LDAP problem - How to set attribute where the extracted user password will be stored to.
Hi, I use radius 2.0.0-beta When I make an LDAP search by radius it puts the extracted user password into the User-Password attribute. How to change this? I want to have it stored in the Cleartext-Password. I configured ldap module password_radius_attribute = "Cleartext-Password" but it didn't help. Thank You for any help regards tomasz
Tomasz Zieleniewski wrote:
I use radius 2.0.0-beta
Please upgrade to 2.0.1.
When I make an LDAP search by radius it puts the extracted user password into the User-Password attribute. How to change this?
Edit raddb/ldap.attrmap. Alan DeKok.
Greetings, In working to get my new radius server working I have run into a snag. I need to authenticate using a SQL database or system password file depending on where the request comes from, however the user may exist in both, with different passwords. How do I tell it to use the MySQL username/password pairs 'only' when it comes from a specific NAS? I have tried specifing the "Auth-Type := LOCAL" in my SQL reply tables, I have tried Autz-Type... I just don't seem to be able to get it working right. Debug output from last try is below. Currently I am not specifying a Auth-Type, but setting it to CHAP, PAP, or LOCAL doesn't work. Suggestions, pointers to documentation I may have missed, etc are gladly welcomed. ---begin DEBUG--- rad_recv: Access-Request packet from host 192.168.1.64 port 32780, id=20, length=59 User-Name = "azander" User-Password = "test321" NAS-IP-Address = 127.0.0.2 NAS-Port = 8 +- entering group authorize ++[preprocess] returns ok rlm_realm: No '@' in User-Name = "azander", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[chap] returns noop ++[mschap] returns noop ++[unix] returns updated WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: %{Stripped-User-Name:-%{User-Name}} -> azander ++[files] returns noop expand: %{Stripped-User-Name} -> expand: %{User-Name} -> azander expand: %{%{Stripped-User-Name}:-%{User-Name}} -> azander rlm_sql (sql): sql_set_user escaped user --> 'azander' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'azander' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'azander' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'azander' ORDER BY id rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'azander' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'azander' ORDER BY priority rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'azander' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'staff' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'staff' ORDER BY id rlm_sql (sql): User found in group staff expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'staff' ORDER BY id rlm_sql_mysql: query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'staff' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "test321" rlm_pap: Using CRYPT encryption. rlm_pap: Passwords don't match ++[pap] returns reject auth: Failed to validate the user. Login incorrect (rlm_pap: CRYPT password check failed): [azander/test321] (from client flyer port 8) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> azander attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds
Hi,
In working to get my new radius server working I have run into a snag. I need to authenticate using a SQL database or system password file depending on where the request comes from, however the user may exist in both, with different passwords. How do I tell it to use the MySQL username/password pairs 'only' when it comes from a specific NAS?
many many ways - you could use huntgroups and Autz-Type, you could use virtual servers and proxy the request - if NAS is this or that then use this server definition.
Suggestions, pointers to documentation I may have missed, etc are gladly welcomed.
looks like you've told the server to do a Crypt-Password - and it doesnt match. how ARE you storing the passwords in the SQL? alan
On Wednesday 23 January 2008 13:33:24 A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
In working to get my new radius server working I have run into a snag. I need to authenticate using a SQL database or system password file depending on where the request comes from, however the user may exist in both, with different passwords. How do I tell it to use the MySQL username/password pairs 'only' when it comes from a specific NAS?
many many ways - you could use huntgroups and Autz-Type, you could use virtual servers and proxy the request - if NAS is this or that then use this server definition.
Can you give me some examples, or documentation I could use to get this going. I tried Autz-Type but must have not understood it, or really messed ti up some how.
Suggestions, pointers to documentation I may have missed, etc are gladly welcomed.
looks like you've told the server to do a Crypt-Password - and it doesnt match. how ARE you storing the passwords in the SQL?
alan
Passwords in the SQL database are currently Cleartext-Password, due to some old NAS issues. Hopefully this round of updates will allow us to switch it to Crypt-Password, but as of this writing it isn't an option. Wm
Put devices that you want authenticated by the system passwords into a hungroup. Make an entry in a users file: DEFAULT Huntgroup-Name == whatever, Auth-Type := System When user logs in from one of those devices he will be forced into system authentication, all other requests will go the usual route - looking for passwords in the database. Ivan Kalik Kalik Informatika ISP Dana 23/1/2008, "William" <azander@netonecom.net> piše:
On Wednesday 23 January 2008 13:33:24 A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
In working to get my new radius server working I have run into a snag. I need to authenticate using a SQL database or system password file depending on where the request comes from, however the user may exist in both, with different passwords. How do I tell it to use the MySQL username/password pairs 'only' when it comes from a specific NAS?
many many ways - you could use huntgroups and Autz-Type, you could use virtual servers and proxy the request - if NAS is this or that then use this server definition.
Can you give me some examples, or documentation I could use to get this going. I tried Autz-Type but must have not understood it, or really messed ti up some how.
Suggestions, pointers to documentation I may have missed, etc are gladly welcomed.
looks like you've told the server to do a Crypt-Password - and it doesnt match. how ARE you storing the passwords in the SQL?
alan
Passwords in the SQL database are currently Cleartext-Password, due to some old NAS issues. Hopefully this round of updates will allow us to switch it to Crypt-Password, but as of this writing it isn't an option.
Wm - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
William wrote:
Greetings, In working to get my new radius server working I have run into a snag. I need to authenticate using a SQL database or system password file
To be clear: databases do not perform authentication. Being confused about the functionality and operation of the system means that it's more difficult to come up with a simple solution. FreeRADIUS obtains passwords from databases. So your goal now is to figure out how to query the *correct* database for the users password.
depending on where the request comes from, however the user may exist in both, with different passwords. How do I tell it to use the MySQL username/password pairs 'only' when it comes from a specific NAS?
Put the NASes into groups. See "man rlm_passwd" for ways to create different groups. Key off of NAS-IP-Address. Then, have a policy saying "NAS group A uses SQL", and "NAS group B uses /etc/passwd".
I have tried specifing the "Auth-Type := LOCAL" in my SQL reply tables,
Don't. Alan DeKok.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
tnt@kalik.co.yu -
Tomasz Zieleniewski -
William