rlm_ldap: Successful login with empty password
Hello everyone, I am currently testing version 4. I am using the latest commit (3b422574). I noticed that if the LDAP module is configured with an Active Directory, a user can successfully log in with an empty password. I think that this behaviour is not correct or? It also works with the Radius protocol instead of Tacacs and with Alpha version 4. First I perform the login with the correct password and then with an empty password. This is the output of freeradius -X: Info : Copyright 1999-2024 The FreeRADIUS server project and contributors Info : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Info : PARTICULAR PURPOSE Info : You may redistribute copies of FreeRADIUS under the terms of the Info : GNU General Public License Info : For more information about these matters, see the file named COPYRIGHT Info : Starting - reading configuration files ... Debug : Including dictionary file "/etc/raddb/dictionary" including configuration file /etc/raddb/radiusd.conf Including files in directory "/etc/raddb/template.d/" including configuration file /etc/raddb/template.d/default including configuration file /etc/raddb/clients.conf Including files in directory "/etc/raddb/global.d/" including configuration file /etc/raddb/global.d/ldap including configuration file /etc/raddb/global.d/python Including files in directory "/etc/raddb/mods-enabled/" including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/client including configuration file /etc/raddb/mods-enabled/delay including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/eap_inner including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/escape including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/ldap including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/stats including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/utf8 Including files in directory "/etc/raddb/policy.d/" including configuration file /etc/raddb/policy.d/abfab-tr including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/canonicalisation including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/time including configuration file /etc/raddb/policy.d/vendor Including files in directory "/etc/raddb/sites-enabled/" including configuration file /etc/raddb/sites-enabled/default Loaded module process_radius including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/tacacs Loaded module process_tacacs Parsing initial logging configuration. main { prefix = /usr/local/freeradius log { destination = file syslog_facility = daemon local_state_dir = "/usr/local/freeradius/var" logdir = "/usr/local/freeradius/var/log" file = /usr/local/freeradius/var/log/radius/radius.log suppress_secrets = no } } Parsing security rules to bootstrap UID / GID / chroot / etc. main { log { } security { allow_core_dumps = no allow_vulnerable_openssl = no openssl_fips_mode = no } name = radiusd local_state_dir = "/usr/local/freeradius/var" run_dir = /usr/local/freeradius/var/run/radiusd } Parsing main configuration main { server default { namespace = radius radius { Access-Request { session { timeout = 15 max = 4096 } } } Loaded module proto_radius listen { type = Access-Request type = Status-Server transport = udp Loaded module proto_radius_udp udp { ipaddr = * port = 1812 networks { allow = 127/8 allow = 192.0.2/24 } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 5.0 idle_timeout = 60.0 nak_lifetime = 30.0 max_connections = 256 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } } listen tcp_auth { type = Access-Request type = Status-Server transport = tcp Loaded module proto_radius_tcp tcp { ipaddr = * port = 1812 networks { allow = 127/8 allow = 192.0.2/24 } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 5.0 idle_timeout = 30.0 nak_lifetime = 30.0 max_connections = 1024 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } } listen udp_acct { type = Accounting-Request transport = udp udp { ipaddr = * port = 1813 networks { } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 5.0 idle_timeout = 30.0 nak_lifetime = 30.0 max_connections = 1024 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } } } server inner-tunnel { namespace = radius radius { Access-Request { session { timeout = 15 max = 4096 } } } listen { type = Access-Request transport = udp udp { ipaddr = 127.0.0.1 port = 18120 networks { } max_packet_size = 4096 max_attributes = 255 } limit { cleanup_delay = 5.0 idle_timeout = 30.0 nak_lifetime = 30.0 