FreeRadius and MacOsx (LDAP vs Kerberos)
Hello guys, I spent many days testing and working with free-radius and LDAP. I got my app, was working authenticating on my LDAP thru FreeRadius, i seed to be what I was looking for... BUT I tested everything with OpenLDAP on Linux but my "real world", in this case, is OpenLDAP on MAC OSX Server (open-directory) an it seems to be pretty different. I was getting the password from LDAP (on linux) with the field "userPassword" but on the Mac OSX Server implementation the "userPassword" is not used..., all the users have the same base64 encoded fake password, which is (decoded) "*******". I need to authenticate all my users thru freeradius and using the MACosX Server as backend... I suppose that Kerberos is the only way, which remains but I have no experience on Kerberos and Freeradius... I read, there was something to achieve this aim but right now.., I'm not able to find something useful on google... Do you have some idea? Some suggest? I'm freking out :( Cheers, Max
Massimiliano Tommasi wrote:
I tested everything with OpenLDAP on Linux but my "real world", in this case, is OpenLDAP on MAC OSX Server (open-directory) an it seems to be pretty different.
See rlm_opendirectory. It's written by Apple, so I suspect it should work. :) Just list "opendirectory" in the "authorize" and "authenticate" sections. Alan DeKok.
You are pretty right ;) I have just recompiled freeradius with that module, which I need... It seems to be what I need but ... I notice a lack of documentation for that module.. I have found nothing at all :( Could you suggest me some doc or/and example of the conf, please? Max Il 26/07/11 22.40, Alan DeKok ha scritto:
Massimiliano Tommasi wrote:
I tested everything with OpenLDAP on Linux but my "real world", in this case, is OpenLDAP on MAC OSX Server (open-directory) an it seems to be pretty different.
See rlm_opendirectory. It's written by Apple, so I suspect it should work. :)
Just list "opendirectory" in the "authorize" and "authenticate" sections.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Massimiliano Tommasi wrote:
You are pretty right ;) I have just recompiled freeradius with that module, which I need... It seems to be what I need but ... I notice a lack of documentation for that module.. I have found nothing at all :( Could you suggest me some doc or/and example of the conf, please?
I said:
Just list "opendirectory" in the "authorize" and "authenticate" sections.
That's it. It's that simple. It doesn't need more documentation. Alan DeKok.
That's working, Alan. Thanks. Max Il 27/07/11 14.54, Alan DeKok ha scritto:
Massimiliano Tommasi wrote:
You are pretty right ;) I have just recompiled freeradius with that module, which I need... It seems to be what I need but ... I notice a lack of documentation for that module.. I have found nothing at all :( Could you suggest me some doc or/and example of the conf, please?
I said:
Just list "opendirectory" in the "authorize" and "authenticate" sections.
That's it.
It's that simple. It doesn't need more documentation.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I got the first step..., FreeRadius and OpenDirectory are "speaking" the same language BUT I'm not able to authenticate the users... On the client side I have a function to get the chap and on the server side I don't save the password in hashing manner (i guess) ... When I try to auth, this is the output: rad_recv: Access-Request packet from host 192.168.58.126 port 55684, id=4, length=234 Vendor-14559-Attr-8 = 0x312e322e33 User-Name = "root" CHAP-Challenge = 0x0edd76439301b38946e175305f4f951f CHAP-Password = 0x0009043c756f718e348b26b5300f0e10ab Service-Type = Login-User Acct-Session-Id = "4e30263e00000001" Framed-IP-Address = 10.10.0.1 NAS-Port-Type = Wireless-802.11 NAS-Port = 1 NAS-Port-Id = "00000001" Calling-Station-Id = "00-23-DF-8E-F7-7A" Called-Station-Id = "00-60-E0-E0-A4-D4" NAS-IP-Address = 10.10.0.15 NAS-Identifier = "kenny" WISPr-Logoff-URL = "http://10.10.0.15:3990/logoff" Message-Authenticator = 0x02107a4aa5448c95bcb1c66989947389 +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "root", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[unix] returns updated ++[files] returns noop rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 192.168.58.126 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. ++[opendirectory] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by "root" with CHAP password [chap] Cleartext-Password is required for authentication ++[chap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> root attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 10 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.58.126 port 55684, id=4, length=234 Waiting to send Access-Reject to client lan port 55684 - ID: 4 Waking up in 0.9 seconds. Sending delayed reject for request 10 Sending Access-Reject of id 4 to 192.168.58.126 port 55684 Waking up in 4.9 seconds. Cleaning up request 10 ID 4 with timestamp +1898 Ready to process requests. I have some doubt on the Apple side.., is the server asking for clear password on the apple side? I hope you can help me, one more time. Cheers, Max Il 27/07/11 14.54, Alan DeKok ha scritto:
Massimiliano Tommasi wrote:
You are pretty right ;) I have just recompiled freeradius with that module, which I need... It seems to be what I need but ... I notice a lack of documentation for that module.. I have found nothing at all :( Could you suggest me some doc or/and example of the conf, please?
I said:
Just list "opendirectory" in the "authorize" and "authenticate" sections.
That's it.
It's that simple. It doesn't need more documentation.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- :: P u r p l e s r l :: security and network :: via Vittorio Veneto 8/B :: i-20091 Bresso - Milano :: web: www.purplesrl.com :: Massimiliano Tommasi :: email: m.tommasi@purplesrl.com :: phone: +39 02 36687280 :: fax: +39 02 700511249
Massimiliano Tommasi wrote:
I got the first step..., FreeRadius and OpenDirectory are "speaking" the same language BUT I'm not able to authenticate the users...
Please READ the debug output. Honestly, it's not that hard.
On the client side I have a function to get the chap and on the server side I don't save the password in hashing manner (i guess) ...
You can't do CHAP with OpenDirectory. READ the debug output you posted.
I have some doubt on the Apple side.., is the server asking for clear password on the apple side?
You can't do CHAP with OpenDirectory. Alan DeKok.
You are right, Alan. I hoped there was a solution to this but evidently it's not possible. The only way is to disable the chap on the client-side. Regards, Max Il 27/07/11 17.14, Alan DeKok ha scritto:
Massimiliano Tommasi wrote:
I got the first step..., FreeRadius and OpenDirectory are "speaking" the same language BUT I'm not able to authenticate the users...
Please READ the debug output. Honestly, it's not that hard.
On the client side I have a function to get the chap and on the server side I don't save the password in hashing manner (i guess) ...
You can't do CHAP with OpenDirectory. READ the debug output you posted.
I have some doubt on the Apple side.., is the server asking for clear password on the apple side?
You can't do CHAP with OpenDirectory.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Massimiliano Tommasi