A general question that I have not seen in the forum. I want to authenticate against LDAP... BUT I don't want to use the LDAP password as the password in every case. In a remote connectivity solution I want to check the remotepassword attribute for authentication. Problem is (as I see it), that the real LDAP password is not passed in with the remote connectivity request, so the request seems to be failing. If I make the request with the LDAP password, it succeeds. So my question, and I know that there is a caveat about a cleartext password being required for LDAP authentication, is: Can I make a request to freeradius that gets passed to LDAP but only requires the password to be checked against an attribute of the username, NOT the real LDAP password. Any insight/experience or pointers to helpful doc sources would be appreciated. Regards, Lin Richardson
Hi,
So my question, and I know that there is a caveat about a cleartext password being required for LDAP authentication, is: Can I make a request to freeradius that gets passed to LDAP but only requires the password to be checked against an attribute of the username, NOT the real LDAP password.
Modify ldap.attrmap so that _your_ attribute is mapped into User-Name, not the default one. Stefan -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
Modify ldap.attrmap so that _your_ attribute is mapped into User-Name, not the default one.
User-Password of course. -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
Okay, feeling a bit stoopid at the moment. I did not have the User-Password mapped. For some indefensible reason based on our environment I had changed it simply to Password, and never changed it back. I should have tried that mapping. HOWEVER It still doesn't work. I can perform radtest queries username/LDAPpassword, and I get the accept response. If I use the query with username/remotepassword, I get rejected. It appears that rlm_ldap does an initial lookup in LDAP and then tries to reconnect and bind as the user via the unitnumber. It uses (I can only assume) the User-Password to bind, and if that is not set to the value of the LDAP password, it fails and the requst is rejected. I can see this happening in the log snippets included below. Note also that I removed the two $GENERIC$ lines from the ldap.attrmapfile... does that matter? I still don't understand their function. Also, can I make arbitrary variable assignments in the ldap.attrmap file? like Some-Attriabute := %Some-Other-Attribute? ----------------------------------------------------------------- My entire ldap.attrmap (without comments) is as follows: checkItem Account-Enabled isaccountenabled checkItem User-Password remotepassword replyItem Access-List accesslist replyItem Class remotegroup (I am trying to recreate settings from another radius product I would like to replace) --------------------------------------- My command line radtest for a failed and successful attempt bash-3.00# /usr/local/freeradius/bin/radtest testuser "TESTpwd" localhost:1815 35000 SECRET Sending Access-Request of id 50 to 127.0.0.1 port 1815 User-Name = "testuser" User-Password = "TESTpwd" NAS-IP-Address = 255.255.255.255 NAS-Port = 35000 rad_recv: Access-Reject packet from host 127.0.0.1:1815, id=50, length=20 bash-3.00# /usr/local/freeradius/bin/radtest testuser "LDAPpwd" localhost:1815 35000 SECRET Sending Access-Request of id 59 to 127.0.0.1 port 1815 User-Name = "testuser" User-Password = "LDAPpwd" NAS-IP-Address = 255.255.255.255 NAS-Port = 35000 rad_recv: Access-Accept packet from host 127.0.0.1:1815, id=59, length=34 Class = 0x6f753d456d706c6f79656573 --------------------------------------------------- Debug output for the above requests is as follows: (see attached file "radius-debug.txt" for full log) REQUEST ONE FAILED ... rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 0 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser" with password "TESTpwd" rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1 rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/TESTpwd to ldapvip.co.mycompany.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials modcall[authenticate]: module "ldap" returns reject for request 0 modcall: leaving group LDAP (returns reject) for request 0 auth: Failed to validate the user. Login incorrect (rlm_ldap: Bind as user failed): [testuser/TESTpwd] (from client localhost port 35000) Delaying request 0 for 1 seconds Finished request 0 ... REQUEST TWO SUCCESSFUL ... rlm_ldap: Setting Auth-Type = ldap rlm_ldap: user testuser authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type ldap auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group LDAP for request 1 rlm_ldap: - authenticate rlm_ldap: login attempt by "testuser" with password "LDAPpwd" rlm_ldap: user DN: unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany rlm_ldap: (re)connect to ldapvip.co.mycompany.com:389, authentication 1 rlm_ldap: bind as unitnumber=547258278,ou=mspr,ou=mycompanypeople,o=mycompany/LDAPpwd to ldapvip.co.mycompany.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user testuser authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 1 modcall: leaving group LDAP (returns ok) for request 1 Login OK: [testuser] (from client localhost port 35000) Sending Access-Accept of id 59 to 127.0.0.1 port 43466 Class = 0x6f753d456d706c6f79656573 Finished request 1 ..... On 8/29/06, Stefan Winter <stefan.winter@restena.lu> wrote:
Modify ldap.attrmap so that _your_ attribute is mapped into User-Name, not the default one.
User-Password of course.
-- Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche
6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I should have tried that mapping.
HOWEVER
It still doesn't work. I can perform radtest queries username/LDAPpassword, and I get the accept response. If I use the query with username/remotepassword, I get rejected.
Okay, I can't verify what I propose now, so I might be wrong, but: ldap is usually called twice: during authorize and authenticate. authorize is the section that pulls attributes out of LDAP using ldap.attrmap and is the one you need. In authenticate, it tries a bind with the user's name and password. This is NOT what you want, because the bind will fail. You could try to _comment out_ the following lines from your authenticate section Auth-Type LDAP { ldap } so that the bind isn't attempted. Not sure if that's enough though, since the ldap in authroze will set Auth-Type to LDAP by itself... But if it doesn't, someone else would need to jump in, that's beyond my experience. Maybe it's necessary to set Auth-Type to PAP in the users file manually then. Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
participants (2)
-
Lin Richardson -
Stefan Winter