Hi everyone. This is my first post to this list. I have set up freeradius (V2.1.12) together with openldap (V2.4.31) and so with some success I think. But I have to say that setting this up using only users-file was a breeze. Setting up freeradius with ldap not so simple. I am using cleartext password in ldap. I am not using any special schema for freeradius in my ldap-setup. My problem is something I noticed many other users has struggled with and that is this part from my debug output: ++[pap] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} So you say what is the problem, the solution is in your debug message? I have to say it's not. I can't find where to modify my config so this message does not repeat in my log/debug. So please what do I have to do to get rid of this problem? /Sonny
On Wed, Aug 15, 2012 at 8:54 PM, Sonny Taberman <sonny.taberman@lan-master.eu> wrote:
Hi everyone. This is my first post to this list.
I have set up freeradius (V2.1.12) together with openldap (V2.4.31) and so with some success I think. But I have to say that setting this up using only users-file was a breeze. Setting up freeradius with ldap not so simple. I am using cleartext password in ldap. I am not using any special schema for freeradius in my ldap-setup. My problem is something I noticed many other users has struggled with and that is this part from my debug output: ++[pap] returns noop Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...}
So you say what is the problem, the solution is in your debug message?
I have to say it's not. I can't find where to modify my config so this message does not repeat in my log/debug.
So please what do I have to do to get rid of this problem?
Does your ldap.attrmap look like this? https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/ldap.attrma... In particular look for "Password-With-Header" -- Fajar
Hi. 15 aug 2012 kl. 16:01 skrev "Fajar A. Nugraha" <list@fajar.net>:
Does your ldap.attrmap look like this? https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/ldap.attrma...
In particular look for "Password-With-Header"
Yes it look the same exactly. I guess you are referring to this line: checkitem Password-With-Header userPassword So do you mean that I should change that line to: checkitem Password-With-Header cleartextPassword /Sonny
I have to correct my self. The third column is the LDAP-name so that can't be it. I mean that is the container where the password is saved. Or am I missing something here? /Sonny 15 aug 2012 kl. 16:51 skrev Sonny Taberman <sonny.taberman@lan-master.eu>:
Hi.
15 aug 2012 kl. 16:01 skrev "Fajar A. Nugraha" <list@fajar.net>:
Does your ldap.attrmap look like this? https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/ldap.attrma...
In particular look for "Password-With-Header"
Yes it look the same exactly. I guess you are referring to this line: checkitem Password-With-Header userPassword
So do you mean that I should change that line to: checkitem Password-With-Header cleartextPassword
/Sonny
On Wed, Aug 15, 2012 at 9:54 PM, Sonny Taberman <sonny.taberman@lan-master.eu> wrote:
I have to correct my self. The third column is the LDAP-name so that can't be it. I mean that is the container where the password is saved. Or am I missing something here?
Something is setting User-Password check item. If you store the cleartext password as userPassword ldap attribute, then you might have something like this on your ldap.attrmap checkitem User-Password userPassword ... in which case you need to change the second column to Password-With-Header (or probably Cleartext-Password). But since you say the attrmap is identical (are you REALLY sure?), I don't know where else to look. Do you have User-Password somewhere on your attrmap, perhaps? Or users file? Or db? -- Fajar
On 15/08/12 16:13, Fajar A. Nugraha wrote:
Something is setting User-Password check item. If you store the
Bear in mind that rlm_ldap has some quite complex password processing rules hard-coded into the source. In particular, I think that code still, incorrectly, uses PW_USER_PASSWORD as the attribute, then overrides it based on the presence and value of a {type} header: https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_l... In particular, AFAICT if password_attribute is set, and auto_header is unset, then the attribute added will be User-Password.
On Wed, Aug 15, 2012 at 10:45 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 15/08/12 16:13, Fajar A. Nugraha wrote:
Something is setting User-Password check item. If you store the
Bear in mind that rlm_ldap has some quite complex password processing rules hard-coded into the source. In particular, I think that code still, incorrectly, uses PW_USER_PASSWORD as the attribute, then overrides it based on the presence and value of a {type} header:
https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_l...
In particular, AFAICT if password_attribute is set, and auto_header is unset, then the attribute added will be User-Password.
Hmm ... I wonder if simply replacing PW_USER_PASSWORD with PW_CLEARTEXT_PASSWORD there will work :) -- Fajar
On 08/16/2012 05:58 AM, Fajar A. Nugraha wrote:
https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_l...
In particular, AFAICT if password_attribute is set, and auto_header is unset, then the attribute added will be User-Password.
