Hi, I tried to get this working also and I found that if you let the ldap module *not* check the password_header, then the password incl. the header is put in the User-Password attribute. If you then use auto_header = yes for the pap module, it should figure out automatically to do crypt... unless the uppercase CRYPT is causing issues... Here's some sample debug output to check your setup: [ldap] Password header not found in password {crypt}XXXXXXXXXXX for user test [ldap] Added User-Password = {crypt}XXXXXXXXXXX in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap] returns ok ++- group returns ok ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "xxxx" [pap] Using CRYPT encryption. [pap] User authenticated successfully ++[pap] returns ok Regards, Thor.
----- Oorspronkelijk bericht ----- Van : wessam seleem [mailto:wessam.seleem@gmail.com] Verzonden : donderdag , september 24, 2009 02:16 PM Aan : tnt@kalik.net, 'FreeRadius users mailing list' Onderwerp : Re: "known good" error
Thanks Ivan for your reply. Here is the ldap configuration section:
ldap { server = "x.x.x.x" identity = "cn=username" password = password basedn = "ou=email,o=data,c=eg" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" password_header = "{CRYPT}" ldap_connections_number = 100 timeout = 15 timelimit = 10 net_timeout = 5
tls { start_tls = no }
profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" dictionary_mapping = ${confdir}/ldap.attrmap password_attribute = radiususerPassword }
and here is the debug message
++[ldap] returns ok Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "123456" [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> username attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0
Thanks for your support. Wessam
On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik <tnt@kalik.net> wrote:
I decided to install free radius 2.1.6-2 to test it and then to upgrade my existing versions in my servers. I configured my free radius to use ldap. When I tried to authenticate from the new radius it gave me the following message "from radius -X".
Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Note that when I wrote the password encrypted "like *%@&ksjd%@sdgsadgjhsb" I was able to login but when I wrote the password in clear text "like test" I failed to login.
Password in ldap probably has a header. You can ignore the message then, because server will convert User-Password to appropriate password attribute on it's own (Crypt-Password for {crypt}, SHA-Password for {sha} etc.) if auto-header is enabled. Post the whole debug.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dear Thor and Ivan, Thanks for your support. I would like to notice that I have the same configuration in a server that has freeradius-1.1.7-1 installed and it is working fine. I want to upgrade. That is why I am testing freeradius-2.1.6-2. I want to ask is there is any difference between 1.1.7-1 and 2.1.6-2 configuration files that I should put it in my consideration? Thor, I don't have the same output in the debug mode. I have what you can see below: ++[ldap] returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "password" [pap] Using clear text password "$5@Hfgusllj%$#kasjs" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> username attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Dear Ivan and Thor, As you can see the problem that I am sending a clear text password and the radius doesn't convert it to encrypted one. I want my radius to take a clear text password and encrypt it then compare it with the encrypted one in my ldap. Please let me know if I should clarify more or if you need more info. Thanks again for your support. Regards, On Thu, Sep 24, 2009 at 3:05 PM, Thor Spruyt <thor.spruyt@telenet.be> wrote:
Hi,
I tried to get this working also and I found that if you let the ldap module *not* check the password_header, then the password incl. the header is put in the User-Password attribute. If you then use auto_header = yes for the pap module, it should figure out automatically to do crypt... unless the uppercase CRYPT is causing issues...
Here's some sample debug output to check your setup: [ldap] Password header not found in password {crypt}XXXXXXXXXXX for user test [ldap] Added User-Password = {crypt}XXXXXXXXXXX in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user test authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap] returns ok ++- group returns ok ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "xxxx" [pap] Using CRYPT encryption. [pap] User authenticated successfully ++[pap] returns ok
Regards, Thor.
----- Oorspronkelijk bericht ----- Van : wessam seleem [mailto:wessam.seleem@gmail.com] Verzonden : donderdag , september 24, 2009 02:16 PM Aan : tnt@kalik.net, 'FreeRadius users mailing list' Onderwerp : Re: "known good" error
Thanks Ivan for your reply. Here is the ldap configuration section:
ldap { server = "x.x.x.x" identity = "cn=username" password = password basedn = "ou=email,o=data,c=eg" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" password_header = "{CRYPT}" ldap_connections_number = 100 timeout = 15 timelimit = 10 net_timeout = 5
tls { start_tls = no }
profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" dictionary_mapping = ${confdir}/ldap.attrmap password_attribute = radiususerPassword }
and here is the debug message
++[ldap] returns ok Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "123456" [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> username attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0
Thanks for your support. Wessam
On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik <tnt@kalik.net> wrote:
I decided to install free radius 2.1.6-2 to test it and then to upgrade my existing versions in my servers. I configured my free radius to use ldap. When I tried to authenticate from the new radius it gave me the following message "from radius -X".
Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Note that when I wrote the password encrypted "like *%@&ksjd%@sdgsadgjhsb" I was able to login but when I wrote the password in clear text "like test" I failed to login.
Password in ldap probably has a header. You can ignore the message then, because server will convert User-Password to appropriate password attribute on it's own (Crypt-Password for {crypt}, SHA-Password for {sha} etc.) if auto-header is enabled. Post the whole debug.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
freeradius-2.1.6-2. I want to ask is there is any difference between 1.1.7-1 and 2.1.6-2 configuration files that I should put it in my consideration?
some very big differences. best thing to do is download 1.1.8 and 2.1.7 sources and compare the plain supplied config files that are in the raddb directory of the source - those will highlight the big changes - particularly the virtual server directives and the functions that have been put into module files seperately rather than all called in one massively monolithic radiusd.conf file alan
Dear Thor, I really appreciate your help. Dear Alan, I will put your comments in my consideration. I want to ask if there is a specific change in the ldap section configuration. I mean If I put the same configuration of the old radius in the new one in the right section will it work or there is some attributes that I should add? Regards, On Sun, Sep 27, 2009 at 6:06 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
freeradius-2.1.6-2. I want to ask is there is any difference between 1.1.7-1 and 2.1.6-2 configuration files that I should put it in my consideration?
some very big differences.
best thing to do is download 1.1.8 and 2.1.7 sources and compare the plain supplied config files that are in the raddb directory of the source - those will highlight the big changes - particularly the virtual server directives and the functions that have been put into module files seperately rather than all called in one massively monolithic radiusd.conf file
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I will put your comments in my consideration. I want to ask if there is a specific change in the ldap section configuration. I mean If I put the same configuration of the old radius in the new one in the right section will it work or there is some attributes that I should add?
cant say - I dont 'do' LDAP - instead of running into this with guesswork why dont you look at the required conifguration files, see the differences and read the comments in those? if you want full support, Alan DeKok runs a commercial support business ;-) alan
I will put your comments in my consideration. I want to ask if there is a specific change in the ldap section configuration. I mean If I put the same configuration of the old radius in the new one in the right section will it work or there is some attributes that I should add?
Take ldap section from radiusd.conf in the old version and compare it to raddb/modules/ldap in the new one. Don't expect someone to compare them for you. Ivan Kalik Kalik Informatika ISP
participants (4)
-
Alan Buxey -
Ivan Kalik -
Thor Spruyt -
wessam seleem