Problem when removing Auth-Type := Ldap in users file
Hi, I am testing the freeradius server, and try to clarify rules applied in freeradius. In the following trials, I could not figure out how to make Autz-Type Ldap1 in authorize section to correctly set Auth-Type used in authentication without the help from "Auth-Type := Ldap1". With the following entry in users file, ************** DEFAULT Called-Station-Id =~ ".*Guest@myu", Autz-Type := Ldap1, Auth-Type := Ldap1 ************** the user authentication worked fine. Below is the debug output. ************** rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=19, length=98 User-Name = "tester" Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu" NAS-Port = 189 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "nortel" NAS-IP-Address = 192.168.1.113 User-Password = "testing" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "tester", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu users: Matched entry DEFAULT at line 70 ++[files] returns ok rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Autz-Type Ldap1 +- entering group Ldap1 ++- entering redundant-load-balance group redundant-load-balance rlm_ldap: - authorize rlm_ldap: performing user authorization for tester WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester) expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 0 rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/unbCA.crt rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap.myu.ca:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter (uid=tester) rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tester authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[myldap2] returns ok ++- redundant-load-balance group redundant-load-balance returns ok rad_check_password: Found Auth-Type Ldap1 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! auth: type "Ldap1" +- entering group Ldap1 ++- entering redundant-load-balance group redundant-load-balance rlm_ldap: - authenticate rlm_ldap: login attempt by "tester" with password "testing" rlm_ldap: user DN: uid=tester,ou=people,dc=myu,dc=ca rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 1 rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as uid=tester,ou=people,dc=myu,dc=ca/testing to ldap.myu.ca:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user tester authenticated succesfully +++[myldap2] returns ok ++- redundant-load-balance group redundant-load-balance returns ok Login OK: [tester] (from client unbsj113 port 189) Sending Access-Accept of id 19 to 192.168.1.113 port 20000 Finished request 0. Going to the next request Waking up in 0.8 seconds. Waking up in 4.1 seconds. