After fighting with an upgrade from freeradius-1.0.3 to 2.1.1, both do a simple LDAP authorize/PAP authenticate (no tls, no eap, no chap, no inner-tunnel, nothing else), I've stumbled on what seems to fix my problem, and am curious if my fix makes sense, and will continue to be supported. I'm not including full debug output and config files in this post because I'm not looking for help on what I've done wrong, just whether this part of the configuration is valid. I'm happy to provide more detail if its desired. Built from freeradius-server-2.1.1 source, downloaded about 2 weeks ago from the Freeradius main site, on FreeBSD 7-1-PRERELEASE. With 2.1.1, I had no trouble getting rlm_ldap to connect to my OpenLDAP server, and after putting in a Cleartext-Passwrod entry in ldap.attrsmap, rlm_ldap would authorize fine, and everything seemed ok, except I couldn't get pap to understand the encryption scheme: [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testing" [pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm." [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test/testing] (from client localhost port 1) No amount of changing settings in modules/pap and other config files would help. I finally noticed in the rlm_ldap debug output "auto_headers = no". So, I set auto_headers = yes in modules/ldap, and login passes. Remove it, and login fails. Is it only some odd ball, simplistic configurations like mine that this should be required? I was unable to find any mention of this as an ldap module setting except in rlm_ldap.c, which I didn't think to look in until after the fact. Thank you for your time, tim
Tim Palmer wrote:
With 2.1.1, I had no trouble getting rlm_ldap to connect to my OpenLDAP server, and after putting in a Cleartext-Passwrod entry in ldap.attrsmap,
That's the issue. DON'T do that.
rlm_ldap would authorize fine, and everything seemed ok, except I couldn't get pap to understand the encryption scheme:
[pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testing" [pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."
Because you told it that the userPassword LDAP field was a clear-text password. The PAP module is *supposed* to do the "auto-header" thing itself. It can't, becaue you told it that the above text WAS the password.
Is it only some odd ball, simplistic configurations like mine that this should be required? I was unable to find any mention of this as an ldap module setting except in rlm_ldap.c, which I didn't think to look in until after the fact.
The LDAP auto-header configuration is deprecated. The PAP module is supposed to do that work now. Alan DeKok.
No amount of changing settings in modules/pap and other config files would help. I finally noticed in the rlm_ldap debug output "auto_headers = no".
So, I set auto_headers = yes in modules/ldap, and login passes. Remove it, and login fails.
Are you saying that if you enable auto_header in pap module authentication fails but if you enable it in ldap it works? Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
No amount of changing settings in modules/pap and other config files would help. I finally noticed in the rlm_ldap debug output "auto_headers = no".
So, I set auto_headers = yes in modules/ldap, and login passes. Remove it, and login fails.
Are you saying that if you enable auto_header in pap module authentication fails but if you enable it in ldap it works?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
That is correct. I haven't yet tried disabling auto_header in pap module with it enabled in ldap, but enable/disable in ldap module, with it set in pap gives repeatable joy/no joy.
I had a look at the code and from what I see password value should be added to a User-Password attribute. Can you post the whole debug with auto_header disabled in ldap (and enabled in pap). You haven't mapped userPassword to Cleartext-Password by any chance? Ivan Kalik Kalik Informatika ISP Dana 11/11/2008, "Tim Palmer" <tpalmer@bestweb.net> piše:
tnt@kalik.net wrote:
No amount of changing settings in modules/pap and other config files would help. I finally noticed in the rlm_ldap debug output "auto_headers = no".
So, I set auto_headers = yes in modules/ldap, and login passes. Remove it, and login fails.
