are there any characters not allowed in a password used with LDAP "bind as user"?
Hi, For a couple of years I've been successfully using FreeRADIUS to authenticate some users against Active Directory using cleartext passwords, a Perl script to do some department checking, and a simple LDAP "bind as user". I've now got at least one user who fails authentication, and I'm wondering if the problem is a backslash in their password. The password is... w[)xg=\7k2 I can use the same username and password to successfully LDAP bind to AD using a tool like ldapsearch from my Linux based RADIUS server, but using RADIUS itself fails. If it helps here's the -X debug trace: Wed Oct 20 15:36:19 2010 : Debug: Ready to process requests. rad_recv: Access-Request packet from host 172.16.80.3 port 20002, id=9, length=135 User-Name = "bill" Calling-Station-Id = "00-24-D7-40-8C-8C" Called-Station-Id = "00-0B-0E-DE-AB-80" NAS-Port = 52340 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 172.16.80.3 User-Password = "w[)xg=\\7k2" Wed Oct 20 15:39:10 2010 : Info: +- entering group authorize {...} Wed Oct 20 15:39:10 2010 : Info: ++[preprocess] returns ok Wed Oct 20 15:39:10 2010 : Info: [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.16.80.3/auth-detail-20101020 Wed Oct 20 15:39:10 2010 : Info: [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.16.80.3/auth-detail-20101020 Wed Oct 20 15:39:10 2010 : Info: [auth_log] expand: %t -> Wed Oct 20 15:39:10 2010 Wed Oct 20 15:39:10 2010 : Info: ++[auth_log] returns ok Wed Oct 20 15:39:10 2010 : Info: [ldap] performing user authorization for bill Wed Oct 20 15:39:10 2010 : Info: [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details Wed Oct 20 15:39:10 2010 : Info: [ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=bill) Wed Oct 20 15:39:10 2010 : Info: [ldap] expand: dc=fed,dc=foo,dc=ac,dc=uk -> dc=fed,dc=foo,dc=ac,dc=uk Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: attempting LDAP reconnection Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: (re)connect to logonserv.fed.foo.ac.uk:389, authentication 0 Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: bind as / to logonserv.fed.foo.ac.uk:389 Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: waiting for bind result ... Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: Bind was successful Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: performing search in dc=fed,dc=foo,dc=ac,dc=uk, with filter (sAMAccountName=bill) Wed Oct 20 15:39:10 2010 : Info: [ldap] looking for check items in directory... Wed Oct 20 15:39:10 2010 : Info: [ldap] looking for reply items in directory... Wed Oct 20 15:39:10 2010 : Debug: WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? Wed Oct 20 15:39:10 2010 : Info: [ldap] Setting Auth-Type = LDAP Wed Oct 20 15:39:10 2010 : Info: [ldap] user bill authorized to use remote access Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Wed Oct 20 15:39:10 2010 : Info: ++[ldap] returns ok Wed Oct 20 15:39:10 2010 : Info: ++[expiration] returns noop Wed Oct 20 15:39:10 2010 : Info: ++[logintime] returns noop Wed Oct 20 15:39:10 2010 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Wed Oct 20 15:39:10 2010 : Info: ++[pap] returns noop Wed Oct 20 15:39:10 2010 : Info: ++? if (control:Auth-Type == LDAP) Wed Oct 20 15:39:10 2010 : Info: ? Evaluating (control:Auth-Type == LDAP) -> TRUE Wed Oct 20 15:39:10 2010 : Info: ++? if (control:Auth-Type == LDAP) -> TRUE Wed Oct 20 15:39:10 2010 : Info: ++- entering if (control:Auth-Type == LDAP) {...} Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Called-Station-Id = 00-0B-0E-DE-AB-80 Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Calling-Station-Id = 00-24-D7-40-8C-8C Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair User-Name = bill Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-Identifier = Trapeze Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair User-Password = w[)xg=\\7k2 Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-Port = 52340 Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-IP-Address = 172.16.80.3 Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Auth-Type = LDAP Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Ldap-UserDn = CN=bill,OU=Facility Users,OU=FBU,DC=fed,DC=foo,DC=ac,DC=uk Wed Oct 20 15:39:10 2010 : Info: +++[perl] returns noop Wed Oct 20 15:39:10 2010 : Info: ++- if (control:Auth-Type == LDAP) returns noop Wed Oct 20 15:39:10 2010 : Info: Found Auth-Type = LDAP Wed Oct 20 15:39:10 2010 : Info: +- entering group LDAP {...} Wed Oct 20 15:39:10 2010 : Info: [ldap] login attempt by "bill" with password "w[)xg=\\7k2" Wed Oct 20 15:39:10 2010 : Info: [ldap] user DN: CN=bill,OU=Facility Users,OU=FBU,DC=fed,DC=foo,DC=ac,DC=uk Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: (re)connect to logonserv.fed.foo.ac.uk:389, authentication 1 Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: bind as CN=bill,OU=Facility Users,OU=FBU,DC=fed,DC=foo,DC=ac,DC=uk/w[)xg=\\7k2 to logonserv.fed.foo.ac.uk:389 Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: waiting for bind result ... Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: Bind failed with invalid credentials Wed Oct 20 15:39:10 2010 : Info: ++[ldap] returns reject Wed Oct 20 15:39:10 2010 : Info: Failed to authenticate the user. Wed Oct 20 15:39:10 2010 : Auth: Login incorrect (rlm_ldap: Bind as user failed): [bill] (from client wireless-2 port 52340 cli 00-24-D7-40-8C-8C) Wed Oct 20 15:39:10 2010 : Info: Using Post-Auth-Type Reject I don't know whether the problem lies with me (for allowing a backslash in the password in the first place) the NAS for appearing to 'escape' the backslash (with a backslash) or the way I've configured FreeRADIUS. Can anyone give me any pointers? Thanks in advance of any advice, Cheers, Mark. -- Scanned by iCritical.
