Re: ldap - edirectory authentication
Look in the configure script, or maybe try ./configure --help. Else the config options are probably listed in one of the readme's. ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org <freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org> To: 'FreeRadius users mailing list' <freeradius-users@lists.freeradius.org> Sent: Fri Dec 10 08:54:18 2010 Subject: RE: ldap - edirectory authentication Not too sure. We've looked thru all the conf's. Where would I look? robert Robert Koskey, Systems and Network Manager Rocky View Schools Telephone: 403-945-4080 Cell: 403-988-4640
Gary Gatten <Ggatten@waddell.com> 12/10/2010 7:37 AM >>> It’s a configure flag no?
________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Robert Koskey Sent: Friday, December 10, 2010 8:30 AM To: FreeRadius users mailing list Subject: Re: ldap - edirectory authentication We really aren't too sure about that. We just installed it from the media that OpenSuse 11.3 came with. We have noticed the bit about the --with-edir but even when we downloaded and compiled the FR 2.1.10 (latest) we didn't see how we could install with that option. If you know, please shed some light. thanks, Robert Koskey, Systems and Network Manager Rocky View Schools Telephone: 403-945-4080 Cell: 403-988-4640
Peter Lambrechtsen <plambrechtsen@gmail.com> 12/9/2010 3:48 PM >>> You may need to comment out the logintime and pap sections, since this isn't a pap authentication.
It seems like the password is being correctly extracted out of eDirectory using Universal Password, but are you sure that's properly configured in the build version of FreeRadius? On Fri, Dec 10, 2010 at 11:40 AM, Robert Koskey <rkoskey@rockyview.ab.ca<mailto:rkoskey@rockyview.ab.ca>> wrote: Can anyone help? We are trying to do a ldap authentication from novell's edirectory to an Aruba controller for wireless access. These are the error's we are getting. It used to work perfectly but the original radius server blew up. We installed a new one with the same configuration and it doesn't work. The problem areas are bold'ed. The problem seems to occur after the ldap authentication. I don't think we are entirely clear about the order in which the whole process happens. Any help or suggestions would be greatly appreciated. The set up is: OpenSuse 11.0 FreeRadius 2.0.5 We have tried: OpenSuse 11.3 FreeRadius 2.1.9 (same result) rad_recv: Access-Request packet from host 10.215.10.100 port 34806, id=218, length=199 User-Name = "jordanhkaltenbruner" NAS-IP-Address = 10.200.8.30 NAS-Port = 2 NAS-Identifier = "10.215.10.99" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "78CA39B5D3E5" Called-Station-Id = "000B8661AC58" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x02010018016a6f7264616e686b616c74656e6272756e6572 Aruba-Essid-Name = "SCHS-Student" Aruba-Location-Id = "SpringbankW2-9" Message-Authenticator = 0x4542e9b98b5978ca1ca52b7617910620 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@'<mailto:%27@%27> in User-Name = "jordanhkaltenbruner", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for jordanhkaltenbruner WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=jordanhkaltenbruner) expand: ou=springhigh_lab,o=springhigh -> ou=springhigh_lab,o=springhigh rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.215.0.3:636<http://10.215.0.3:636>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: bind as cn=admin,o=springhigh/???? to 10.215.0.3:636<http://10.215.0.3:636> rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=springhigh_lab,o=springhigh, with filter (uid=jordanhkaltenbruner) rlm_ldap: Added the eDirectory password 51601222 in check items as Cleartext-Password rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user jordanhkaltenbruner authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: No clear-text password in the request. Not performing PAP. ++[pap] returns noop auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> jordanhkaltenbruner attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 218 to 10.215.10.100 port 34806 Finished request 0. Robert Koskey, Systems and Network Manager Rocky View Schools Telephone: 403-945-4080 Cell: 403-988-4640 Robert Koskey, Systems and Network Manager Rocky View Schools Telephone: 403-945-4080 Cell: 403-988-4640 _____________________________________________________________________________________ This communication is intended for the use of the recipient to which it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communication received in error, or subsequent reply, should be deleted or destroyed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________________ This communication is intended for the use of the recipient to which it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communication received in error, or subsequent reply, should be deleted or destroyed. "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." _____________________________________________________________________________________ This communication is intended for the use of the recipient to which it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communication received in error, or subsequent reply, should be deleted or destroyed. <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
thanks, I'll try that. robert Robert Koskey, Systems and Network Manager Rocky View Schools Telephone: 403-945-4080 Cell: 403-988-4640
Gary Gatten <Ggatten@waddell.com> 12/10/2010 7:59 AM >>> Look in the configure script, or maybe try ./configure --help. Else the config options are probably listed in one of the readme's.
