Hello, I'm using freeradius 2.1.10 and I want to use ldap like a backend in authorize section to take userPassword attribute (unix crypt) to authenticate the user. My problem is: the ldap server don't have public key that an admin user (who bind) can take. So I have to bind in the authorize section with the user and password (clear text) in the request. Is this posible? What are my posibilities? Here is my actual configuration in my test: LDAP MODULE ldap ldapPerson{ server = "ldap.xxxx" basedn = "ou=people,dc=unex,dc=es" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldapPerson.attrmap edir_account_policy_check = no set_auth_type = yes } SERVER server test{ authorize { suffix files ldapPerson expiration pap } authenticate { Auth-Type PAP { pap } } } DEBUG rad_recv: Access-Request packet from host X.X.X.X port 38152, id=201, length=58 User-Name = "aigallardo@unex.es" User-Password = "pass" server test { # Executing section authorize from file /etc/freeradius/sites-enabled/test +- entering group authorize {...} [suffix] Looking up realm "unex.es" for User-Name = "aigallardo@unex.es" [suffix] Found realm "unex.es" [suffix] Adding Stripped-User-Name = "aigallardo" [suffix] Adding Realm = "unex.es" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [files] users: Matched entry DEFAULT at line 33 ++[files] returns ok [ldapPerson] performing user authorization for aigallardo [ldapPerson] expand: %{Stripped-User-Name} -> aigallardo [ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo) [ldapPerson] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es [ldapPerson] ldap_get_conn: Checking Id: 0 [ldapPerson] ldap_get_conn: Got Id: 0 [ldapPerson] attempting LDAP reconnection [ldapPerson] (re)connect to XXXXX :389, authentication 0 [ldapPerson] bind as / to XXXX :389 [ldapPerson] waiting for bind result ... [ldapPerson] Bind was successful [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo) [ldapPerson] No default NMAS login sequence [ldapPerson] looking for check items in directory... [ldapPerson] looking for reply items in directory... [ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldapPerson] user aigallardo authorized to use remote access [ldapPerson] ldap_release_conn: Release Id: 0 ++[ldapPerson] returns ok ++[expiration] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. } # server test Thank you very much and sorry for my eglish. ++ Ana Gallardo Gómez ++
On Wed, Dec 01, 2010 at 12:48:14PM +0100, Ana Gallardo wrote:
My problem is: the ldap server don't have public key that an admin user (who bind) can take. So I have to bind in the authorize section with the user and password (clear text) in the request.
authenticate { Auth-Type PAP { pap } }
Add LDAP into the authenticate section, so that it simply tries to re-bind with the provided credentials? Like this: Auth-Type LDAP { ldapPerson } -- 2. That which causes joy or happiness.
Josip, thanks for your response. Add LDAP into the authenticate section, so that it simply tries to re-bind
with the provided credentials? Like this:
Auth-Type LDAP { ldapPerson }
I try this configuration too, but it doesn't work for me. Freeradius doesn't set the value to Auth-Type attribute. I thik that this is because the userPassword attribute is only visible to each particular user when binds. rad_recv: Access-Request packet from host X.X.X.X port 49621, id=130, length=58 User-Name = "aigallardo@unex.es" User-Password = "XXXX" server test { # Executing section authorize from file /etc/freeradius/sites-enabled/test +- entering group authorize {...} [suffix] Looking up realm "unex.es" for User-Name = "aigallardo@unex.es" [suffix] Found realm "unex.es" [suffix] Adding Stripped-User-Name = "aigallardo" [suffix] Adding Realm = "unex.es" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [files] users: Matched entry DEFAULT at line 33 ++[files] returns ok [ldapPerson] performing user authorization for aigallardo [ldapPerson] expand: %{Stripped-User-Name} -> aigallardo [ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo) [ldapPerson] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es [ldapPerson] ldap_get_conn: Checking Id: 0 [ldapPerson] ldap_get_conn: Got Id: 0 [ldapPerson] attempting LDAP reconnection [ldapPerson] (re)connect to ldap.unex.es:389, authentication 0 [ldapPerson] bind as / to ldap.unex.es:389 [ldapPerson] waiting for bind result ... [ldapPerson] Bind was successful [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo) [ldapPerson] No default NMAS login sequence [ldapPerson] looking for check items in directory... [ldapPerson] looking for reply items in directory... [ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez,Dpto. Tecno. Computadores y Comuni.,," WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldapPerson] user aigallardo authorized to use remote access [ldapPerson] ldap_release_conn: Release Id: 0 ++[ldapPerson] returns ok ++[expiration] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. } # server test Thank you very much and sorry for my english. ++ Ana Gallardo Gómez ++
On Thu, Dec 02, 2010 at 09:09:51AM +0100, Ana Gallardo wrote:
Add LDAP into the authenticate section, so that it simply tries to re-bind with the provided credentials? Like this:
Auth-Type LDAP { ldapPerson }
I try this configuration too, but it doesn't work for me. Freeradius doesn't set the value to Auth-Type attribute. I thik that this is because the userPassword attribute is only visible to each particular user when binds.
This is an orthogonal issue; you don't have to allow anyone to read the value of the userPassword attribute, you just have to get the FR ldap module to *bind* to the LDAP server with the username and password from the request. Then the LDAP server verifies it against whatever it needs in the background, and you don't care.