Are you saying that if you enable auto_header in pap module authentication fails but if you enable it in ldap it works?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
That is correct. I haven't yet tried disabling auto_header in pap module with it enabled in ldap, but enable/disable in ldap module, with it set in pap gives repeatable joy/no joy. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Full disclosure - I did try an install from ports, then removed the port and rerun ldconfig. I did not recompile/install freeradius after the port excercise. ======= Why yes, I did map Cleartext-Password, since the debug error ( and various list postings) seemed clear on that: ldap.attrmap: checkItem Cleartext-Password userPassword ============================== modules/ldap: ldap { server = "xxx.xxx.xxx.xxx" identity = "cn=radiusd,ou=services,dc=xxxx,dc=net" password = xxxxx basedn = "ou=xxxx.net,ou=domains,dc=xxxxx,dc=net" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" ldap_connections_number = 10 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no # cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd # require_cert = "demand" } default_profile = "cn=default,ou=radiusprofiles,dc=xxxxx,dc=net" dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no groupname_attribute = radiusGroupName groupmembership_filter = "(&(uid=%{Stripped-User-Name:=%{User-Name}}))(objectclass=radiusProfile)" groupmembership_attribute = radiusGroupName password_attribute = userPassword password_header = "{crypt}" # auto_header = "yes" # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes compare_check_items = no do_xlat = no set_auth_type = yes #ldap_debug = 0x0028 } ================================================= modules/pap: pap { auto_header = yes } ================================================= DEBUG STARTUP # ../../sbin/radiusd -X FreeRADIUS Version 2.1.1, for host i386-unknown-freebsd7.0, built on Nov 1 2008 at 08:57:35 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/freeradius/etc/raddb/radiusd.conf including configuration file /usr/local/freeradius/etc/raddb/proxy.conf including configuration file /usr/local/freeradius/etc/raddb/clients.conf including files in directory /usr/local/freeradius/etc/raddb/modules/ including configuration file /usr/local/freeradius/etc/raddb/modules/acct_unique including configuration file /usr/local/freeradius/etc/raddb/modules/always including configuration file /usr/local/freeradius/etc/raddb/modules/attr_filter including configuration file /usr/local/freeradius/etc/raddb/modules/attr_rewrite including configuration file /usr/local/freeradius/etc/raddb/modules/chap including configuration file /usr/local/freeradius/etc/raddb/modules/checkval including configuration file /usr/local/freeradius/etc/raddb/modules/counter including configuration file /usr/local/freeradius/etc/raddb/modules/detail including configuration file /usr/local/freeradius/etc/raddb/modules/detail.example.com including configuration file /usr/local/freeradius/etc/raddb/modules/detail.log including configuration file /usr/local/freeradius/etc/raddb/modules/digest including configuration file /usr/local/freeradius/etc/raddb/modules/echo including configuration file /usr/local/freeradius/etc/raddb/modules/etc_group including configuration file /usr/local/freeradius/etc/raddb/modules/exec including configuration file /usr/local/freeradius/etc/raddb/modules/expiration including configuration file /usr/local/freeradius/etc/raddb/modules/expr including configuration file /usr/local/freeradius/etc/raddb/modules/files including configuration file /usr/local/freeradius/etc/raddb/modules/inner-eap including configuration file /usr/local/freeradius/etc/raddb/modules/ippool including configuration file /usr/local/freeradius/etc/raddb/modules/krb5 including configuration file /usr/local/freeradius/etc/raddb/modules/ldap including configuration file /usr/local/freeradius/etc/raddb/modules/linelog including configuration file /usr/local/freeradius/etc/raddb/modules/logintime including configuration file /usr/local/freeradius/etc/raddb/modules/mac2ip including configuration file /usr/local/freeradius/etc/raddb/modules/mac2vlan including configuration file /usr/local/freeradius/etc/raddb/modules/mschap including configuration file /usr/local/freeradius/etc/raddb/modules/pam including configuration file /usr/local/freeradius/etc/raddb/modules/pap including configuration file /usr/local/freeradius/etc/raddb/modules/passwd including configuration file /usr/local/freeradius/etc/raddb/modules/policy including configuration file /usr/local/freeradius/etc/raddb/modules/preprocess including configuration file /usr/local/freeradius/etc/raddb/modules/radutmp including configuration file /usr/local/freeradius/etc/raddb/modules/realm including configuration file /usr/local/freeradius/etc/raddb/modules/smbpasswd including configuration file /usr/local/freeradius/etc/raddb/modules/sql_log including configuration file /usr/local/freeradius/etc/raddb/modules/sradutmp including configuration file /usr/local/freeradius/etc/raddb/modules/unix including configuration file /usr/local/freeradius/etc/raddb/modules/wimax including configuration file /usr/local/freeradius/etc/raddb/sql.conf including files in directory /usr/local/freeradius/etc/raddb/sites-enabled/ including configuration file /usr/local/freeradius/etc/raddb/sites-enabled/default group = radiusd user = radiusd including dictionary file /usr/local/freeradius/etc/raddb/dictionary main { prefix = "/usr/local/freeradius" localstatedir = "/usr/local/freeradius/var" logdir = "/usr/local/freeradius/var/log/radius" libdir = "/usr/local/freeradius/lib" radacctdir = "/usr/local/freeradius/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/local/freeradius/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/freeradius/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = no } } client 127.0.0.1 { require_message_authenticator = no secret = "testing123" shortname = "localhost" nastype = "other" login = "root" password = "pass" } client xxxxx { require_message_authenticator = no secret = "xxxxx" shortname = "nagios" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } realm bestweb.net { authhost = LOCAL } realm LOCAL { authhost = LOCAL accthost = LOCAL } realm NULL { authhost = LOCAL accthost = LOCAL } realm DEFAULT { authhost = LOCAL accthost = LOCAL } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = yes } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/freeradius/etc/raddb/huntgroups" hints = "/usr/local/freeradius/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/freeradius/etc/raddb/users" acctusersfile = "/usr/local/freeradius/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/freeradius/etc/raddb/preproxy_users" compat = "no" } [/usr/local/freeradius/etc/raddb/users]:3 WARNING! Changing 'Service-Type =' to 'Service-Type ==' for comparing RADIUS attribute in check item list for user systems Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "xxxxx" port = 389 password = "xxxxx" identity = "cn=radiusd,ou=services,dc=xxxxx,dc=net" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" default_profile = "cn=default,ou=radiusprofiles,dc=xxxxxx,dc=net" password_header = "{crypt}" password_attribute = "userPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "radiusGroupName" groupmembership_filter = "(&(uid=%{Stripped-User-Name:=%{User-Name}}))(objectclass=radiusProfile)" groupmembership_attribute = "radiusGroupName" dictionary_mapping = "/usr/local/freeradius/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 10 compare_check_items = no do_xlat = no set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /usr/local/freeradius/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP userPassword mapped to RADIUS Cleartext-Password rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x811a2a0 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 1645 } listen { type = "acct" ipaddr = 127.0.0.1 port = 1646 } Listening on authentication address 127.0.0.1 port 1645 Listening on accounting address 127.0.0.1 port 1646 Listening on proxy address 127.0.0.1 port 1647 Ready to process requests. ============================ Authentication attempt rad_recv: Access-Request packet from host 127.0.0.1 port 50442, id=123, length=56 User-Name = "test" User-Password = "testing" NAS-IP-Address = xxxxxxx NAS-Port = 1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "test" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok rlm_ldap: Entering ldap_groupcmp() [files] expand: ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net -> ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 209.94.103.52:389, authentication 0 rlm_ldap: bind as cn=radiusd,ou=services,dc=xxxxx,dc=net/xxxxx to xxx.xxx.xxx.xxx:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net, with filter (uid=test) rlm_ldap: ldap_release_conn: Release Id: 0 [files] expand: (&(uid=%{Stripped-User-Name:=%{User-Name}}))(objectclass=radiusProfile) -> (&(uid=))(objectclass=radiusProfile) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net, with filter (&(radiusGroupName=suspended)(&(uid=))(objectclass=radiusProfile)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=test,ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net, with filter (objectclass=*) rlm_ldap::groupcmp: Group suspended not found or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net -> ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net [files] expand: (&(uid=%{Stripped-User-Name:=%{User-Name}}))(objectclass=radiusProfile) -> (&(uid=))(objectclass=radiusProfile) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net, with filter (&(radiusGroupName=disabled)(&(uid=))(objectclass=radiusProfile)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=test,ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net, with filter (objectclass=*) rlm_ldap::groupcmp: Group disabled not found or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net -> ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net [files] expand: (&(uid=%{Stripped-User-Name:=%{User-Name}}))(objectclass=radiusProfile) -> (&(uid=))(objectclass=radiusProfile) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net, with filter (&(radiusGroupName=localdialup)(&(uid=))(objectclass=radiusProfile)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=test,ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net, with filter (objectclass=*) rlm_ldap::ldap_groupcmp: User found in group localdialup rlm_ldap: ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 16 ++[files] returns ok [ldap] performing user authorization for test [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=test) [ldap] expand: ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net -> ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=xxxxx.net,ou=domains,dc=xxxxx,dc=net, with filter (uid=test) rlm_ldap: performing search in cn=localdialup,ou=radiusprofiles,dc=xxxxx,dc=net, with filter (objectclass=radiusprofile) rlm_ldap: radiusAuthType -> Auth-Type == PAP rlm_ldap: radiusFramedMTU -> Framed-MTU = 1500 rlm_ldap: radiusFramedIPNetmask -> Framed-IP-Netmask = 255.255.255.254 rlm_ldap: radiusFramedProtocol -> Framed-Protocol = PPP rlm_ldap: radiusServiceType -> Service-Type = Framed-User [ldap] Added User-Password = $1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm. in check items [ldap] looking for check items in directory... rlm_ldap: userPassword -> Cleartext-Password == "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm." [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testing" [pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm." [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test/testing] (from client localhost port 1) Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.8 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 123 to 127.0.0.1 port 50442 Framed-MTU = 1500 Framed-IP-Netmask = 255.255.255.254 Framed-Protocol = PPP Service-Type = Framed-User Waking up in 4.9 seconds. tnt@kalik.net wrote:
I had a look at the code and from what I see password value should be added to a User-Password attribute. Can you post the whole debug with auto_header disabled in ldap (and enabled in pap). You haven't mapped userPassword to Cleartext-Password by any chance?