From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org <freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org> To: 'FreeRadius users mailing list' <freeradius-users@lists.freeradius.org> Sent: Fri Dec 10 08:54:18 2010 Subject: RE: ldap - edirectory authentication Not too sure. We've looked thru all the conf's. Where would I look? robert Robert Koskey, Systems and Network Manager Rocky View Schools Telephone: 403-945-4080 Cell: 403-988-4640
Gary Gatten <Ggatten@waddell.com> 12/10/2010 7:37 AM >>>
It’s a configure flag no? From:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Robert Koskey Sent: Friday, December 10, 2010 8:30 AM To: FreeRadius users mailing list Subject: Re: ldap - edirectory authentication We really aren't too sure about that. We just installed it from the media that OpenSuse 11.3 came with. We have noticed the bit about the --with-edir but even when we downloaded and compiled the FR 2.1.10 (latest) we didn't see how we could install with that option. If you know, please shed some light. thanks, Robert Koskey, Systems and Network Manager Rocky View Schools Telephone: 403-945-4080 Cell: 403-988-4640
Peter Lambrechtsen <plambrechtsen@gmail.com> 12/9/2010 3:48 PM >>> You may need to comment out the logintime and pap sections, since this isn't a pap authentication.
It seems like the password is being correctly extracted out of eDirectory using Universal Password, but are you sure that's properly configured in the build version of FreeRadius? On Fri, Dec 10, 2010 at 11:40 AM, Robert Koskey <rkoskey@rockyview.ab.ca> wrote: Can anyone help? We are trying to do a ldap authentication from novell's edirectory to an Aruba controller for wireless access. These are the error's we are getting. It used to work perfectly but the original radius server blew up. We installed a new one with the same configuration and it doesn't work. The problem areas are bold'ed. The problem seems to occur after the ldap authentication. I don't think we are entirely clear about the order in which the whole process happens. Any help or suggestions would be greatly appreciated. The set up is: OpenSuse 11.0 FreeRadius 2.0.5 We have tried: OpenSuse 11.3 FreeRadius 2.1.9 (same result) rad_recv: Access-Request packet from host 10.215.10.100 port 34806, id=218, length=199 User-Name = "jordanhkaltenbruner" NAS-IP-Address = 10.200.8.30 NAS-Port = 2 NAS-Identifier = "10.215.10.99" NAS-Port-Type = Wireless-802.11 Calling-Station-Id = "78CA39B5D3E5" Called-Station-Id = "000B8661AC58" Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x02010018016a6f7264616e686b616c74656e6272756e6572 Aruba-Essid-Name = "SCHS-Student" Aruba-Location-Id = "SpringbankW2-9" Message-Authenticator = 0x4542e9b98b5978ca1ca52b7617910620 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' ( mailto:%27@%27 ) in User-Name = "jordanhkaltenbruner", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for jordanhkaltenbruner WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=jordanhkaltenbruner) expand: ou=springhigh_lab,o=springhigh -> ou=springhigh_lab,o=springhigh rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 10.215.0.3:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: bind as cn=admin,o=springhigh/???? to 10.215.0.3:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=springhigh_lab,o=springhigh, with filter (uid=jordanhkaltenbruner) rlm_ldap: Added the eDirectory password 51601222 in check items as Cleartext-Password rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user jordanhkaltenbruner authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: No clear-text password in the request. Not performing PAP. ++[pap] returns noop auth: type Local auth: No User-Password or CHAP-Password attribute in the request auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> jordanhkaltenbruner attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 218 to 10.215.10.100 port 34806 Finished request 0. Robert Koskey, Systems and Network Manager Rocky View Schools Telephone: 403-945-4080 Cell: 403-988-4640 Robert Koskey, Systems and Network Manager Rocky View Schools Telephone: 403-945-4080 Cell: 403-988-4640 _____________________________________________________________________________________ This communication is intended for the use of the recipient to which it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communication received in error, or subsequent reply, should be deleted or destroyed. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________________ This communication is intended for the use of the recipient to which it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communication received in error, or subsequent reply, should be deleted or destroyed. "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." _____________________________________________________________________________________ This communication is intended for the use of the recipient to which it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communication received in error, or subsequent reply, should be deleted or destroyed. "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." _____________________________________________________________________________________ This communication is intended for the use of the recipient to which it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communication received in error, or subsequent reply, should be deleted or destroyed.
