Hi all, I've research & googling about LDAP and CHAP :D, but until now still don't work ... here the debug, and btw i'm using freeradius-1.1.7_2 : rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30, length=48 User-Name = "testing" CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f ------------cut--------------. rlm_ldap: Bind was successful rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing) rlm_ldap: checking if remote access for testing is allowed by dialupAccess rlm_ldap: Password header not found in password Testing1 for user testing -----------cut--------------- * as you can see the radius module rlm_ldap can "see" the password for user testing, here the next one rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user testing authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_chap: Setting 'Auth-Type := CHAP' modcall[authorize]: module "chap" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '/' in User-Name = "testing", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "IPASS" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type CHAP auth: type "CHAP" Processing the authenticate section of radiusd.conf modcall: entering group CHAP for request 0 rlm_chap: login attempt by "testing" with CHAP password rlm_chap: Could not find clear text password for user testing modcall[authenticate]: module "chap" returns invalid for request 0 modcall: leaving group CHAP (returns invalid) for request 0 auth: Failed to validate the user. ----------------cut------------- *this is classic problem, but until now there wasn't any straight answer for this one based on the faq on http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3..., it is possible for using chap with ldap backend, also there is clue where parameter like password_header = "{clear}" password_attribute = userPassword password_radius_attribute = "User-Password" must be set.... but how? i'm still trying to read the code ( like rlm_chap.c ) to see what attribut does rlm_chap read for the password that was passed by the module ldap. but it is so arcane and "debuging code twice hard as writing the code at first place" anyone has solution for this matter? -- DISCLAIMER: The contents of this email and attachments are confidential and may be subject to legal privilege. Any unauthorized use, copying, disclosure or communicating any part of it to others is strictly prohibited and may be unlawful. If you are not the intended recipient you must not use, copy, distribute or rely on this email and should please return it immediately to the sender or notify us and delete the email and any attachments from your system. We cannot accept liability for loss or damage resulting from computer viruses. The integrity of email across the Internet cannot be guaranteed and PT BANK NISP, Tbk. will not accept liability for any claims arising as a result of the use of this medium for transmissions by or to PT BANK NISP, Tbk.
Ryan Setiawan H wrote:
I've research & googling about LDAP and CHAP :D, but until now still don't work ... here the debug, and btw i'm using freeradius-1.1.7_2 :
If the LDAP server gives FreeRADIUS the clear-text password, then CHAP should work.
rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30, length=48 User-Name = "testing" CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f ------------cut--------------. rlm_ldap: Bind was successful rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing) rlm_ldap: checking if remote access for testing is allowed by dialupAccess rlm_ldap: Password header not found in password Testing1 for user testing
And does CHAP work for this user?
-----------cut--------------- * as you can see the radius module rlm_ldap can "see" the password for user testing, here the next one
Next one... what? Next request? Next user?
based on the faq on http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3...,
it is possible for using chap with ldap backend,
Yes. It is also likely that it's much easier on 2.0.5.
also there is clue where parameter like password_header = "{clear}" password_attribute = userPassword password_radius_attribute = "User-Password" must be set.... but how?
in the "ldap" section of radiusd.conf, where the LDAP parameters are configured.
i'm still trying to read the code ( like rlm_chap.c ) to see what attribut does rlm_chap read for the password that was passed by the module ldap. but it is so arcane and "debuging code twice hard as writing the code at first place"
Don't read the code. It won't help you.
anyone has solution for this matter?
Try installing 2.0.5 in a separate directory and configuring it. Odds are it will work. Alan DeKok.
participants (2)
-
Alan DeKok -
Ryan Setiawan H