Ivan Kalik Kalik Informatika ISP
Dana 11/11/2008, "Tim Palmer" <tpalmer@bestweb.net> piše:
tnt@kalik.net wrote:
No amount of changing settings in modules/pap and other config files would help. I finally noticed in the rlm_ldap debug output "auto_headers = no".
So, I set auto_headers = yes in modules/ldap, and login passes. Remove it, and login fails.
Are you saying that if you enable auto_header in pap module authentication fails but if you enable it in ldap it works?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
That is correct. I haven't yet tried disabling auto_header in pap module with it enabled in ldap, but enable/disable in ldap module, with it set in pap gives repeatable joy/no joy. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Tim Palmer BestWeb Support
Why yes, I did map Cleartext-Password, since the debug error ( and various list postings) seemed clear on that:
ldap.attrmap: checkItem Cleartext-Password userPassword
OK. Debug will moan about using User-Password if you are using clear text password. It will moan, replace it with Cleartext-Password - and things will still work. If you are using clear text passwords you can do this mapping to shut it up. Better practice would be to map it to something like radiusCleartextPassword and copy userPassword field there. But mapping encrypted passwords to Cleartext-Password is clearly wrong. Remove that mapping and auto_headers in pap will work. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
Why yes, I did map Cleartext-Password, since the debug error ( and various list postings) seemed clear on that:
ldap.attrmap: checkItem Cleartext-Password userPassword
OK. Debug will moan about using User-Password if you are using clear text password. It will moan, replace it with Cleartext-Password - and things will still work. If you are using clear text passwords you can do this mapping to shut it up. Better practice would be to map it to something like radiusCleartextPassword and copy userPassword field there.
But mapping encrypted passwords to Cleartext-Password is clearly wrong. Remove that mapping and auto_headers in pap will work.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What you say makes complete sense, but its still not working for me unless I have ldap do the auto_header. However, I'd done several things with this machine in this process, so I'm going to rebuild it and start from scratch, now that I am clear on exactly how this bit is supposed to work. Thank you for your input, tim
Le mardi 11 novembre 2008 20:48, Tim Palmer a écrit :
[pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testing" [pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm." [pap] Passwords don't match
For me there's no sense to have : [pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm." Is your clear text password is {crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm. ? No ? As said Alan Devok : Because you told it that the userPassword LDAP field was a clear-text password. The PAP module is *supposed* to do the "auto-header" thing itself. It can't, because you told it that the above text WAS the password.
Tim Palmer wrote:
Full disclosure - I did try an install from ports, then removed the port and rerun ldconfig. I did not recompile/install freeradius after the port excercise. ======= Why yes, I did map Cleartext-Password, since the debug error ( and various list postings) seemed clear on that:
ldap.attrmap: checkItem Cleartext-Password userPassword
Don't do this. Delete this line. It's the SOURCE of all the problems. Alan DeKok.
Alan DeKok wrote:
Tim Palmer wrote:
Full disclosure - I did try an install from ports, then removed the port and rerun ldconfig. I did not recompile/install freeradius after the port excercise. ======= Why yes, I did map Cleartext-Password, since the debug error ( and various list postings) seemed clear on that:
ldap.attrmap: checkItem Cleartext-Password userPassword
Don't do this. Delete this line. It's the SOURCE of all the problems.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
To no one's surprise, you all are correct that auto_header shouldn't be needed in the ldap module. The Cleartext-Password mapping didn't help, but my base, original problem was carrying over a "password_header = "{crypt}" entry in the ldap module from our old (1.0.1) configuration. Thanks for making it clear I shouldn't accept something just because it works, if it isn't how it should work. -- Tim Palmer BestWeb Support
participants (5)
-
Alan DeKok -
Laurent Besson -
lolo -
Tim Palmer -
tnt@kalik.net