rlm_ldap: Attribute "User-Password" is required for authentication
Hi all, Currently I need to use ldap to authenticate my users and I keep encountering the same problem "rlm_ldap: Attribute "User-Password" is required for authentication". I have tried adding "checkItem User-Password userPassword" into ldap.attrmap but it still doesn't work. Anyone have any ideas how I can enable radius to authenticate thru ldap? rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. cheers, melvin
"melvin" <melvin.wong@muvee.com> wrote:
Currently I need to use ldap to authenticate my users and I keep encountering the same problem "rlm_ldap: Attribute "User-Password" is required for authentication".
Read the rest of the debug log. You have told the LDAP module to perform authentication.
I have tried adding "checkItem User-Password userPassword" into ldap.attrmap but it still doesn't work.
Because the LDAP module is trying to use the password in the RADIUS packet to log into the LDAP server. Don't set "Auth-Type = LDAP" Alan DeKok.
Hi, Sorry as I am not an expert in radius but if I do not set "Auth-Type = LDAP" how do I ensure that the authentication goes thru ldap. All the users have their passwords stored in ldap and therefore I hope to utilise the ldap to do the authentication. Is there a solution for this? Does anyone have a detailed guide in setting up radius with ldap and peap? Appreciate if someone could help me. Tks. cheers, melvin ----- Original Message ----- From: "Alan DeKok" <aland@ox.org> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Thursday, July 14, 2005 1:06 AM Subject: Re: rlm_ldap: Attribute "User-Password" is required forauthentication
"melvin" <melvin.wong@muvee.com> wrote:
Currently I need to use ldap to authenticate my users and I keep encountering the same problem "rlm_ldap: Attribute "User-Password" is required for authentication".
Read the rest of the debug log. You have told the LDAP module to perform authentication.
I have tried adding "checkItem User-Password userPassword" into ldap.attrmap but it still doesn't work.
Because the LDAP module is trying to use the password in the RADIUS packet to log into the LDAP server.
Don't set "Auth-Type = LDAP"
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"melvin" <melvin.wong@muvee.com> wrote:
Sorry as I am not an expert in radius but if I do not set "Auth-Type = LDAP" how do I ensure that the authentication goes thru ldap.
LDAP is an authentication server? That's news to me.
All the users have their passwords stored in ldap and therefore I hope to utilise the ldap to do the authentication.
LDAP is a database. Let FreeRADIUS read the passwords from LDAP, and have FreeRADIUS do the authentication. FreeRADIUS is an authentication server. LDAP is not. Alan DeKok.
"melvin" <melvin.wong@muvee.com> wrote:
Sorry as I am not an expert in radius but if I do not set "Auth-Type = LDAP" how do I ensure that the authentication goes thru ldap.
LDAP is an authentication server? That's news to me.
All the users have their passwords stored in ldap and therefore I hope to utilise the ldap to do the authentication.
LDAP is a database. Let FreeRADIUS read the passwords from LDAP, and have FreeRADIUS do the authentication.
FreeRADIUS is an authentication server. LDAP is not.
Hi Alan, Melvin, LDAP does provide some authentication -- through the 'BIND' statement. Incidentally, this is how the FreeRadius rlm_ldap module chooses to authenticate against an LDAP entry... it attempts to 'bind' to it, passing the username and password to LDAP. I have successfully integrated FreeRadius & LDAP -- I can get you my config entries if you would like. It worked with OpenLDAP practically out-of-the-box. -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
"Kris Benson" <kbenson@sd57.bc.ca> wrote:
Hi Alan, Melvin,
LDAP does provide some authentication -- through the 'BIND' statement.
Yes, I know that. But it's a hack, and it only works if the request contains a User-Password. Since many requests don't contain a User-Password, people who configure LDAP for authentication get confused when LDAP "authentication" fails for MSCHAP. The solution is to NOT use LDAP as an authentication server. Alan DeKok.
Hi Kris, Thanks for your reply. I will be very grateful if you could post your config entries to me. Many tks. cheers, melvin ----- Original Message ----- From: "Kris Benson" <kbenson@sd57.bc.ca> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Friday, July 22, 2005 11:24 PM Subject: Re: rlm_ldap: Attribute "User-Password" is required forauthentication
"melvin" <melvin.wong@muvee.com> wrote:
Sorry as I am not an expert in radius but if I do not set "Auth-Type = LDAP" how do I ensure that the authentication goes thru ldap.
LDAP is an authentication server? That's news to me.
All the users have their passwords stored in ldap and therefore I hope to utilise the ldap to do the authentication.
LDAP is a database. Let FreeRADIUS read the passwords from LDAP, and have FreeRADIUS do the authentication.
FreeRADIUS is an authentication server. LDAP is not.
Hi Alan, Melvin,
LDAP does provide some authentication -- through the 'BIND' statement. Incidentally, this is how the FreeRadius rlm_ldap module chooses to authenticate against an LDAP entry... it attempts to 'bind' to it, passing the username and password to LDAP.
I have successfully integrated FreeRadius & LDAP -- I can get you my config entries if you would like. It worked with OpenLDAP practically out-of-the-box.
-kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
melvin wrote:
LDAP does provide some authentication -- through the 'BIND' statement. Incidentally, this is how the FreeRadius rlm_ldap module chooses to authenticate against an LDAP entry... it attempts to 'bind' to it, passing the username and password to LDAP.
I have successfully integrated FreeRadius & LDAP -- I can get you my config entries if you would like. It worked with OpenLDAP practically out-of-the-box.
