Issue with PAP/LDAP authentication after upgrade FR 2.0.5 to FR 2.1.1
Hi Gurus, I've just (auto)updated my FR from 2.0.5 to 2.1.1 and some authentications stop working. For these specific authentications the ldap module is used to retrieve the password from LDAP (hashed with MD5 or CRYPT, ...), and then PAP is used to compare the passwords (auto_header is turned on in the pap module). Before 2.1.1 everything was working. After 2.1.1, I get Authentication Failures because passwords don't match. I've analysed the debug log and I wonder if the auto_header of the pap module is really working! Here is an abstract of the radius debug logs (usernames,passwords, and IP address have been obfuscated): rad_recv: Access-Request packet from host 10.1.1.1 port 54251, id=6, length=94 User-Name = "username" User-Password = "USERPASSWD" NAS-IP-Address = 10.1.1.1 NAS-Port = 6 Service-Type = Dialout-Framed-User Calling-Station-Id = "10.1.1.10" NAS-Identifier = "OpenVpn" NAS-Port-Type = Virtual server mycompany-vpn-perso-ovpn { +- entering group authorize {...} ++[preprocess] returns ok ... [files_mycompany_vpn_perso_ovpn] users: Matched entry DEFAULT at line 2 ... ++[files_mycompany_vpn_perso_ovpn] returns ok ++- entering policy redundant {...} [ldap1] performing user authorization for username [ldap1] expand: %{Stripped-User-Name} -> [ldap1] expand: %{User-Name} -> username [ldap1] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(MyCompany-AccountStatus=active)) -> (&(uid=username)(MyCompany-AccountStatus=active)) [ldap1] expand: dc=mycompany, dc=fr -> dc=mycompany, dc=fr .. rlm_ldap: extracted attribute Pool-Name from generic item Pool-Name:=Ovpn_Main_Pool [ldap1] Added User-Password = {MD5}/9sLgyXJRml0Lds4xd6rOg== in check items [ldap1] looking for check items in directory... rlm_ldap: mycompanyNTPassword -> NT-Password == 0xe0b531f2a8a5cb7ecd2b4951b1d79E1d [ldap1] looking for reply items in directory... [ldap1] user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap1] returns ok ++- policy redundant returns ok ... ==> Until this line everything is ok: the userPassword attribute is added to User-Password because I have the line "password_attribute = userPassword" uncommented in my ldap module setup. Note also that I have the password in NT-Hashed format as well, but I don't intend to use it in this particular authentication process. ++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "USERPASSWD" [pap] Using clear text password "{MD5}/9sLgyXJRml0Lds4xd6rOg==" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. } # server mycompany-vpn-perso-ovpn Using Post-Auth-Type Reject ==> I have no reference to the User-Password attribute in my setup (either in the user "file" or in the radiusprofile taken from the ldap directory. It seems like the ldap module adds the User-Password attribute and then the PAP module decides to change it to Cleartext-Password instead of processing the auto_header feature and setting the MD5-Password. What do you think ? Is there somewhere in my setup where I could have broken the normal FR processing ? Many thanks in advance, Thibault
I've just (auto)updated my FR from 2.0.5 to 2.1.1 and some authentications stop working. For these specific authentications the ldap module is used to retrieve the password from LDAP (hashed with MD5 or CRYPT, ...), and then PAP is used to compare the passwords (auto_header is turned on in the pap module).
It doesn't look on. Post the debug of the server startup. Ivan Kalik Kalik Informatika ISP
Thanks a lot for your answer, tnt@kalik.net a écrit :
I've just (auto)updated my FR from 2.0.5 to 2.1.1 and some authentications stop working. For these specific authentications the ldap module is used to retrieve the password from LDAP (hashed with MD5 or CRYPT, ...), and then PAP is used to compare the passwords (auto_header is turned on in the pap module).
It doesn't look on. Post the debug of the server startup.