On 10/21/2010 08:52 PM, mark.leese@stfc.ac.uk wrote:
I don't know whether the problem lies with me (for allowing a backslash in the password in the first place) the NAS for appearing to 'escape' the backslash (with a backslash)
rlm_ldap accesses the raw string value of the request->password AVP, so it shouldn't be anything inside FreeRadius. What is the NAS?
On 10/21/2010 10:27 PM, Phil Mayers wrote:
On 10/21/2010 08:52 PM, mark.leese@stfc.ac.uk wrote:
I don't know whether the problem lies with me (for allowing a backslash in the password in the first place) the NAS for appearing to 'escape' the backslash (with a backslash)
rlm_ldap accesses the raw string value of the request->password AVP, so it shouldn't be anything inside FreeRadius.
What is the NAS?
Hmm. I've just tried this locally and I don't seem to get the same results as you; I see the backslash doubled in the initial FreeRadius dump (as expected - FreeRadius writes the debug output as you would write config files): rad_recv: Access-Request packet from host 127.0.0.1 port 53973, id=123, length=44 User-Name = "pjm3" User-Password = "foo\\bar" ...and I then see: [ldap] login attempt by "pjm3" with password "foo\bar" [ldap] user DN: CN=pjm3,... [ldap] (re)connect to icads1.ic.ac.uk:389, authentication 1 [ldap] bind as CN=pjm3,.../foo\bar to icads1.ic.ac.uk:389 [ldap] waiting for bind result ... ...note the backslash just appears singly here; the rlm_ldap debugging output code writes the raw value out. You however have two backslashes by this point, so it must be your rlm_perl module. Can you prevent the perl module touching the User-Password attribute, and see if that helps?
-----Original Message----- From: freeradius-users- bounces+mark.leese=stfc.ac.uk@lists.freeradius.org [mailto:freeradius- users-bounces+mark.leese=stfc.ac.uk@lists.freeradius.org] On Behalf Of Phil Mayers Sent: 21 October 2010 22:44 To: freeradius-users@lists.freeradius.org Subject: Re: are there any characters not allowed in a password used withLDAP "bind as user"?
On 10/21/2010 10:27 PM, Phil Mayers wrote:
On 10/21/2010 08:52 PM, mark.leese@stfc.ac.uk wrote:
I don't know whether the problem lies with me (for allowing a
backslash
in the password in the first place) the NAS for appearing to 'escape' the backslash (with a backslash)
rlm_ldap accesses the raw string value of the request->password AVP, so it shouldn't be anything inside FreeRadius.
What is the NAS?
Hmm. I've just tried this locally and I don't seem to get the same results as you; I see the backslash doubled in the initial FreeRadius dump (as expected - FreeRadius writes the debug output as you would write config files):
rad_recv: Access-Request packet from host 127.0.0.1 port 53973, id=123, length=44 User-Name = "pjm3" User-Password = "foo\\bar"
...and I then see:
[ldap] login attempt by "pjm3" with password "foo\bar" [ldap] user DN: CN=pjm3,... [ldap] (re)connect to icads1.ic.ac.uk:389, authentication 1 [ldap] bind as CN=pjm3,.../foo\bar to icads1.ic.ac.uk:389 [ldap] waiting for bind result ...
...note the backslash just appears singly here; the rlm_ldap debugging output code writes the raw value out. You however have two backslashes by this point, so it must be your rlm_perl module. Can you prevent the perl module touching the User-Password attribute, and see if that helps? -
Hi Phil, The NAS is Trapeze wireless kit. The username and password come from an SSL encrypted captive portal web page. I'm running freeradius-2.1.3-1 on Linux. It's really interesting that you get different debug output to me. The Perl script doesn't do anything with the User-Password attribute, and I've updated it so that it doesn't even take the hash of Access-Request RADIUS attributes - the top of the Perl script now reads... use vars qw(%RAD_REPLY %RAD_CHECK); ...i.e. %RAD_REQUEST isn't included. Unfortunately, I still get the same debug output, with two backslashes appearing in all references to the password. Is there a way to test this with radtest or radclient, and I could try on a development box without even using the Perl script? Unfortunately, whatever option I've tried with radtest and radclient so far has resulted in two backslashes appearing in the password or none. For example, none of these produce the required result... radtest bill 'w[)xg=\k2' 127.0.0.1 10 s£cret radtest bill 'w[)xg=\\k2' 127.0.0.1 10 s£cret radtest bill "w[)xg=\k2" 127.0.0.1 10 s£cret radtest bill "w[)xg=\\k2" 127.0.0.1 10 s£cret radtest bill w\[\)xg=\\k2 127.0.0.1 10 s£cret etc. Cheers, Mark. -- Scanned by iCritical.
participants (2)
-
mark.leese@stfc.ac.uk -
Phil Mayers