PAP authentication and multiple LDAP userpassword attributes
Hi, I'm working on upgrading from FR 1.1.7 to FR 2.1.3. I use FR for EAP-TTLS/PAP authentication with LDAP. FR 1.1.7 successfully authenticates users with multiple LDAPuserpassword attributes which are stored with crypt and/or MD5 hash, the passwords are not the same (even it's better if the are) : ####################################################################### [...] rlm_ldap: performing user authorization for mylogin radius_xlat: '(&(uid=mylogin)(udsradiusProfileWifi=*))' radius_xlat: 'ou=people,o=annuaire' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,o=annuaire, with filter (&(uid=mylogin)(udsradiusProfileWifi=*)) rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, with filter (objectclass=radiusprofile) rlm_ldap: Added password {MD5}xxxxx in check items rlm_ldap: Added password {crypt}xxxxx in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user mylogin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "LDAP_OSIRIS" returns ok for request 29 modcall: leaving group LDAP_OSIRIS (returns ok) for request 29 rad_check_password: Found Auth-Type LDAP_OSIRIS auth: type "LDAP_OSIRIS" Processing the authenticate section of radiusd.conf modcall: entering group LDAP_OSIRIS for request 29 rlm_ldap: - authenticate rlm_ldap: login attempt by "saillard" with password "mycleartextpassword" rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1 rlm_ldap: setting TLS mode to 1 rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+ to ldaps://ldapuds.u-strasbg.fr rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user mylogin authenticated succesfully [...] ####################################################################### Now with FR 2.1.3, it looks like only the first password attribute is used : ####################################################################### [...] [ldap] expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(udsradiusProfileWifi=*)) -> (&(uid=mylogin)(udsradiusProfileWifi=*)) [ldap] expand: ou=people,o=annuaire -> ou=people,o=annuaire rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,o=annuaire, with filter (&(uid=mylogin)(udsradiusProfileWifi=*)) rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, with filter (objectclass=radiusprofile) [ldap] Added User-Password = {crypt}xxxxx in check items [ldap] Added User-Password = {MD5}xxxxx in check items [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] user mylogin authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[pap] returns updated Found Auth-Type = PAP +- entering group authenticate {...} [pap] login attempt with password "mycleartextpassword" [pap] Using CRYPT encryption. [pap] Passwords don't match [...] ####################################################################### Is there a way to tell FR to try with others attributes ? My configuration is quite simple, here's my sites-enabled/proxy-inner-tunnel : server proxy-inner-tunnel { authorize { eap ldap pap } authenticate { eap pap } post-proxy { eap } } And the pap modules : pap { auto_header = yes } Any clue ? Thanks -- --------------------------- Christophe Saillard Université de Strasbourg Direction Informatique --------------------------- Tél : 03 90 24 03 17 Fax : 03 90 24 03 12 ---------------------------
Christophe Saillard wrote:
I'm working on upgrading from FR 1.1.7 to FR 2.1.3.
I use FR for EAP-TTLS/PAP authentication with LDAP.
FR 1.1.7 successfully authenticates users with multiple LDAPuserpassword attributes which are stored with crypt and/or MD5 hash, the passwords are not the same (even it's better if the are) :
No. In 1.1.7, the server is doing LDAP "bind as user" for authentication. It is *completely* ignoring the crypt/MD5 passwords. ...
rlm_ldap: Added password {MD5}xxxxx in check items rlm_ldap: Added password {crypt}xxxxx in check items ... Processing the authenticate section of radiusd.conf modcall: entering group LDAP_OSIRIS for request 29 rlm_ldap: - authenticate rlm_ldap: login attempt by "saillard" with password "mycleartextpassword" rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1 rlm_ldap: setting TLS mode to 1 rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+ to ldaps://ldapuds.u-strasbg.fr rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user mylogin authenticated succesfully
See? LDAP "bind as user".
Now with FR 2.1.3, it looks like only the first password attribute is used :
In 2.1.3, the "bind as user" functionality isn't used if the LDAP server returns a "known good" password. ...
[ldap] Added User-Password = {crypt}xxxxx in check items [ldap] Added User-Password = {MD5}xxxxx in check items ... ++[pap] returns updated Found Auth-Type = PAP +- entering group authenticate {...} [pap] login attempt with password "mycleartextpassword" [pap] Using CRYPT encryption. [pap] Passwords don't match
The solution is simple: (1) fix it so that the passwords are NOT returned from LDAP or (2) force "Auth-Type := LDAP" inside of the TTLS tunnel. This might break other things, but it will make the server work the same way as in 1.1.7. Alan DeKok.
participants (2)
-
Alan DeKok -
Christophe Saillard