thank you very much :D :::::::::::::::::::::::::::::::::::: :: Ana Gallardo Gómez :: ::::::::::::::::::::::::::::::::::::
One more cuestion, in freeradius 2.1.12, can I get the authentication result from the bind result?
What do you mean by 'can I get the authentication result'? If you can bind successfully to the LDAP directory with the username and password, then that's success. With FreeRADIUS 3.x, it's a *lot* simpler to use LDAP bind-as-user than with 2.1.12, and the article you referenced refers to FR 3.x. Look at your inner-tunnel file (in sites-enabled): - What have you got in the 'authorize' section? You should place something like this in it (after the pap entry): if (User-Password) { update control { Auth-Type := ldap Ldap-UserDN := "uid=%{User-Name},ou=people,dc=unex,dc=es" } } - What have you got in the 'authenticate' section? Do you have something called 'Auth-Type PAP' there? In that entry you have a single line: 'pap'. Comment it out, then put 'ldap' in its place. You should also have a set of commented-out entries like so: # Auth-Type LDAP { # ldap # } Remove the comment from the line that says 'ldap'. Then, in the eap.conf file, look for the first 'default_eap_type' line. It may be set to 'md5'. Set that to 'ttls'. That sets the default type of EAP to TTLS. Then scroll down to find a line that starts with 'ttls {' (should be around line 500). There's another 'default_eap_type' there. That is probably also set to 'md5'. You can set that to 'gtc', which gives you EAP-GTC, which in turn gives you PAP. Now, to test this, try the following on the FreeRADIUS server itself (while it is running in debug mode, i.e. 'radiusd -X'): radtest -t pap aigallardo your_password 127.0.0.1:18120 1 testing123 You *should* see it bind correctly... If it binds correctly, then use eapol_test (see http://deployingradius.com/scripts/eapol_test/) to test the full end-to-end system. If it does not bind correctly, post the *full* debug output so we can have a look. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
¡Hello! sorry for responding so late. Now I have my freeradius server with v3 and I can authenticate: - binding as administrative user and getting the password to freeradius - the result of the auth is teh result of the bind Thank you very much :D :::::::::::::::::::::::::::::::::::: :: Ana Gallardo Gómez :: ::::::::::::::::::::::::::::::::::::
participants (3)
-
Alan DeKok -
Ana Gallardo Gómez -
Stefan Paetow