LDAP backend and Password Encryption
Hello, Relatively new to both freeradius and ldap here. I'm using the Centos Directory Server, which defaults to SSHA encryption on the userPassword attribute. I'm using freeradius to authenticate unix logins (via pam_radius_auth), VPN (cisco asa) logins, and router/switch vty logins. freeradius verifies existence of the user in various ldap groups, and based upon that logic, either proxies off to a cryptocard server for one-time-password authentication, or authenticates directly against the userPassword attribute value. It would seem that freeradius does not authenticate against SSHA. I did try a few other encryption policies (crypt, md5) and set the password_header value appropriately. This is with version 2.0.5. Any help would be greatly appreciated! Regards, Phil
Phillip Heller wrote:
I'm using the Centos Directory Server, which defaults to SSHA encryption on the userPassword attribute.
That should work.
It would seem that freeradius does not authenticate against SSHA. I did try a few other encryption policies (crypt, md5) and set the password_header value appropriately.
In the LDAP module? That configuration is deprecated, and isn't even documented in 2.0.5. What is the output of debugging mode? If the contents of the "userPassword" field are just the SSHA hash, you will have to tell the FreeRADIUS that the field is the SSHA hash. Otherwise, it has no idea. In general, it's best to use the {ssha} header in the userPassword field. The LDAP server should handle it fine, and FreeRADIUS will use it to Just Do the Right Thing. Alan DeKok.
On Aug 18, 2008, at 10:41 AM, Alan DeKok wrote:
In the LDAP module? That configuration is deprecated, and isn't even documented in 2.0.5.
Ok, I've removed that configuration bit.
What is the output of debugging mode?
rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap:389, authentication 0 rlm_ldap: bind as uid=CRYPTOCARD,dc=somedomain,dc=com/somepassword to ldap:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=somedomain,dc=com, with filter (uid=test) rlm_ldap: Added User-Password = {SSHA}aZj99e5gRcpUEv26zXq7VvTa2apMdKBY44sVyg== in check items rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++++[people] returns ok +++- elsif (group-Ldap-Group == "cn=mgmtro,ou=groups,dc=somedomain,dc=com") returns ok +++ ... skipping elsif for request 0: Preceding "if" was taken ++- elsif (group-Ldap-Group == "cn=nocryptocard,ou=groups,dc=somedomain,dc=com") returns ok ++ ... skipping else for request 0: Preceding "if" was taken !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext- Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User- Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Hopefully this helps. --phil
Phillip Heller wrote:
rlm_ldap: Added User-Password = {SSHA}aZj99e5gRcpUEv26zXq7VvTa2apMdKBY44sVyg== in check items
That should work....
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!!
You've *deleted* the "pap" entry from the "authorize" section. It should be the last entry in that section. Alan DeKok.
On Aug 18, 2008, at 12:03 PM, Alan DeKok wrote:
Phillip Heller wrote:
rlm_ldap: Added User-Password = {SSHA}aZj99e5gRcpUEv26zXq7VvTa2apMdKBY44sVyg== in check items
That should work....
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!!
You've *deleted* the "pap" entry from the "authorize" section. It should be the last entry in that section.
Ok, I added that in, but now: rad_check_password: Found Auth-Type !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext- Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User- Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "fnord" rlm_pap: Using clear text password "{SSHA}uNexfodOuLt4WaJuzKvMOaDDm8s7kapAdFEVYw==" rlm_pap: Passwords don't match ++[pap] returns reject auth: Failed to validate the user. --phil
Phillip Heller wrote:
Ok, I added that in, but now:
You've been posting tiny pieces of the debug output. The whole debug output includes things like the configuration for the PAP module.
rlm_pap: login attempt with password "fnord" rlm_pap: Using clear text password "{SSHA}uNexfodOuLt4WaJuzKvMOaDDm8s7kapAdFEVYw=="
What is the configuration for the PAP module? You should set "auto_header = yes". Alan DeKok.
On Aug 18, 2008, at 12:32 PM, Alan DeKok wrote:
You've been posting tiny pieces of the debug output. The whole debug output includes things like the configuration for the PAP module.
Sorry about that, in looking at the debugging output myself, I did not see any PAP module configuration. However, adding it to the instantiate section solved that.
rlm_pap: login attempt with password "fnord" rlm_pap: Using clear text password "{SSHA}uNexfodOuLt4WaJuzKvMOaDDm8s7kapAdFEVYw=="
What is the configuration for the PAP module? You should set "auto_header = yes".
Configuration was just: pap { encryption_scheme = auto } Adding "auto_header = yes" solved the problem, all is working now, thanks! --phil
participants (2)
-
Alan DeKok -
Phillip Heller