max_connections = 1024 max_clients = 256 max_pending_packets = 256 } priority { Access-Request = high Accounting-Request = low CoA-Request = normal Disconnect-Request = low Status-Server = now } } } server tacacs { namespace = tacacs tacacs { Authentication { session { timeout = 15 max = 4096 max_rounds = 4 } } } Loaded module proto_tacacs listen { type = Authentication-Start type = Authentication-Continue type = Authorization-Request type = Accounting-Request transport = tcp Loaded module proto_tacacs_tcp tcp { ipaddr = * port = 49 networks { } max_packet_size = 4096 max_attributes = 256 } limit { idle_timeout = 60.0 max_connections = 256 } priority { Authentication-Start = high Authentication-Continue = high Authorization-Request = normal Accounting-Request = low } } } log { colourise = yes } security { } sbin_dir = "/usr/local/freeradius/sbin" logdir = /usr/local/freeradius/var/log/radius radacctdir = /usr/local/freeradius/var/log/radius/radacct reverse_lookups = no hostname_lookups = yes max_request_time = 30 pidfile = /usr/local/freeradius/var/run/radiusd/radiusd.pid debug_level = 0 max_requests = 16384 resources { } thread pool { num_networks = 1 Dynamically determined thread.workers = 15 num_workers = 15 openssl_async_pool_init = 64 openssl_async_pool_max = 1024 } migrate { rewrite_update = false forbid_update = false } interpret { } } Switching to configured log settings log debug { destination = null timestamp = yes colourise = no } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 secret = <<< secret >>> require_message_authenticator = no proto = * limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30s } } Debugger not attached trigger { ... } subsection not found, triggers will be disabled #### Instantiating libraries #### #### Bootstrapping process modules #### Bootstrapping process_radius "default" Creating Auth-Type = pap Creating Auth-Type = chap Creating Auth-Type = mschap Creating Auth-Type = digest Creating Auth-Type = ldap Creating Auth-Type = eap Bootstrapping process_radius "inner-tunnel" Bootstrapping process_tacacs "tacacs" Creating Auth-Type = ASCII #### Bootstrapping protocol modules #### Bootstrapping proto_radius "default.radius" client localhost { ipaddr = 192.0.2.1 secret = <<< secret >>> shortname = sample limit { max_connections = 16 lifetime = 0 idle_timeout = 30s } } Bootstrapping proto_radius "default.tcp_auth" Bootstrapping proto_radius "default.udp_acct" Bootstrapping proto_radius "inner-tunnel.radius" Bootstrapping proto_tacacs "tacacs.tacacs" Ignoring "nak_lifetime = 0", forcing to "nak_lifetime = 1" client tacacs { ipaddr = 127.0.0.1 secret = <<< secret >>> proto = tcp limit { max_connections = 16 lifetime = 0 idle_timeout = 30s } } #### Instantiating libraries #### #### Bootstrapping modules #### modules { Loaded module rlm_always always reject { rcode = reject simulcount = 0 mpp = no } always fail { rcode = fail simulcount = 0 mpp = no } always ok { rcode = ok simulcount = 0 mpp = no } always handled { rcode = handled simulcount = 0 mpp = no } always invalid { rcode = invalid simulcount = 0 mpp = no } always disallow { rcode = disallow simulcount = 0 mpp = no } always notfound { rcode = notfound simulcount = 0 mpp = no } always noop { rcode = noop simulcount = 0 mpp = no } always updated { rcode = updated simulcount = 0 mpp = no } Loaded module rlm_attr_filter attr_filter attr_filter.pre-proxy { filename = /etc/raddb/mods-config/attr_filter/pre-proxy key = "%{Realm}" relaxed = no } attr_filter attr_filter.post-proxy { filename = /etc/raddb/mods-config/attr_filter/post-proxy key = "%{Realm}" relaxed = no } attr_filter attr_filter.access_reject { filename = /etc/raddb/mods-config/attr_filter/access_reject key = "%{User-Name}" relaxed = no } attr_filter attr_filter.access_challenge { filename = /etc/raddb/mods-config/attr_filter/access_challenge key = "%{User-Name}" relaxed = no } attr_filter attr_filter.accounting_response { filename = /etc/raddb/mods-config/attr_filter/accounting_response key = "%{User-Name}" relaxed = no } Loaded module rlm_cache cache cache_eap { driver = rbtree Loaded module rlm_cache_rbtree ttl = 15 max_entries = 0 epoch = 0 add_stats = no } Loaded module rlm_chap chap { min_challenge_len = 16 } Loaded module rlm_client Loaded module rlm_delay delay { delay = 1.0s relative = no force_reschedule = no } delay delay_reject { delay = "%{&reply.FreeRADIUS-Response-Delay || 1}" relative = yes force_reschedule = no } Loaded module rlm_detail detail { permissions = 0600 locking = no escape_filenames = no log_packet_header = no } detail auth_log { permissions = 0600 locking = no escape_filenames = no log_packet_header = no } detail reply_log { permissions = 0600 locking = no escape_filenames = no log_packet_header = no } detail pre_proxy_log { permissions = 0600 locking = no escape_filenames = no log_packet_header = no } detail post_proxy_log { permissions = 0600 locking = no escape_filenames = no log_packet_header = no } Loaded module rlm_digest Loaded module rlm_eap eap { require_identity_realm = nai type = md5 Loaded module rlm_eap_md5 type = gtc Loaded module rlm_eap_gtc gtc { challenge = "Password: " auth_type = PAP } type = tls Loaded module rlm_eap_tls tls { tls = tls-common require_client_cert = yes include_length = yes } type = ttls Loaded module rlm_eap_ttls ttls { tls = tls-common virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } type = mschapv2 Loaded module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no auth_type = mschap send_error = no } type = peap Loaded module rlm_eap_peap peap { tls = tls-common virtual_server = "inner-tunnel" require_client_cert = no } ignore_unknown_eap_types = no } eap inner-eap { require_identity_realm = nai default_eap_type = mschapv2 type = md5 type = gtc gtc { challenge = "Password: " auth_type = PAP } type = mschapv2 mschapv2 { with_ntdomain_hack = no auth_type = mschap send_error = no } type = tls tls { tls = tls-peer require_client_cert = yes include_length = yes } ignore_unknown_eap_types = no } Loaded module rlm_exec exec echo { wait = yes input_pairs = &request output_pairs = &reply shell_escape = yes env_inherit = no } Loaded module rlm_escape escape { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } exec { wait = yes input_pairs = &request shell_escape = yes env_inherit = no timeout = 10 } Loaded module rlm_files files { filename = /etc/raddb/mods-config/files/authorize } files files_accounting { filename = /etc/raddb/mods-config/files/accounting } Instantiating ldap ldap { ldap_debug = 0x0000 } global - ldap - libldap vendor: OpenLDAP, version: 20517 global - ldap - extension: X_OPENLDAP global - ldap - extension: THREAD_SAFE global - ldap - extension: SESSION_THREAD_SAFE global - ldap - extension: OPERATION_THREAD_SAFE global - ldap - extension: X_OPENLDAP_REENTRANT global - ldap - extension: X_OPENLDAP_THREAD_SAFE Loaded module rlm_ldap ldap { server = 'ldaps://WIN-DV0HIUUHTPI.freeradius.local:636' identity = 'cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local' password = <<< secret >>> sasl { } options { chase_referrals = yes use_referral_credentials = no referral_depth = 5 rebind = yes net_timeout = 10 idle = 60 probes = 3 interval = 3 srv_timelimit = 3 res_timeout = 10 idle_timeout = 300 reconnection_delay = 10 } tls { ca_file = /etc/raddb/certs/cacert.pem start_tls = no } session_tracking = no user { scope = sub access_positive = yes access_value_negate = "false" access_value_suspend = "suspended" } group { filter = '(objectClass=posixGroup)' scope = sub name_attribute = "cn" membership_attribute = 'memberOf' cacheable_name = yes cacheable_dn = no group_attribute = "ldap-Group" allow_dangling_group_ref = no skip_on_suspend = yes } profile { scope = base } pool { start = 0 min = 1 max = 5 connecting = 2 uses = 0 lifetime = 0 open_delay = 0.2 close_delay = 10.0 manage_interval = 0.2 connection { connect_timeout = 3.0 reconnect_delay = 1 } request { per_connection_max = 2000 per_connection_target = 1000 free_delay = 10.0 } } bind_pool { start = 0 min = 1 max = 1000 connecting = 2 uses = 0 lifetime = 0 open_delay = 0.2 close_delay = 10.0 manage_interval = 0.2 connection { connect_timeout = 3.0 reconnect_delay = 1 } request { per_connection_max = 2000 per_connection_target = 1000 free_delay = 10.0 } } } Loaded module rlm_linelog linelog { destination = file delimiter = "\n" file { permissions = 0600 escape_filenames = no } syslog { severity = "info" } unix { } tcp { server = localhost port = 514 timeout = 2.0 } udp { server = localhost port = 514 timeout = 2.0 } } linelog log_accounting { destination = file delimiter = "\n" file { permissions = 0600 escape_filenames = no } syslog { severity = "info" } unix { } tcp { timeout = 1000 } udp { timeout = 1000 } } linelog log_auth_access_accept { destination = file delimiter = "\n" file { permissions = 0600 escape_filenames = no } syslog { facility = daemon severity = notice } unix { } tcp { timeout = 1000 } udp { timeout = 