Issue with OpenLdap and FreeRadius
Hi All, I'm am using FreeRadius 2.1.12 from the CentOS repo and am trying to get it working with OpenLDAP 2.3.43 also from the CentOS repo. Everything is working great until I add and ACL to OpenLDAP that gives self write access to sambaNTpassword. When that line is added FreeRadius will stop authenticating clients. I'm including a link to my log file gathered from radiusd -X > debug.txt. At the end of that file you can see where I turned off the sambaNTpassword and things start working again. Any idea on how I can fix this? https://www.dropbox.com/s/vhuolmhl62fphfd/debug.txt Thanks, -- _ /-\ ndrew Niemantsverdriet Linux System Administrator Academic Computing (406) 238-7360 Rocky Mountain College 1511 Poly Dr. Billings MT, 59102
Anybody have any ideas on this? I'm stuck. Thanks, _ /-\ ndrew On Mon, Aug 18, 2014 at 10:17 AM, Andrew Niemantsverdriet <andrew@rocky.edu> wrote:
Hi All,
I'm am using FreeRadius 2.1.12 from the CentOS repo and am trying to get it working with OpenLDAP 2.3.43 also from the CentOS repo. Everything is working great until I add and ACL to OpenLDAP that gives self write access to sambaNTpassword. When that line is added FreeRadius will stop authenticating clients.
I'm including a link to my log file gathered from radiusd -X > debug.txt. At the end of that file you can see where I turned off the sambaNTpassword and things start working again. Any idea on how I can fix this?
https://www.dropbox.com/s/vhuolmhl62fphfd/debug.txt
Thanks, -- _ /-\ ndrew Niemantsverdriet Linux System Administrator Academic Computing (406) 238-7360 Rocky Mountain College 1511 Poly Dr. Billings MT, 59102
-- _ /-\ ndrew Niemantsverdriet Linux System Administrator Academic Computing (406) 238-7360 Rocky Mountain College 1511 Poly Dr. Billings MT, 59102
Andrew Niemantsverdriet wrote:
Anybody have any ideas on this? I'm stuck.
Read the debug output. It's simple. [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? So... that's the problem. Don't blame FreeRADIUS if OpenLDAP isn't returning a password for the user. And when it works: ldap] expand: dc=localdomain -> dc=localdomain [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=localdomain, with filter (uid=stewart.shoe) [ldap] checking if remote access for stewart.shoe is allowed by uid [ldap] looking for check items in directory... [ldap] sambantpassword -> NT-Password == 0x4434324535354546393031414334453743383444463546434432304135324235 [ldap] looking for reply items in directory... See? Pretty simple. Alan DeKok.
I guess where I am confused is that it works when I don't have write access to sambantpassword in OpenLDAP but fails as soon as I grant that in an ACL. On Wed, Aug 20, 2014 at 9:10 AM, Alan DeKok <aland@deployingradius.com> wrote:
Andrew Niemantsverdriet wrote:
Anybody have any ideas on this? I'm stuck.
Read the debug output. It's simple.
[ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
So... that's the problem.
Don't blame FreeRADIUS if OpenLDAP isn't returning a password for the user.
And when it works:
ldap] expand: dc=localdomain -> dc=localdomain [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=localdomain, with filter (uid=stewart.shoe) [ldap] checking if remote access for stewart.shoe is allowed by uid [ldap] looking for check items in directory... [ldap] sambantpassword -> NT-Password == 0x4434324535354546393031414334453743383444463546434432304135324235 [ldap] looking for reply items in directory...
See? Pretty simple.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- _ /-\ ndrew Niemantsverdriet Linux System Administrator Academic Computing (406) 238-7360 Rocky Mountain College 1511 Poly Dr. Billings MT, 59102
Andrew Niemantsverdriet wrote:
I guess where I am confused is that it works when I don't have write access to sambantpassword in OpenLDAP but fails as soon as I grant that in an ACL.
<shrug> I don't know. All I know is that in one situation, LDAP returns a password. In the other, it doesn't. As with many things RADIUS, the problem lies somewhere else. FreeRADIUS is only reporting the error, not creating it. Alan DeKok.
Alan, Alright, thanks for help deciphering the log file. I will see if I can track down why OpenLDAP stops returning a password if sambaNTPassword has write access. On Wed, Aug 20, 2014 at 2:25 PM, Alan DeKok <aland@deployingradius.com> wrote:
Andrew Niemantsverdriet wrote:
I guess where I am confused is that it works when I don't have write access to sambantpassword in OpenLDAP but fails as soon as I grant that in an ACL.
<shrug> I don't know. All I know is that in one situation, LDAP returns a password. In the other, it doesn't.
As with many things RADIUS, the problem lies somewhere else. FreeRADIUS is only reporting the error, not creating it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- _ /-\ ndrew Niemantsverdriet Linux System Administrator Academic Computing (406) 238-7360 Rocky Mountain College 1511 Poly Dr. Billings MT, 59102
On 18.08.2014 18:17, Andrew Niemantsverdriet wrote:
I'm am using FreeRadius 2.1.12 from the CentOS repo and am trying to get it working with OpenLDAP 2.3.43 also from the CentOS repo. Everything is working great until I add and ACL to OpenLDAP that gives self write access to sambaNTpassword. When that line is added FreeRadius will stop authenticating clients.
Do you use an ACL like: access to attrs=sambaNTpassword by self =w ? If so, then you granted write access, but no read access. You need to use access to attrs=sambaNTpassword by self =rw Note that there is a difference between writing access to attrs=sambaNTpassword by self write and access to attrs=sambaNTpassword by self =w The first one includes read access, the second one does not. Use the slapacl utility to test your ACLs and see the difference. Grüße, Sven.
Sven, Awesome, thanks for the hint. That was the issue now everything is working as expected. Thanks! _ /-\ ndrew On Thu, Aug 21, 2014 at 6:23 AM, Sven Hartge <sven@svenhartge.de> wrote:
On 18.08.2014 18:17, Andrew Niemantsverdriet wrote:
I'm am using FreeRadius 2.1.12 from the CentOS repo and am trying to get it working with OpenLDAP 2.3.43 also from the CentOS repo. Everything is working great until I add and ACL to OpenLDAP that gives self write access to sambaNTpassword. When that line is added FreeRadius will stop authenticating clients.
Do you use an ACL like:
access to attrs=sambaNTpassword by self =w
? If so, then you granted write access, but no read access. You need to use
access to attrs=sambaNTpassword by self =rw
Note that there is a difference between writing
access to attrs=sambaNTpassword by self write
and
access to attrs=sambaNTpassword by self =w
The first one includes read access, the second one does not.
Use the slapacl utility to test your ACLs and see the difference.
Grüße, Sven.
-- _ /-\ ndrew Niemantsverdriet Linux System Administrator Academic Computing (406) 238-7360 Rocky Mountain College 1511 Poly Dr. Billings MT, 59102
participants (3)
-
Alan DeKok -
Andrew Niemantsverdriet -
Sven Hartge