I have a write-up on FreeRADIUS and LDAP. It should apply to most configurations http://vuksan.com/linux/dot1x/802-1x-LDAP.html
Hi Vladimir, I've followed your write-up on FreeRADIUS and LDAP and configured my Windows clients to use TTLS+PAP but I still get the same error as below: rad_recv: Access-Request packet from host 192.168.84.11:2048, id=0, length=125 User-Name = "melvin" NAS-IP-Address = 192.168.84.11 Called-Station-Id = "000f66005feb" Calling-Station-Id = "0012f075e7b3" NAS-Identifier = "000f66005feb" NAS-Port = 33 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000b016d656c76696e Message-Authenticator = 0x1cbf370b745f6863e6478bfed57edd74 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "melvin", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user. Any ideas where I might go wrong? cheers, melvin ----- Original Message ----- From: "Vladimir Vuksan" <vlists@veus.hr> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, July 26, 2005 10:33 PM Subject: Re: rlm_ldap: Attribute "User-Password" isrequired forauthentication
melvin wrote:
LDAP does provide some authentication -- through the 'BIND' statement. Incidentally, this is how the FreeRadius rlm_ldap module chooses to authenticate against an LDAP entry... it attempts to 'bind' to it, passing the username and password to LDAP.
I have successfully integrated FreeRadius & LDAP -- I can get you my config entries if you would like. It worked with OpenLDAP practically out-of-the-box.
I have a write-up on FreeRADIUS and LDAP. It should apply to most configurations
http://vuksan.com/linux/dot1x/802-1x-LDAP.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
melvin wrote:
rad_recv: Access-Request packet from host 192.168.84.11:2048, id=0, length=125 User-Name = "melvin" NAS-IP-Address = 192.168.84.11 Called-Station-Id = "000f66005feb" Calling-Station-Id = "0012f075e7b3" NAS-Identifier = "000f66005feb" NAS-Port = 33 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000b016d656c76696e Message-Authenticator = 0x1cbf370b745f6863e6478bfed57edd74 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "melvin", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user.
Any ideas where I might go wrong?
You are setting the default Auth-Type to LDAP which is screwing things up. Try removing that entry out the users file.
Hi Vladimir, Tks for your help, I've managed to setup the ldap with freeradius. One last question is that is it possible to have freeradius authenticate thru ldap and also the users file. The reason is because I need to create a guest account for guests to login our wireless network. But the guest may not allow me to install SecureW2 on their notebook, so I am hoping I can setup a common password for guest inside users file. Or is there an easier way to accomplish this? Appreciate if you can help me again. Thank you. cheers, melvin ----- Original Message ----- From: "melvin" <melvin.wong@muvee.com> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Wednesday, July 27, 2005 6:35 PM Subject: Re: rlm_ldap: Attribute "User-Password" isrequired forauthentication
Hi Vladimir,
I've followed your write-up on FreeRADIUS and LDAP and configured my Windows clients to use TTLS+PAP but I still get the same error as below:
rad_recv: Access-Request packet from host 192.168.84.11:2048, id=0, length=125 User-Name = "melvin" NAS-IP-Address = 192.168.84.11 Called-Station-Id = "000f66005feb" Calling-Station-Id = "0012f075e7b3" NAS-Identifier = "000f66005feb" NAS-Port = 33 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000b016d656c76696e Message-Authenticator = 0x1cbf370b745f6863e6478bfed57edd74 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "melvin", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 0 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 0 modcall: group Auth-Type returns invalid for request 0 auth: Failed to validate the user.
Any ideas where I might go wrong?
cheers, melvin
----- Original Message ----- From: "Vladimir Vuksan" <vlists@veus.hr> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, July 26, 2005 10:33 PM Subject: Re: rlm_ldap: Attribute "User-Password" isrequired forauthentication
melvin wrote:
LDAP does provide some authentication -- through the 'BIND' statement. Incidentally, this is how the FreeRadius rlm_ldap module chooses to authenticate against an LDAP entry... it attempts to 'bind' to it, passing the username and password to LDAP.
I have successfully integrated FreeRadius & LDAP -- I can get you my config entries if you would like. It worked with OpenLDAP practically out-of-the-box.
I have a write-up on FreeRADIUS and LDAP. It should apply to most configurations
http://vuksan.com/linux/dot1x/802-1x-LDAP.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius users mailing list <freeradius-users@lists.freeradius.org> on August 9, 2005 at 02:53 -0800 wrote:
Hi Vladimir,
Tks for your help, I've managed to setup the ldap with freeradius. One last question is that is it possible to have freeradius authenticate thru ldap and also the users file. The reason is because I need to create a guest account for guests to login our wireless network. But the guest may not allow me to install SecureW2 on their notebook, so I am hoping I can setup a common password for guest inside users file. Or is there an easier way to accomplish this? Appreciate if you can help me again. Thank you.
You've hit the nail on the head. Your users file will just need an entry for the guest user... they may need to install SecureW2 anyways, if you're using TTLS as the EAP method... though PEAP should work as long as the password you put in the users file is plaintext. -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
"melvin" <melvin.wong@muvee.com> on July 24, 2005 at 02:47 -0800 wrote:
Hi Kris, Thanks for your reply. I will be very grateful if you could post your config entries to me. Many tks.
Hi Melvin, Please see attached. I have included the certs, passwords, etc. as they are currently "testing only" ones -- and may help you get things going. The user passwords are one of two: "whatever" or "testing123" depending on whether we needed to use a different one somewhere during our testing. :-) Let me know if you have any other questions. Cheers, -kb -- Kris Benson, CCP, I.S.P. Technical Analyst, District Projects School District #57 (Prince George)
participants (4)
-
Alan DeKok -
Kris Benson -
melvin -
Vladimir Vuksan