On Sat, Dec 11, 2010 at 3:59 AM, Gary Gatten <Ggatten@waddell.com> wrote:
Look in the configure script, or maybe try ./configure --help. Else the config options are probably listed in one of the readme's.
Yes it's a configure switch when you compile FR. I would assume that since it's a version distributed with SLES (I would assume OpenSUSE would be the same), but can check in the srpm to make sure it's in there. But I would be surprised if it wasn't. The main things to be sure is your Universal Password policy assigned to your users allows Admin's (or a specific user) to retreieve the User's password, and that the service account you use to bind to eDirectory in FR is one of those accounts. And that you are binding over LDAPS (SSL) on port 636 typlically. Which may require you to import in the LDAP Server's CA Cert into the certificate keystore in the LDAP SSL Config.
Peter Lambrechtsen <plambrechtsen@gmail.com> wrote:
On Sat, Dec 11, 2010 at 3:59 AM, Gary Gatten <Ggatten@waddell.com> wrote:
Look in the configure script, or maybe try ./configure --help. Else the config options are probably listed in one of the readme's.
Yes it's a configure switch when you compile FR.
I would assume that since it's a version distributed with SLES (I would assume OpenSUSE would be the same), but can check in the srpm to make sure it's in there. But I would be surprised if it wasn't.
The main things to be sure is your Universal Password policy assigned to your users allows Admin's (or a specific user) to retreieve the User's password, and that the service account you use to bind to eDirectory in FR is one of those accounts. And that you are binding over LDAPS (SSL) on port 636 typlically. Which may require you to import in the LDAP Server's CA Cert into the certificate keystore in the LDAP SSL Config.
Am I missing something obvious but in the original post was: ---- rlm_ldap: Added the eDirectory password 51601222 in check items as Cleartext-Password ---- We are ourselves condemned to hell to and are forced to use Novell but all this UP malarkey works for us just fine. The OP obviously has already enabled universal password according to the debugging message, a five second look at the source code also confirms this: https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_l... Of course I have no idea why the Cleartext-Password attribute is disappearing after passing through authorize/ldap before it gets to pap/chap/mschap but I cannot see the OP's config. The problem seems not not to be a flag at compile time, it's a configuration problem. Cheers -- Alexander Clouter .sigmonster says: No purchase necessary.
Thanks for everyone's help on this. We got it to work, now using eap-peap. We truly believe it was using mschapv2 before, but cannot prove that to ourselves. Everytime something changes we learn much more than we knew before, so I guess that's a good thing. thanks again. robert Robert Koskey, Systems and Network Manager Rocky View Schools Telephone: 403-945-4080 Cell: 403-988-4640
Alexander Clouter <alex@digriz.org.uk> 12/11/2010 4:35 AM >>> Peter Lambrechtsen <plambrechtsen@gmail.com> wrote:
On Sat, Dec 11, 2010 at 3:59 AM, Gary Gatten <Ggatten@waddell.com> wrote:
Look in the configure script, or maybe try ./configure --help. Else the config options are probably listed in one of the readme's.
Yes it's a configure switch when you compile FR.
I would assume that since it's a version distributed with SLES (I would assume OpenSUSE would be the same), but can check in the srpm to make sure it's in there. But I would be surprised if it wasn't.
The main things to be sure is your Universal Password policy assigned to your users allows Admin's (or a specific user) to retreieve the User's password, and that the service account you use to bind to eDirectory in FR is one of those accounts. And that you are binding over LDAPS (SSL) on port 636 typlically. Which may require you to import in the LDAP Server's CA Cert into the certificate keystore in the LDAP SSL Config.
Am I missing something obvious but in the original post was: ---- rlm_ldap: Added the eDirectory password 51601222 in check items as Cleartext-Password ---- We are ourselves condemned to hell to and are forced to use Novell but all this UP malarkey works for us just fine. The OP obviously has already enabled universal password according to the debugging message, a five second look at the source code also confirms this: https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_l... Of course I have no idea why the Cleartext-Password attribute is disappearing after passing through authorize/ldap before it gets to pap/chap/mschap but I cannot see the OP's config. The problem seems not not to be a flag at compile time, it's a configuration problem. Cheers -- Alexander Clouter .sigmonster says: No purchase necessary. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________________ This communication is intended for the use of the recipient to which it is addressed, and may contain confidential, personal, and or privileged information. Please contact us immediately if you are not the intended recipient of this communication, and do not copy, distribute, or take action relying on it. Any communication received in error, or subsequent reply, should be deleted or destroyed.
participants (4)
-
Alexander Clouter -
Gary Gatten -
Peter Lambrechtsen -
Robert Koskey