Freeradius2 + LDAP of Lotus Notes
I have configured my Freeradius2 server to authenticate in an LDAP server that is used by Lotus Notes. I'm having a problem even though it bind successfully because there is no password attribute in the LDAP server of Lotus Notes. Does it mean that Lotus Notes doesn't store the password of its users in the LDAP server? -- View this message in context: http://old.nabble.com/Freeradius2-%2B-LDAP-of-Lotus-Notes-tp29426192p2942619... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 08/13/2010 08:14 AM, rrperez wrote:
I have configured my Freeradius2 server to authenticate in an LDAP server that is used by Lotus Notes.
I'm having a problem even though it bind successfully because there is no password attribute in the LDAP server of Lotus Notes. Does it mean that Lotus Notes doesn't store the password of its users in the LDAP server?
Perhaps. It might be that your bind DN doesn't have permissions to read/see the attribute. Best talk to your LDAP directory / Notes administrators.
I have configured the /etc/raddb/modules/ldap and added an identity (although I don't if it works), but still it can't find a password for the user. Here is the debug: rad_recv: Access-Request packet from host 127.0.0.1 port 37784, id=118, length=63 User-Name = "kim.almarez" User-Password = "k1m.alma" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for kim.almarez [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> kim.almarez [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=kim.almarez) [ldap] expand: O=SMPRIME -> O=SMPRIME rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to notes2.ho.sm.ph:389, authentication 0 rlm_ldap: bind as CN=Administrator,O=SMPRIME/ to notes2.ho.sm.ph:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user kim.almarez authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> kim.almarez attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 118 to 127.0.0.1 port 37784 Waking up in 4.9 seconds. Cleaning up request 0 ID 118 with timestamp +2 Ready to process requests. I guess rlm_ldap can't find a password attribute on the ldap of Lotus Notes. -- View this message in context: http://old.nabble.com/Freeradius2-%2B-LDAP-of-Lotus-Notes-tp29426192p2942669... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Fri, Aug 13, 2010 at 3:36 PM, rrperez <rrperez@apc.edu.ph> wrote:
I have configured the /etc/raddb/modules/ldap and added an identity (although I don't if it works), but still it can't find a password for the user.
I guess rlm_ldap can't find a password attribute on the ldap of Lotus Notes.
Because there's no attribute in Lotus Domino's schema that has stores plain, unencrypted user password. A similar case is when you want to use Active Directory. You can't use rlm_ldap directly because AD does not give away plain, unencrypted user password, so you need a workaround using Samba. No such workaround exists for Lotus Domino though. That's how some company make money btw, selling a combination of "access control" appliance and client for Windows, which basically (in this purpose) allows Windows to use PEAP-GTC. There's some free wpa supplicant client for Windows which allows you to use PEAP-GTC (use at your own risk): http://open1x.sourceforge.net/ http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_s... -- Fajar
I have configured the /etc/raddb/modules/ldap and added an identity (although I don't if it works), but still it can't find a password for the user. Here is the debug: rad_recv: Access-Request packet from host 127.0.0.1 port 37784, id=118, length=63 User-Name = "kim.almarez" User-Password = "k1m.alma" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for kim.almarez [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> kim.almarez [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=kim.almarez) [ldap] expand: O=SMPRIME -> O=SMPRIME rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to notes2.ho.sm.ph:389, authentication 0 rlm_ldap: bind as CN=Administrator,O=SMPRIME/ to notes2.ho.sm.ph:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user kim.almarez authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> kim.almarez attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 118 to 127.0.0.1 port 37784 Waking up in 4.9 seconds. Cleaning up request 0 ID 118 with timestamp +2 Ready to process requests. I guess rlm_ldap can't find a password attribute on the ldap of Lotus Notes. -- View this message in context: http://old.nabble.com/Freeradius2-%2B-LDAP-of-Lotus-Notes-tp29426192p2942670... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I'm having a problem even though it bind successfully because there is no password attribute in the LDAP server of Lotus Notes. Does it mean that Lotus Notes doesn't store the password of its users in the LDAP server?
A more accurate description is that Lotus Domino encrypts the password in a non-standard way. You could still use it for authentication though. Look at /etc/raddb/sites-enabled/default, and you should see something like this # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against # the ldap database", which means that EAP won't work, # as it does not supply a plain-text password. Auth-Type LDAP { ldap } For that to work, you need to have client supply plain-text password. Which means MSCHAP or EAP-MSCHAPv2 won't work. EAP-GTC could work though, with a little effort. -- Fajar
Thanks for the quick response Phil. To Fajar, I have set up the server to do authentication on a wireless network, making the EAP/MS-CHAPv2 not work will fail the authentications for all my microsoft platform clients. Thanks for the response also. -- View this message in context: http://old.nabble.com/Freeradius2-%2B-LDAP-of-Lotus-Notes-tp29426192p2942655... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
Fajar A. Nugraha -
Phil Mayers -
rrperez