You're quite right, the pap module isn't instantiated with the expected values. Here the abstract of the starting block of the debug log: ------------- Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } ------------- I've searched and finally found out what occured. I'm using Fedora Core 9 and after the FR package update here is what occured: a lot of files including module files from the new RPM package were added as /etc/raddb/modules/<modulename>.rpmnew So at startup here is what is loaded: ... including configuration file /etc/raddb/modules/pap.rpmnew ... including configuration file /etc/raddb/modules/pap ... Most of my setup was working because I use specific instance of the modules such as "ldap-mycompany" and not the default "ldap" name. However, I use the std name for the pap module... I may change this in the future to avoid such issues after upgrade. I don't know if I should report this to the package maintainer or not. What do you think ? Again, thanks a lot for your help. Regards, Thibault
Thibault Le Meur wrote:
T I've searched and finally found out what occured. I'm using Fedora Core 9 and after the FR package update here is what occured: a lot of files including module files from the new RPM package were added as /etc/raddb/modules/<modulename>.rpmnew So at startup here is what is loaded: ... including configuration file /etc/raddb/modules/pap.rpmnew ... including configuration file /etc/raddb/modules/pap ...
Most of my setup was working because I use specific instance of the modules such as "ldap-mycompany" and not the default "ldap" name. However, I use the std name for the pap module... I may change this in the future to avoid such issues after upgrade.
I don't know if I should report this to the package maintainer or not. What do you think ?
I'm here :-) The files under /etc/raddb/modules are configuration files. Configuration files by definition are available for editing. It is usually considered bad practice for rpm during an upgrade to overwrite user modified configuration files. If rpm thinks a configuration file has been modified instead of overwriting the configuration file with the version from the new package it instead lays a new copy of that file down with the .rpmnew extension. It's your job as a system administrator to pay attention to the presence of .rpmnew files, during installation it will warn you such files were created which is your signal to investigate. If you miss the warnings you should still periodically check under /etc for the presence of .rpmnew files and .rpmsave by the same token. Now having said that, it's entirely possible there is a packaging problem and the .rpmnew files should not have been created, I'll go off and take a look at that issue. My recollection is that rpm is smart enough to detect the case where the old version of a config file differs from the new version but the old version was not locally edited. I believe this is case you're describing. In this instance rpm should replace the config files and not generate a .rpmnew. Did you edit the pap config file in any manner? -- John Dennis <jdennis@redhat.com>
John Dennis wrote:
Thibault Le Meur wrote:
T I've searched and finally found out what occured. I'm using Fedora Core 9 and after the FR package update here is what occured: a lot of files including module files from the new RPM package were added as /etc/raddb/modules/<modulename>.rpmnew So at startup here is what is loaded: ... including configuration file /etc/raddb/modules/pap.rpmnew ... including configuration file /etc/raddb/modules/pap ...
Most of my setup was working because I use specific instance of the modules such as "ldap-mycompany" and not the default "ldap" name. However, I use the std name for the pap module... I may change this in the future to avoid such issues after upgrade.
I don't know if I should report this to the package maintainer or not. What do you think ?
I'm here :-)
The files under /etc/raddb/modules are configuration files. Configuration files by definition are available for editing. It is usually considered bad practice for rpm during an upgrade to overwrite user modified configuration files. If rpm thinks a configuration file has been modified instead of overwriting the configuration file with the version from the new package it instead lays a new copy of that file down with the .rpmnew extension. It's your job as a system administrator to pay attention to the presence of .rpmnew files, during installation it will warn you such files were created which is your signal to investigate. If you miss the warnings you should still periodically check under /etc for the presence of .rpmnew files and .rpmsave by the same token.
Now having said that, it's entirely possible there is a packaging problem and the .rpmnew files should not have been created, I'll go off and take a look at that issue. My recollection is that rpm is smart enough to detect the case where the old version of a config file differs from the new version but the old version was not locally edited. I believe this is case you're describing. In this instance rpm should replace the config files and not generate a .rpmnew. Did you edit the pap config file in any manner?
