Re: Freeradius-Users Digest, Vol 63, Issue 95
Alan, changing from User-Password to Password-With-Header brought back the 'No "known good" password' error. I'm going through the rlm_pap.c code to try to see what's going on here. I haven't found any docs yet on what the various mapping possibilities are and what they do. Do you have a pointer to any so I don't keep bugging you and the list? I agree with the 'get it work, then tune it' approach. That's where I'm at now. It's working, I'm just trying to make all the messages go away :) Thanks! Tom Here is a snippet from radiusd -X: [ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items [ldap-server1] looking for check items in directory... [ldap-server1] userPassword -> Password-With-Header == "{crypt}4gOgBZqZgtwIw" [ldap-server1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-server1] user testuser authorized to use remote access
Date: Tue, 27 Jul 2010 09:00:23 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: Another LDAP/RADIUS integration problem. To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4C4E8407.3030503@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Tom Leach wrote:
Alan, I changed the ldap.attrmap file from "checkItem Crypt-Password userPassword" to "checkItem User-Password userPassword" and it's authenticating now, but I now have a new message in the debug output and I'm not sure if it's a problem, suggestion, or otherwise.
It's a suggestion. But the first step was to get it to work.
I can't change the LDAP directory to contain actual cleartext passwords, so it may just be something that I have to live with.
Change the mapping in ldap.attrmap to:
checkItem Password-With-Header userPassword
That should *still* work, and will remove the warning.
The process here is to first get it to work, and then get it to work better.
Alan DeKok.
Grr, off on a goose chase. Problem isn't in rlm_pap.c, but rlm_ldap.c. rlm_ldap only likes the Cleartext-Password and User-Password attributes. Would it be a bad thing to patch rlm_ldap.c to also work with Password-With-Header? If not, then I guess I'll have to use User-Password in the ldap dictionary and live with the suggestion message in debug output. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thanks! Tom On 07/28/2010 11:59 AM, Tom Leach wrote:
Alan, changing from User-Password to Password-With-Header brought back the 'No "known good" password' error. I'm going through the rlm_pap.c code to try to see what's going on here. I haven't found any docs yet on what the various mapping possibilities are and what they do. Do you have a pointer to any so I don't keep bugging you and the list? I agree with the 'get it work, then tune it' approach. That's where I'm at now. It's working, I'm just trying to make all the messages go away :) Thanks! Tom
Here is a snippet from radiusd -X: [ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items [ldap-server1] looking for check items in directory... [ldap-server1] userPassword -> Password-With-Header == "{crypt}4gOgBZqZgtwIw" [ldap-server1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-server1] user testuser authorized to use remote access
Date: Tue, 27 Jul 2010 09:00:23 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: Another LDAP/RADIUS integration problem. To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <4C4E8407.3030503@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Tom Leach wrote:
Alan, I changed the ldap.attrmap file from "checkItem Crypt-Password userPassword" to "checkItem User-Password userPassword" and it's authenticating now, but I now have a new message in the debug output and I'm not sure if it's a problem, suggestion, or otherwise.
It's a suggestion. But the first step was to get it to work.
I can't change the LDAP directory to contain actual cleartext passwords, so it may just be something that I have to live with.
Change the mapping in ldap.attrmap to:
checkItem Password-With-Header userPassword
That should *still* work, and will remove the warning.
The process here is to first get it to work, and then get it to work better.
Alan DeKok.
Tom Leach wrote:
Grr, off on a goose chase. Problem isn't in rlm_pap.c, but rlm_ldap.c. rlm_ldap only likes the Cleartext-Password and User-Password attributes.
Yes... the message you posted clearly shows it's output from the LDAP mdoule.
Would it be a bad thing to patch rlm_ldap.c to also work with Password-With-Header? If not, then I guess I'll have to use User-Password in the ldap dictionary and live with the suggestion message in debug output.
PLEASE don't do that. I suggested to use Password-With-Header as the preferred alternative. Don't go pick *another* method with *more* warning messages, just because you don't like seeing the warning message produced by the LDAP module. Alan DeKok.
Tom Leach wrote:
Alan, changing from User-Password to Password-With-Header brought back the 'No "known good" password' error. I'm going through the rlm_pap.c code to try to see what's going on here. I haven't found any docs yet on what the various mapping possibilities are and what they do. Do you have a pointer to any so I don't keep bugging you and the list? I agree with the 'get it work, then tune it' approach. That's where I'm at now. It's working, I'm just trying to make all the messages go away :)
PLEASE don't get excited about warning messages. They're just messages. It's not worth it to spend days trying to make the messages go away. If the server works, it works.
Here is a snippet from radiusd -X: [ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items [ldap-server1] looking for check items in directory... [ldap-server1] userPassword -> Password-With-Header == "{crypt}4gOgBZqZgtwIw" [ldap-server1] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
That message will go away in 2.1.10, if you're using Password-With-Header. Alan DeKok.
participants (2)
-
Alan DeKok -
Tom Leach