1000 } } linelog log_auth_access_reject { destination = file delimiter = "\n" file { permissions = 0600 escape_filenames = no } syslog { facility = daemon severity = notice } unix { } tcp { timeout = 1000 } udp { timeout = 1000 } } linelog log_auth_authentication_pass { destination = file delimiter = "\n" file { permissions = 0600 escape_filenames = no } syslog { facility = daemon severity = notice } unix { } tcp { timeout = 1000 } udp { timeout = 1000 } } linelog log_auth_authentication_fail { destination = file delimiter = "\n" file { permissions = 0600 escape_filenames = no } syslog { facility = daemon severity = notice } unix { } tcp { timeout = 1000 } udp { timeout = 1000 } } Loaded module rlm_mschap mschap { normalise = yes use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind { } } exec ntlm_auth { wait = yes shell_escape = yes env_inherit = no } Loaded module rlm_pap pap { normalise = yes } Loaded module rlm_passwd passwd etc_passwd { filename = /etc/passwd format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } Loaded module rlm_radutmp radutmp { check_with_nas = yes permissions = 0600 caller_id = no } radutmp sradutmp { check_with_nas = yes permissions = 0644 caller_id = no } Loaded module rlm_stats stats { } Loaded module rlm_unix unix { } Loaded module rlm_unpack Loaded module rlm_utf8 #### Bootstrapping rlm modules #### Bootstrapping rlm_cache "cache_eap" Bootstrapping rlm_chap "chap" Bootstrapping rlm_delay "delay" Bootstrapping rlm_delay "delay_reject" Bootstrapping rlm_always "disallow" Bootstrapping rlm_eap "eap" Bootstrapping rlm_exec "echo" Bootstrapping rlm_escape "escape" Bootstrapping rlm_exec "exec" Bootstrapping rlm_always "fail" Bootstrapping rlm_always "handled" Bootstrapping rlm_eap "inner-eap" Bootstrapping rlm_always "invalid" Bootstrapping rlm_ldap "ldap" Bootstrapping rlm_linelog "linelog" Bootstrapping rlm_linelog "log_accounting" Bootstrapping rlm_linelog "log_auth_access_accept" Bootstrapping rlm_linelog "log_auth_access_reject" Bootstrapping rlm_linelog "log_auth_authentication_fail" Bootstrapping rlm_linelog "log_auth_authentication_pass" Bootstrapping rlm_mschap "mschap" Bootstrapping rlm_always "noop" Bootstrapping rlm_always "notfound" Bootstrapping rlm_exec "ntlm_auth" Bootstrapping rlm_always "ok" Bootstrapping rlm_always "reject" Bootstrapping rlm_unix "unix" Bootstrapping rlm_always "updated" } # modules #### Instantiating listeners #### Compiling policies in server default { ... } Instantiating proto_radius "default.radius" Instantiating proto_radius "default.tcp_auth" Instantiating proto_radius "default.udp_acct" Instantiating process_radius "default" Compiling policies in - recv Access-Request {...} Reading file /etc/raddb/mods-config/files/authorize /etc/raddb/sites-enabled/default[785]: Ignoring "-sql" as the "sql" module is not enabled. /etc/raddb/policy.d/time[13]: Skipping remaining instructions due to 'return' /etc/raddb/policy.d/time[18]: Please use the 'filter' keyword for attribute filtering Compiling policies in - send Access-Accept {...} /etc/raddb/sites-enabled/default[1104]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - send Access-Challenge {...} Compiling policies in - send Access-Reject {...} /etc/raddb/sites-enabled/default[1219]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - recv Accounting-Request {...} Reading file /etc/raddb/mods-config/files/accounting Compiling policies in - send Accounting-Response {...} Compiling policies in - recv Status-Server {...} Compiling policies in - authenticate pap {...} Compiling policies in - authenticate chap {...} Compiling policies in - authenticate mschap {...} Compiling policies in - authenticate digest {...} Compiling policies in - authenticate ldap {...} Compiling policies in - authenticate eap {...} Compiling policies in - accounting Start {...} /etc/raddb/sites-enabled/default[1340]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - accounting Stop {...} /etc/raddb/sites-enabled/default[1359]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - accounting Interim-Update {...} /etc/raddb/sites-enabled/default[1389]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - accounting Accounting-On {...} /etc/raddb/sites-enabled/default[1404]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - accounting Accounting-Off {...} /etc/raddb/sites-enabled/default[1419]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - accounting Failed {...