Hmm ... I wonder if simply replacing PW_USER_PASSWORD with PW_CLEARTEXT_PASSWORD there will work :)
It would probably be an (easy) improvement. IIRC the code in HEAD is different though. On a wider node, I wonder if the code inside rlm_ldap for password_header is even useful anymore - rlm_pap has support for auto-detecting the header, so it's just duplication.
Phil Mayers wrote:
On a wider node, I wonder if the code inside rlm_ldap for password_header is even useful anymore - rlm_pap has support for auto-detecting the header, so it's just duplication.
Yes. The LDAP auto-header code has been deprecated for ~5 years. It will go away in version 3. Alan DeKok.
Phil Mayers wrote:
Bear in mind that rlm_ldap has some quite complex password processing rules hard-coded into the source. In particular, I think that code still, incorrectly, uses PW_USER_PASSWORD as the attribute, then overrides it based on the presence and value of a {type} header:
That's what has been working for ~10 years. I'm wary of breaking peoples systems in a minor release. However, this will change for 3.0. There are major updates to the LDAP module which use the new connection pool, clean up the code, and generally make it more consistent with the rest of the server. Alan DeKok.
On 08/16/2012 08:00 AM, Alan DeKok wrote:
Phil Mayers wrote:
Bear in mind that rlm_ldap has some quite complex password processing rules hard-coded into the source. In particular, I think that code still, incorrectly, uses PW_USER_PASSWORD as the attribute, then overrides it based on the presence and value of a {type} header:
That's what has been working for ~10 years. I'm wary of breaking peoples systems in a minor release.
Oh totally - I'm not suggesting fiddling with the existing code, just noting that the reason the OP was getting the warning about User-Password versus Cleartext-Password was (I guess) rlm_ldap doing it, rather than anything he did.
16 aug 2012 kl. 13:02 skrev Phil Mayers <p.mayers@imperial.ac.uk>:
Oh totally - I'm not suggesting fiddling with the existing code, just noting that the reason the OP was getting the warning about User-Password versus Cleartext-Password was (I guess) rlm_ldap doing it, rather than anything he did.
I kind of like that idea. :-) The part were you blame rlm_ldap instead of me. But everything is working so I'm happy so far. /Sonny
Hi. Fajar. Thanks so much for your help. You helped me to find the problem. In ldap.attrmap I changed this line: checkitem Password-With-Header userPassword to this line: checkitem Cleartext-Password userPassword And now I can not see any error in the debug output. So I have to say my problem are solved. But I do wonder if this is something I should be able to find in the documentation and if so do you have any pointers to where? ( I have read everything I thought. But obviously not) :-) /Sonny 15 aug 2012 kl. 17:13 skrev "Fajar A. Nugraha" <list@fajar.net>:
On Wed, Aug 15, 2012 at 9:54 PM, Sonny Taberman <sonny.taberman@lan-master.eu> wrote:
I have to correct my self. The third column is the LDAP-name so that can't be it. I mean that is the container where the password is saved. Or am I missing something here?
Something is setting User-Password check item. If you store the cleartext password as userPassword ldap attribute, then you might have something like this on your ldap.attrmap
checkitem User-Password userPassword
... in which case you need to change the second column to Password-With-Header (or probably Cleartext-Password). But since you say the attrmap is identical (are you REALLY sure?), I don't know where else to look. Do you have User-Password somewhere on your attrmap, perhaps? Or users file? Or db?
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 15/08/12 15:51, Sonny Taberman wrote:
Hi.
15 aug 2012 kl. 16:01 skrev "Fajar A. Nugraha" <list@fajar.net <mailto:list@fajar.net>>:
Does your ldap.attrmap look like this? https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/ldap.attrma...
In particular look for "Password-With-Header"
Yes it look the same exactly.
So do you mean that I should change that line to: checkitem Password-With-Header cleartextPassword
That depends. Can you give an example, suitably redacted, of what one of the LDAP entries looks like? e.g. does it look like this: dn: cn=user,ou=blah userPassword: someplaintext ...or what?
15 aug 2012 kl. 17:08 skrev Phil Mayers <p.mayers@imperial.ac.uk>:
That depends. Can you give an example, suitably redacted, of what one of the LDAP entries looks like?
e.g. does it look like this:
dn: cn=user,ou=blah userPassword: someplaintext
...or what?
It looks exactly like this. /Sonny
participants (4)
-
Alan DeKok -
Fajar A. Nugraha -
Phil Mayers -
Sonny Taberman