# Executing section authorize from file /etc/freeradius/sites-enabled/test +- entering group authorize {...} [ldapPerson] bind as / to ldap.unex.es:389 [ldapPerson] waiting for bind result ... [ldapPerson] Bind was successful
This is log output for an anonymous bind in authorize section ("bind as / to" means "bind as <no user>/<no password>"). What is the output for the authenticated bind, that happens in the authenticate section? -- 2. That which causes joy or happiness.
Hello Josip and thank you again for your response. This is an orthogonal issue; you don't have to allow anyone to read the
value of the userPassword attribute, you just have to get the FR ldap module to *bind* to the LDAP server with the username and password from the request.
Ok, now I know. This is log output for an anonymous bind in authorize section ("bind as /
to" means "bind as <no user>/<no password>"). What is the output for the authenticated bind, that happens in the authenticate section?
There is no authenticated bind because Freeradius doesn't set Auth-Type and... ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Thanks ++ Ana Gallardo Gómez ++
Hello again. Ok, now I can authenticate an user using LDAP. I'm using freeradius 2.1.10 and I want to use ldap like a backend in
authorize section to take userPassword attribute (unix crypt) to authenticate the user.
My problem is: the ldap server don't have public key that an admin user (who
bind) can take. So I have to bind in the authorize section with the user and password (clear text) in the request.
Is this posible?
I have read that this is not ok http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.h...
What are my posibilities?
I think that what I can do is: - in authorize section bind like anonymous user and take the public attributes that I need to authorize the user. - in authenticate section bind like the user who want to access The configuration that work: LDAP MODULE ldap ldapPerson{ server = "xxx" basedn = "ou=people,dc=unex,dc=es" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldapPerson.attrmap edir_account_policy_check = no set_auth_type = yes } SERVER server test{ authorize { suffix files ldapPerson expiration update control { Auth-Type := "LDAP" } } authenticate { Auth-Type LDAP { ldapPerson } } } DEBUG rad_recv: Access-Request packet from host x.x.x.x port 48259, id=145, length=58 User-Name = "aigallardo@unex.es" User-Password = "xxxx" server test { # Executing section authorize from file /etc/freeradius/sites-enabled/test +- entering group authorize {...} [suffix] Looking up realm "unex.es" for User-Name = "aigallardo@unex.es" [suffix] Found realm "unex.es" [suffix] Adding Stripped-User-Name = "aigallardo" [suffix] Adding Realm = "unex.es" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [files] users: Matched entry DEFAULT at line 33 ++[files] returns ok [ldapPerson] performing user authorization for aigallardo [ldapPerson] expand: %{Stripped-User-Name} -> aigallardo [ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo) [ldapPerson] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es [ldapPerson] ldap_get_conn: Checking Id: 0 [ldapPerson] ldap_get_conn: Got Id: 0 [ldapPerson] attempting LDAP reconnection [ldapPerson] (re)connect to x.x.x.x:389, authentication 0 [ldapPerson] bind as / to x.x.x.x:389 [ldapPerson] waiting for bind result ... [ldapPerson] Bind was successful [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo) [ldapPerson] No default NMAS login sequence [ldapPerson] looking for check items in directory... [ldapPerson] looking for reply items in directory... [ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez..." WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldapPerson] user aigallardo authorized to use remote access [ldapPerson] ldap_release_conn: Release Id: 0 ++[ldapPerson] returns ok ++[expiration] returns noop ++[control] returns noop Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/test +- entering group LDAP {...} [ldapPerson] login attempt by "aigallardo" with password "xxxx" [ldapPerson] user DN: uid=aigallardo,ou=People,dc=unex,dc=es [ldapPerson] (re)connect to x.x.x.x:389, authentication 1 [ldapPerson] bind as uid=aigallardo,ou=People,dc=unex,dc=es/xxxxx to x.x.x.x:389 [ldapPerson] waiting for bind result ... [ldapPerson] Bind was successful [ldapPerson] user aigallardo authenticated succesfully ++[ldapPerson] returns ok } # server test Sending Access-Accept of id 145 to x.x.x.x port 48259 Nombre-Completo = "Ana-Isabel Gallardo Gomez..." I don't know if this is the best way to solve my problem, I someone have something better, I would like to know. Thank you very much and sorry for my english. ++ Ana Gallardo Gómez ++
On Thu, Dec 02, 2010 at 02:37:43PM +0100, Ana Gallardo wrote:
I have read that this is not ok
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.h...
OK, and you're not doing that which is described above, so you're fine.
The configuration that work:
ldap ldapPerson{ set_auth_type = yes }
I think this is the catch. I don't have this particular option in my config, but I see now that it looks like they're all 2.1.8.
authorize { ldapPerson update control { Auth-Type := "LDAP" } }
This seems redundant. If ldapPerson already ran, with the set_auth_type option, ... -- 2. That which causes joy or happiness.
On Thu, Dec 02, 2010 at 03:48:34PM +0100, Josip Rodin wrote:
The configuration that work:
ldap ldapPerson{ set_auth_type = yes }
I think this is the catch. I don't have this particular option in my config, but I see now that it looks like they're all 2.1.8.
I re-checked the documentation and I see now that it had nothing to do with versions, but a simple fact that the LDAP module defers to any other Auth-Type - and you had a PAP handler there. -- 2. That which causes joy or happiness.
participants (2)
-
Ana Gallardo -
Josip Rodin