} /etc/raddb/sites-enabled/default[80]: radius { ... } section is unused /etc/raddb/sites-enabled/default[150]: dictionary { ... } section is unused Compiling policies in server inner-tunnel { ... } Instantiating proto_radius "inner-tunnel.radius" Instantiating process_radius "inner-tunnel" Compiling policies in - recv Access-Request {...} Reading file /etc/raddb/mods-config/files/authorize /etc/raddb/sites-enabled/inner-tunnel[124]: Ignoring "-sql" as the "sql" module is not enabled. /etc/raddb/policy.d/time[13]: Skipping remaining instructions due to 'return' /etc/raddb/policy.d/time[18]: Please use the 'filter' keyword for attribute filtering Compiling policies in - send Access-Accept {...} /etc/raddb/sites-enabled/inner-tunnel[266]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - send Access-Reject {...} /etc/raddb/sites-enabled/inner-tunnel[308]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - authenticate pap {...} Compiling policies in - authenticate chap {...} Compiling policies in - authenticate mschap {...} Compiling policies in - authenticate eap {...} src/lib/server/virtual_servers.c[311]: radius { ... } section is unused Compiling policies in server tacacs { ... } Instantiating proto_tacacs "tacacs.tacacs" Instantiating process_tacacs "tacacs" Compiling policies in - recv Authentication-Start {...} /etc/raddb/sites-enabled/tacacs[232]: Ignoring "-sql" as the "sql" module is not enabled. Compiling policies in - send Authentication-Pass {...} Compiling policies in - send Authentication-Fail {...} Compiling policies in - send Authentication-GetUser {...} Compiling policies in - send Authentication-GetPass {...} Compiling policies in - recv Authentication-Continue {...} Compiling policies in - authenticate PAP {...} Compiling policies in - authenticate CHAP {...} Compiling policies in - authenticate ldap {...} Compiling policies in - authenticate ASCII {...} Compiling policies in - recv Authorization-Request {...} Compiling policies in - send Authorization-Pass-Add {...} Compiling policies in - recv Accounting-Request {...} Compiling policies in - send Accounting-Success {...} Compiling policies in - send Accounting-Error {...} Compiling policies in - accounting Start {...} Compiling policies in - accounting Watchdog-Update {...} Compiling policies in - accounting Watchdog {...} Compiling policies in - accounting Stop {...} /etc/raddb/sites-enabled/tacacs[32]: tacacs { ... } section is unused #### Instantiating rlm modules #### Instantiating rlm_attr_filter "attr_filter.access_challenge" Reading file /etc/raddb/mods-config/attr_filter/access_challenge Instantiating rlm_attr_filter "attr_filter.access_reject" Reading file /etc/raddb/mods-config/attr_filter/access_reject Instantiating rlm_attr_filter "attr_filter.accounting_response" Reading file /etc/raddb/mods-config/attr_filter/accounting_response Instantiating rlm_attr_filter "attr_filter.post-proxy" Reading file /etc/raddb/mods-config/attr_filter/post-proxy Instantiating rlm_attr_filter "attr_filter.pre-proxy" Reading file /etc/raddb/mods-config/attr_filter/pre-proxy Instantiating rlm_detail "auth_log" Instantiating rlm_cache "cache_eap" Instantiating rlm_chap "chap" Instantiating rlm_detail "detail" Instantiating rlm_digest "digest" Instantiating rlm_always "disallow" Instantiating rlm_eap "eap" Instantiating rlm_passwd "etc_passwd" Instantiating rlm_always "fail" Instantiating rlm_always "handled" Instantiating rlm_eap "inner-eap" inner-eap - Failed to find 'authenticate inner-eap {...}' section. EAP authentication will likely not work Instantiating rlm_always "invalid" Instantiating rlm_ldap "ldap" accounting { reference = "%tolower(type.%{Acct-Status-Type})" } post-auth { reference = "." } Instantiating rlm_linelog "linelog" Instantiating rlm_linelog "log_accounting" Instantiating rlm_linelog "log_auth_access_accept" Instantiating rlm_linelog "log_auth_access_reject" Instantiating rlm_linelog "log_auth_authentication_fail" Instantiating rlm_linelog "log_auth_authentication_pass" Instantiating rlm_mschap "mschap" mschap - Using internal authentication Instantiating rlm_always "noop" Instantiating rlm_always "notfound" Instantiating rlm_always "ok" Instantiating rlm_pap "pap" Instantiating rlm_detail "post_proxy_log" Instantiating rlm_detail "pre_proxy_log" Instantiating rlm_always "reject" Instantiating rlm_detail "reply_log" Instantiating rlm_stats "stats" Instantiating rlm_always "updated" Instantiating _cache_rbtree "cache_eap.rbtree" Instantiating _eap_mschapv2 "eap.mschapv2" Instantiating _eap_peap "eap.peap" tls-config tls-common { chain rsa { format = pem certificate_file = /etc/raddb/certs/rsa/server.pem private_key_password = <<< secret >>> private_key_file = /etc/raddb/certs/rsa/server.key ca_file = /etc/raddb/certs/rsa/ca.pem verify_mode = hard include_root_ca = no } verify_depth = 0 ca_path = /etc/raddb/certs ca_file = /etc/raddb/certs/rsa/ca.pem dh_file = /etc/raddb/certs/dh fragment_size = 1024 cipher_list = "DEFAULT" cipher_server_preference = yes allow_renegotiation = no ecdh_curve = prime256v1 tls_min_version = 1.2 session { mode = auto tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless" name = "%{EAP-Type}%interpreter(server)" lifetime = 1d require_extended_master_secret = yes require_perfect_forward_secrecy = no } verify { mode = all attribute_mode = client-and-issuer check_crl = no } } Instantiating _eap_tls "eap.tls" tls - Using cached TLS configuration from previous invocation Instantiating _eap_ttls "eap.ttls" tls - Using cached TLS configuration from previous invocation Instantiating _eap_mschapv2 "inner-eap.mschapv2" Instantiating _eap_tls "inner-eap.tls" tls-config tls-peer { chain { format = pem certificate_file = /etc/raddb/certs/rsa/server.pem private_key_password = <<< secret >>> private_key_file = /etc/raddb/certs/rsa/server.key ca_file = /etc/raddb/certs/rsa/ca.pem verify_mode = hard include_root_ca = no } verify_depth = 0 ca_path = /etc/raddb/certs ca_file = /etc/raddb/certs/rsa/ca.pem dh_file = /etc/raddb/certs/dh fragment_size = 16384 cipher_server_preference = yes allow_renegotiation = no ecdh_curve = "prime256v1" tls_min_version = 1.2 session { mode = auto tls - A virtual_server must be provided for stateful caching. cache.mode = "auto" rewritten to cache.mode = "stateless" name = "%{EAP-Type}%interpreter(server)" lifetime = 1d require_extended_master_secret = yes require_perfect_forward_secrecy = no } verify { mode = all attribute_mode = client-and-issuer check_crl = no } } Looking for LDAP connection to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" bound as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local" No existing connection found - creating new one Scheduler created in single-threaded mode #### Opening listener interfaces #### Listening on radius_udp server * port 1812 bound to virtual server default Listening on radius_tcp server * port 1812 bound to virtual server default Listening on radius_udp server * port 1813 bound to virtual server default Listening on radius_udp server 127.0.0.1 port 18120 bound to virtual server inner-tunnel Listening on tacacs_tcp server * port 49 bound to virtual server tacacs Ready to process requests rlm_ldap - [1] - Signalled to start from HALTED state rlm_ldap - [1] - Connection changed state HALTED -> INIT rlm_ldap - [1] Trunk connection changed state HALTED -> INIT Starting bind operation rlm_ldap - [1] - Connection changed state INIT -> CONNECTING rlm_ldap - [1] Trunk connection changed state INIT -> CONNECTING Bind as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local" to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" successful rlm_ldap - [1] - Signalled connected from CONNECTING state rlm_ldap - [1] - Connection changed state CONNECTING -> CONNECTED rlm_ldap - [1] - Connection established rlm_ldap - [1] Trunk connection changed state CONNECTING -> ACTIVE rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base" Got search entry response for message 2 rlm_ldap (ldap) - Directory type: Active Directory rlm_ldap (ldap) - Directory supports LDAP_SERVER_NOTIFICATION_OID proto_tacacs_tcp - starting connection tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49 Listening on tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49 bound to virtual server tacacs proto_tacacs_tcp - Received Authentication seq_no 1 length 64 tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49 (0) Received Authentication-Start ID 1 from 127.0.0.1:53534 to 127.0.0.1:49 length 64 via socket tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49 (0) Packet { (0) Version-Major = Plus (0) Version-Minor = 1 (0) Packet-Type = Authentication (0) Sequence-Number = 1 (0) Flags = None (0) Session-Id = 1085304268 (0) Length = 52 (0) } (0) Packet-Body-Type = Start (0) Action = LOGIN (0) Privilege-Level = Minimum (0) Authentication-Type = PAP (0) Authentication-Service = LOGIN (0) User-Name = "test" (0) Client-Port = "python_tty0" (0) Remote-Address = "python_device" (0) User-Password = "RUrMV9nmkQUSthyy" Worker - Resetting cleanup timer to +30 (0) tacacs { (0) Running 'recv Authentication-Start' from file /etc/raddb/sites-enabled/tacacs (0) recv Authentication-Start { (0) &control.Auth-Type := 658583602 (0) } # recv Authentication-Start (noop) (0) Running 'authenticate ldap' from file /etc/raddb/sites-enabled/tacacs (0) authenticate ldap { (0) | %{&Stripped-User-Name || &User-Name} (0) | || (0) | &Stripped-User-Name (0) | %logical_or() (0) | &Stripped-User-Name (0) (null) (0) | &User-Name (0) | %logical_or(...) (0) | &User-Name (0) | --> test (0) | %logical_or(...) (0) | --> test (0) ldap - Login attempt with password (0) Looking for LDAP connection to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" bound as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local" (0) rlm_ldap - [1] Trunk connection assigned request 2 (0) ldap - Performing search in "dc=freeradius,dc=local" with filter "(sAMAccountName=test)", scope "sub" (0) ldap - Got search entry response for message 3 (0) ldap - function - Resuming execution (0) User object found at DN "CN=test,CN=Users,DC=freeradius,DC=local" (0) Using user DN from request "CN=test,CN=Users,DC=freeradius,DC=local" (0) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local" rlm_ldap bind auth - [2] - Signalled to start from HALTED state rlm_ldap bind auth - [2] - Connection changed state HALTED -> INIT rlm_ldap bind auth - [2] Trunk connection changed state HALTED -> INIT Starting bind operation rlm_ldap bind auth - [2] - Connection changed state INIT -> CONNECTING rlm_ldap bind auth - [2] Trunk connection changed state INIT -> CONNECTING Bind as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local" to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" successful rlm_ldap bind auth - [2] - Signalled connected from CONNECTING state rlm_ldap bind auth - [2] - Connection changed state CONNECTING -> CONNECTED rlm_ldap bind auth - [2] - Connection established rlm_ldap bind auth - [2] Trunk connection changed state CONNECTING -> ACTIVE (0) ldap - rlm_ldap bind auth - [2] Trunk connection assigned request 3 rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> FULL (0) ldap - Starting bind auth operation as CN=test,CN=Users,DC=freeradius,DC=local (0) ldap - function - Resuming execution (0) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful rlm_ldap bind auth - [2] Trunk connection changed state FULL -> ACTIVE (0) ldap - ldap (ok) (0) } # authenticate ldap (ok) (0) Running 'send Authentication-Pass' from file /etc/raddb/sites-enabled/tacacs (0) send Authentication-Pass { (0) | %{User-Name} (0) | --> test (0) &reply.Server-Message := Hello test (0) } # send Authentication-Pass (noop) (0) tacacs (ok) (0) } # tacacs (ok) (0) Done request (0) Sending Authentication-Pass ID 2 from 127.0.0.1:49 to 127.0.0.1:53534 length 28 via socket tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49 (0) Packet-Type = Authentication-Pass (0) Server-Message = "Hello test" (0) Finished request proto_tacacs_tcp - cleaning up TIMER - setting idle timeout for connection from client tacacs Network - Socket tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49 closed by peer Closing connection tacacs_tcp from client 127.0.0.1 port 53534 to server * port 49 proto_tacacs_tcp - starting connection tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49 Listening on tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49 bound to virtual server tacacs proto_tacacs_tcp - Received Authentication seq_no 1 length 48 tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49 (1) Received Authentication-Start ID 1 from 127.0.0.1:53476 to 127.0.0.1:49 length 48 via socket tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49 (1) Packet { (1) Version-Major = Plus (1) Version-Minor = 1 (1) Packet-Type = Authentication (1) Sequence-Number = 1 (1) Flags = None (1) Session-Id = 718923347 (1) Length = 36 (1) } (1) Packet-Body-Type = Start (1) Action = LOGIN (1) Privilege-Level = Minimum (1) Authentication-Type = PAP (1) Authentication-Service = LOGIN (1) User-Name = "test" (1) Client-Port = "python_tty0" (1) Remote-Address = "python_device" (1) User-Password = "" (1) tacacs { (1) Running 'recv Authentication-Start' from file /etc/raddb/sites-enabled/tacacs (1) recv Authentication-Start { (1) &control.Auth-Type := 658583602 (1) } # recv Authentication-Start (noop) (1) Running 'authenticate ldap' from file /etc/raddb/sites-enabled/tacacs (1) authenticate ldap { (1) | %{&Stripped-User-Name || &User-Name} (1) | || (1) | &Stripped-User-Name (1) | %logical_or() (1) | &Stripped-User-Name (1) (null) (1) | &User-Name (1) | %logical_or(...) (1) | &User-Name (1) | --> test (1) | %logical_or(...) (1) | --> test (1) ldap - Login attempt with password (1) Looking for LDAP connection to "ldaps://WIN-DV0HIUUHTPI.freeradius.local:636" bound as "cn=freeradius-ldap,cn=Users,dc=freeradius,dc=local" (1) rlm_ldap - [1] Trunk connection assigned request 4 (1) ldap - Performing search in "dc=freeradius,dc=local" with filter "(sAMAccountName=test)", scope "sub" (1) ldap - Got search entry response for message 4 (1) ldap - function - Resuming execution (1) User object found at DN "CN=test,CN=Users,DC=freeradius,DC=local" (1) Using user DN from request "CN=test,CN=Users,DC=freeradius,DC=local" (1) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local" (1) rlm_ldap bind auth - [2] Trunk connection assigned request 5 rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> FULL (1) ldap - Starting bind auth operation as CN=test,CN=Users,DC=freeradius,DC=local (1) ldap - function - Resuming execution (1) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful rlm_ldap bind auth - [2] Trunk connection changed state FULL -> ACTIVE (1) ldap - ldap (ok) (1) } # authenticate ldap (ok) (1) Running 'send Authentication-Pass' from file /etc/raddb/sites-enabled/tacacs (1) send Authentication-Pass { (1) | %{User-Name} (1) | --> test (1) &reply.Server-Message := Hello test (1) } # send Authentication-Pass (noop) (1) tacacs (ok) (1) } # tacacs (ok) (1) Done request (1) Sending Authentication-Pass ID 2 from 127.0.0.1:49 to 127.0.0.1:53476 length 28 via socket tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49 (1) Packet-Type = Authentication-Pass (1) Server-Message = "Hello test" (1) Finished request proto_tacacs_tcp - cleaning up TIMER - setting idle timeout for connection from client tacacs Network - Socket tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49 closed by peer Closing connection tacacs_tcp from client 127.0.0.1 port 53476 to server * port 49 ^CSignalled to terminate Exiting normally rlm_ldap - [1] - Signalled to halt from CONNECTED state rlm_ldap - [1] - Connection changed state CONNECTED -> CLOSED rlm_ldap - [1] Trunk connection changed state ACTIVE -> CLOSED rlm_ldap - [1] - Connection changed state CLOSED -> HALTED rlm_ldap - [1] Trunk connection changed state CLOSED -> HALTED rlm_ldap bind auth - [2] - Signalled to halt from CONNECTED state rlm_ldap bind auth - [2] - Connection changed state CONNECTED -> CLOSED rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> CLOSED rlm_ldap bind auth - [2] - Connection changed state CLOSED -> HALTEDrlm_ldap bind auth - [2] Trunk connection changed state CLOSED -> HALTED Thanks in advance for any help, Simon
On 06/05/2024 11:30, Simon N via Freeradius-Users wrote:
I am currently testing version 4. I am using the latest commit (3b422574). I noticed that if the LDAP module is configured with an Active Directory, a user can successfully log in with an empty password. I think that this behaviour is not correct or?
(1) User object found at DN "CN=test,CN=Users,DC=freeradius,DC=local" (1) Using user DN from request "CN=test,CN=Users,DC=freeradius,DC=local" (1) Login attempt as "CN=test,CN=Users,DC=freeradius,DC=local" (1) rlm_ldap bind auth - [2] Trunk connection assigned request 5 rlm_ldap bind auth - [2] Trunk connection changed state ACTIVE -> FULL (1) ldap - Starting bind auth operation as CN=test,CN=Users,DC=freeradius,DC=local (1) ldap - function - Resuming execution (1) Bind as user "CN=test,CN=Users,DC=freeradius,DC=local" was successful
The key here is that AD has allowed the user to bind - FreeRADIUS ldap authentication attempts to bind as the user, having used the appropriate filter to find the user's DN - if AD has accepted that bind, then the user is authenticated. So AD has not required the use of a password. If AD cannot be configured to require a password for LDAP binds, then you should add policy to your FreeRADIUS configuration to reject authentication requests without a password. Nick -- Nick Porter
Thank you for the quick response. I have now reconfigured the Active Directory so that unauthenticated LDAP binds are no longer allowed and so it works correctly. If anyone else has the problem, I used this guide https://blog.lithnet.io/2018/12/disabling-unauthenticated-binds-in.html
participants (2)
-
Nick Porter -
Simon N