I've looked at the packaging with respect to how the .rpmnew files are being handled and I believe everything is correct. What is probably missing is documentation on this so I've updated the FreeRADIUS Red Hat FAQ (http://wiki.freeradius.org/Red_Hat_FAQ) and added a section describing what happens to configuration files during a RPM upgrade (http://wiki.freeradius.org/Red_Hat_FAQ#How_are_configuration_files_handled_d...) FWIW, I also updated the FAQ to cover the some of the cases which confused a recent user who was attemping to build the RPM's locally on RHEL5. -- John Dennis <jdennis@redhat.com>
Hi John, Nice to meet you ;-) John Dennis a écrit : > John Dennis wrote: >> Thibault Le Meur wrote: >>> T >>> I've searched and finally found out what occured. I'm using Fedora >>> Core 9 and after the FR package update here is what occured: a lot >>> of files including module files from the new RPM package were added >>> as /etc/raddb/modules/<modulename>.rpmnew >>> So at startup here is what is loaded: >>> ... >>> including configuration file /etc/raddb/modules/pap.rpmnew >>> ... >>> including configuration file /etc/raddb/modules/pap >>> ... >>> >>> I don't know if I should report this to the package maintainer or not. >>> What do you think ? >> >> I'm here :-) >> >> The files under /etc/raddb/modules are configuration files. >> Configuration files by definition are available for editing. It is >> usually considered bad practice for rpm during an upgrade to >> overwrite user modified configuration files. I agree ;-) >> If rpm thinks a configuration file has been modified instead of >> overwriting the configuration file with the version from the new >> package it instead lays a new copy of that file down with the .rpmnew >> extension. I understand, and this runs great _for most other softwares because the xxx.rpmnew files are not read_ by the application at startup: * the applications are correctly updated, * the configuration files that were customized by the system administrator are not overwritten and are still read at the application startup, * _usually_ the updated applications are working well, despite having old configuration files. This is because new configuration files usually have new optional parameters (for which a default value is assumed by the application). However, as far as FR is concerned, all files in /etc/raddb/modules/ matching the regex /[a-zA-Z0-9_.]+/ are read, this includes any xxx.rpmnew file: In fact adding an xxx.rpmnew file in /etc/raddb/modules has the same effect as to modify the configuration files ! This will cause most Freeradius 2.x upgrades (using RPM) to end up with an updated server which is not working anymore >> It's your job as a system administrator to pay attention to the >> presence of .rpmnew files, during installation it will warn you such >> files were created which is your signal to investigate. This may mean that automatic updates of FR should be disabled by default in the OS, maybe in /etc/yum.conf for Fedora ? >> If you miss the warnings you should still periodically check under >> /etc for the presence of .rpmnew files and .rpmsave by the same token. No need to do this: I've been warned immediately by my users that the network access wasn't possible anymore ;-) >> >> Now having said that, it's entirely possible there is a packaging >> problem and the .rpmnew files should not have been created, I'll go >> off and take a look at that issue. My recollection is that rpm is >> smart enough to detect the case where the old version of a config >> file differs from the new version but the old version was not locally >> edited. I believe this is case you're describing. No, I've modified the old configuration file, the problem is that the .rpmnew files is read by the server at startup and thus this overwrites my old customizations. >> > I've looked at the packaging with respect to how the .rpmnew files are > being handled and I believe everything is correct. What is probably > missing is documentation on this so I've updated the FreeRADIUS Red > Hat FAQ (http://wiki.freeradius.org/Red_Hat_FAQ) and added a section > describing what happens to configuration files during a RPM upgrade > (http://wiki.freeradius.org/Red_Hat_FAQ#How_are_configuration_files_handled_during_an_RPM_upgrade.3F) > Thanks this is very valuable. Maybe 'we' should add a specific paragraph concerning /etc/raddb/modules configuration .rpmnew files as they are read by FR at startup? Do you want me to do so? Regards, Thibault
participants (3)
-
John Dennis -
Thibault Le Meur -
tnt@kalik.net