FreeRADIUS 3.0.x and user authentification against Novell eDirectory without Universal Password
Hi, I am upgrading FreeRADIUS server from 2.2.5 (Debian 8) to 3.0.17 (Centos 8). I use LDAP user authentication against Novell eDirectory, where authentication works in two steps: 1. anonymous searching user in LDAP, 2. binding to LDAP as user with cleartext password, if it is successfull, the authentication&authorization is successfull. It is done by configuration option "edir_account_policy_check=yes" In new FreeRADIUS I have to use options "edir=yes" & "edir_autz=yes", but Universal Password is required before the step 2. and it fails: Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: Performing search in "o=xxx" with filter "(uid=xxx)", scope "sub" Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: Waiting for search result... Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: User object found at DN "cn=xxx,ou=xxx,o=xxx" Mon Apr 6 15:03:15 2020 : ERROR: (0) ldap: Failed to retrieve eDirectory password: (-1631) BER manipulation failed I need to disable Universal Password. In my opinion something as "edir=no" & "edir_autz=yes" can solve it, but it doesn't work. You can see in source file rlm_ldap.c that "edir=no" option disables all eDirectory code block. Or any advice? Thank you very much Martin Kozelsky
On Apr 7, 2020, at 5:56 AM, Martin Kozelský <martin.kozelsky@post.cz> wrote:
I am upgrading FreeRADIUS server from 2.2.5 (Debian 8) to 3.0.17 (Centos 8). I use LDAP user authentication against Novell eDirectory, where authentication works in two steps:
1. anonymous searching user in LDAP, 2. binding to LDAP as user with cleartext password, if it is successfull, the authentication&authorization is successfull.
That shouldn't need any magic eDirectory things. Just treat it as a normal LDAP bind. The eDirectory magic is to allow eDirectory to send the clear-text password to FreeRADIUS, for things like MS-CHAP.
It is done by configuration option "edir_account_policy_check=yes"
In new FreeRADIUS I have to use options "edir=yes" & "edir_autz=yes", but Universal Password is required before the step 2. and it fails:
Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: Performing search in "o=xxx" with filter "(uid=xxx)", scope "sub" Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: Waiting for search result... Mon Apr 6 15:03:15 2020 : Debug: (0) ldap: User object found at DN "cn=xxx,ou=xxx,o=xxx" Mon Apr 6 15:03:15 2020 : ERROR: (0) ldap: Failed to retrieve eDirectory password: (-1631) BER manipulation failed
So you're nod doing an anonymous search, and you're not doing bind as user. Yes, it will fail.
I need to disable Universal Password. In my opinion something as "edir=no" & "edir_autz=yes" can solve it, but it doesn't work. You can see in source file rlm_ldap.c that "edir=no" option disables all eDirectory code block.
Or any advice?
Configure anonymous search. Configure bind as user. Run the "ldap" module in the "authenticate" section. Delete all eDirectory magic from the configuration. Alan DeKok/
Or any advice?
Configure anonymous search. Configure bind as user. Run the "ldap" module in the "authenticate" section.
Delete all eDirectory magic from the configuration.
Alan DeKok/
It works! Configured: 1. in file sites-enabled/default & inner-tunnel: a) section authorize {} # # The ldap module reads passwords from the LDAP database. ldap if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } b) section authenticate {} # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. # # We do NOT recommend using this. LDAP servers are databases. # They are NOT authentication servers. FreeRADIUS is an # authentication server, and knows what to do with authentication. # LDAP servers do not. # Auth-Type LDAP { ldap } 2. in file mods-enabled/ldap (it is default): # Set to yes if you have eDirectory and want to use the universal # password mechanism. edir = no # Set to yes if you want to bind as the user after retrieving the # Cleartext-Password. This will consume the login grace, and # verify user authorization. edir_autz = no It is all. Thank you Martin Kozelsky
participants (2)
-
Alan DeKok -
Martin Kozelský