Freeradius experts, I am trying to configure freeradius to use openldap as a backend for authentication, but I can't seem to get the passwords to authenticate. It seems to have no problem binding and finding the username (uid). I am using crypt passwords in the ldap userPassword field: userPassword:: e1NTSEF9aXBWQklEYnZYSU9RdWl2V0ZtdGR5MWxIWFFsZWVCMjQ= I am not using any radius attributes. I simply want to allow any uid to authenticate. I get these results: rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59 User-Name = "tylertj" User-Password = "xxxxxx" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 rlm_ldap: - authorize rlm_ldap: performing user authorization for tylertj rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to ldap.beloit.edu:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/cacert.cer rlm_ldap: starting TLS rlm_ldap: bind as / to ldap.beloit.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tylertj authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59 Sending Access-Reject of id 60 to 144.89.40.8:59881 What might I be doing wrong? I presume that the ldap server doesn't have to store the passwords in plain text, correct? I can store them in md5 or SHA1 hash if I want, correct? I did uncomment: authenticate { Auth-Type LDAP { ldap } Am I wrong to think this is now a password issue? Tim Tim Tyler Network Engineer - Beloit College tyler@beloit.edu
Use Crypt-Password not User-Password. Ivan Kalik Kalik Informatika ISP Dana 5/3/2007, "Tim Tyler" <tyler@beloit.edu> piše:
Freeradius experts, I am trying to configure freeradius to use openldap as a backend for authentication, but I can't seem to get the passwords to authenticate. It seems to have no problem binding and finding the username (uid). I am using crypt passwords in the ldap userPassword field: userPassword:: e1NTSEF9aXBWQklEYnZYSU9RdWl2V0ZtdGR5MWxIWFFsZWVCMjQ=
I am not using any radius attributes. I simply want to allow any uid to authenticate. I get these results:
rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59 User-Name = "tylertj" User-Password = "xxxxxx" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 rlm_ldap: - authorize rlm_ldap: performing user authorization for tylertj rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to ldap.beloit.edu:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/cacert.cer rlm_ldap: starting TLS rlm_ldap: bind as / to ldap.beloit.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tylertj authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59 Sending Access-Reject of id 60 to 144.89.40.8:59881
What might I be doing wrong? I presume that the ldap server doesn't have to store the passwords in plain text, correct? I can store them in md5 or SHA1 hash if I want, correct? I did uncomment:
authenticate { Auth-Type LDAP { ldap }
Am I wrong to think this is now a password issue? Tim
Tim Tyler Network Engineer - Beloit College tyler@beloit.edu
Ivan, Sorry to bother you again. Where should I apply the Crypt-Password? Should I apply it in radiusd.conf or in the ldap.attrmap file? What line were you referring to? My ldap database stores the password in userPassword field. I assume that I should keep password_attribute = userPassword in the radiusd.conf file, correct? Tim At 04:51 PM 3/5/2007, you wrote:
Use Crypt-Password not User-Password.
Ivan Kalik Kalik Informatika ISP
Dana 5/3/2007, "Tim Tyler" <tyler@beloit.edu> pi¹e:
Freeradius experts, I am trying to configure freeradius to use openldap as a backend for authentication, but I can't seem to get the passwords to authenticate. It seems to have no problem binding and finding the username (uid). I am using crypt passwords in the ldap userPassword field: userPassword:: e1NTSEF9aXBWQklEYnZYSU9RdWl2V0ZtdGR5MWxIWFFsZWVCMjQ=
I am not using any radius attributes. I simply want to allow any uid to authenticate. I get these results:
rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59 User-Name = "tylertj" User-Password = "xxxxxx" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 rlm_ldap: - authorize rlm_ldap: performing user authorization for tylertj rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to ldap.beloit.edu:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/cacert.cer rlm_ldap: starting TLS rlm_ldap: bind as / to ldap.beloit.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tylertj authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59 Sending Access-Reject of id 60 to 144.89.40.8:59881
What might I be doing wrong? I presume that the ldap server doesn't have to store the passwords in plain text, correct? I can store them in md5 or SHA1 hash if I want, correct? I did uncomment:
authenticate { Auth-Type LDAP { ldap }
Am I wrong to think this is now a password issue? Tim
Tim Tyler Network Engineer - Beloit College tyler@beloit.edu
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Tim Tyler Network Engineer - Beloit College tyler@beloit.edu
You need to change password_radius_attribute to Crypt-Password. It defaults to clear password type (User-Password). Ivan Kalik Kalik Informatika ISP Dana 6/3/2007, "Tim Tyler" <tyler@beloit.edu> piše:
Ivan, Sorry to bother you again. Where should I apply the Crypt-Password? Should I apply it in radiusd.conf or in the ldap.attrmap file? What line were you referring to? My ldap database stores the password in userPassword field. I assume that I should keep password_attribute = userPassword in the radiusd.conf file, correct? Tim
At 04:51 PM 3/5/2007, you wrote:
Use Crypt-Password not User-Password.
Ivan Kalik Kalik Informatika ISP
Dana 5/3/2007, "Tim Tyler" <tyler@beloit.edu> piše:
Freeradius experts, I am trying to configure freeradius to use openldap as a backend for authentication, but I can't seem to get the passwords to authenticate. It seems to have no problem binding and finding the username (uid). I am using crypt passwords in the ldap userPassword field: userPassword:: e1NTSEF9aXBWQklEYnZYSU9RdWl2V0ZtdGR5MWxIWFFsZWVCMjQ=
I am not using any radius attributes. I simply want to allow any uid to authenticate. I get these results:
rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59 User-Name = "tylertj" User-Password = "xxxxxx" NAS-IP-Address = 255.255.255.255 NAS-Port = 1812 rlm_ldap: - authorize rlm_ldap: performing user authorization for tylertj rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to ldap.beloit.edu:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/cacert.cer rlm_ldap: starting TLS rlm_ldap: bind as / to ldap.beloit.edu:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tylertj authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59 Sending Access-Reject of id 60 to 144.89.40.8:59881
What might I be doing wrong? I presume that the ldap server doesn't have to store the passwords in plain text, correct? I can store them in md5 or SHA1 hash if I want, correct? I did uncomment:
authenticate { Auth-Type LDAP { ldap }
Am I wrong to think this is now a password issue? Tim
Tim Tyler Network Engineer - Beloit College tyler@beloit.edu
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Tim Tyler Network Engineer - Beloit College tyler@beloit.edu
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Tim Tyler -
tnt@kalik.co.yu