I changed Cleartext-Password in ldap.attrmap to User-Password and now: rlm_ldap: LDAP userPassword mapped to RADIUS User-Password and checked with password_header = "{clear}" and without it. b --- On Tue, 2/23/10, Fajar A. Nugraha <fajar@fajar.net> wrote: From: Fajar A. Nugraha <fajar@fajar.net> Subject: Re: rlm-ldap error for chap To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Tuesday, February 23, 2010, 6:47 AM On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric <eric121233@yahoo.com> wrote:
Hi I
want to change authentication pap to chap. The users with clear passwords are in ldap server. but the is error with clear password in rlm-ldap
rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
is the cleartext password there?
ldap ldap-Vpn{ .... password_attribute = userPassword password_header = "{clear}"
}
does the cleartext password have a header? -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Excuse me my reply was incomplete and sent with error. I changed Cleartext-Password in ldap.attrmap to User-Password and now: rlm_ldap: LDAP userPassword mapped to RADIUS User-Password and checked with password_header = "{clear}" and without it. but error is the same as before. --- On Tue, 2/23/10, Eric Eric <eric121233@yahoo.com> wrote: From: Eric Eric <eric121233@yahoo.com> Subject: rlm-ldap error for chap To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Tuesday, February 23, 2010, 10:31 AM I changed Cleartext-Password in ldap.attrmap to User-Password and now: rlm_ldap: LDAP userPassword mapped to RADIUS User-Password and checked with password_header = "{clear}" and without it. b --- On Tue, 2/23/10, Fajar A. Nugraha <fajar@fajar.net> wrote: From: Fajar A. Nugraha <fajar@fajar.net> Subject: Re: rlm-ldap error for chap To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Tuesday, February 23, 2010, 6:47 AM On Tue, Feb 23, 2010 at 1:32 PM, Eric Eric <eric121233@yahoo.com> wrote:
Hi I
want to change authentication pap to chap. The users with clear passwords are in ldap server. but the is error with clear password in rlm-ldap
rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password
is the cleartext password there?
ldap ldap-Vpn{ .... password_attribute = userPassword password_header = "{clear}"
}
does the cleartext password have a header? -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -----Inline Attachment Follows----- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 02/23/2010 05:31 AM, Eric Eric wrote:
I changed Cleartext-Password in ldap.attrmap to User-Password
Don't do that, that's got nothing to do with finding the user's password in your directory. It's the password_attribute in your ldap config which controls how to find the users password in your directory. But first you must find the user in your directory, which is controlled by the basedn and filter ldap config items. What are they set to and what does ldapsearch return when you pass ldapsearch the same basedn and filter? -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Excuse me for replicated emails. I'm using old version of freeradius 1.1.3! When I tried to upgrade I had a problem and it is still in old version. this is the result of search in ldap server: dn: uid=test ,ou=example,... uid: test givenName: test objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: eduperson objectClass: radiusobjectprofile objectClass: radiusprofile sn: test cn: test test userPassword: 123456 vpnProfileDn:... ... --- On Tue, 2/23/10, John Dennis <jdennis@redhat.com> wrote: From: John Dennis <jdennis@redhat.com> Subject: Re: rlm-ldap error for chap To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Cc: "Eric Eric" <eric121233@yahoo.com> Date: Tuesday, February 23, 2010, 3:46 PM On 02/23/2010 05:31 AM, Eric Eric wrote:
I changed Cleartext-Password in ldap.attrmap to User-Password
Don't do that, that's got nothing to do with finding the user's password in your directory. It's the password_attribute in your ldap config which controls how to find the users password in your directory. But first you must find the user in your directory, which is controlled by the basedn and filter ldap config items. What are they set to and what does ldapsearch return when you pass ldapsearch the same basedn and filter? -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
I owe you an apology, I said not to edit /etc/raddb/ldap.attrmap, but you do. I always forget that the clear text password mapping is not in ldap.attrmap by default, I assume that because of the inherent security risks. By forcing you to add it you'll be forcefully aware of what you've done. Here's the issue, you don't want unprivileged user's from reading someones password from the directory. It's vital you protect the clear text password with some type of access control in your ldap server. How you do that depends on the particular ldap server you're using. You might consider using precomputed hashes such as LT and NT. That would mitigate the exposure of a clear text password, but hashes should be protected as well by access control. Now to make matters a touch bit more complicated FreeRADIUS changed how it accessed the clear text password in its set of attributes. In older versions of FreeRADIUS it was known as User-Password, but that produced an unfortunate ambiguity and it was later modified to be Cleartext-Password, I'm sorry but I don't remember the version this was modified in. For old versions of FreeRADIUS you'll need this in ldap.attrmap checkItem User-Password userPassword For modern versions of FreeRADIUS you'll need this in ldap.attrmap checkItem Cleartext-Password userPassword If you're still having problems then please follow-up with the full contents of your config file (not snippets) and the output of radiusd -X. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Hi,
Now to make matters a touch bit more complicated FreeRADIUS changed how it accessed the clear text password in its set of attributes. In older versions of FreeRADIUS it was known as User-Password, but that produced an unfortunate ambiguity and it was later modified to be Cleartext-Password, I'm sorry but I don't remember the version this was modified in.
version 1.1.4 brought this into play. alan
participants (3)
-
Alan Buxey -
Eric Eric -
John Dennis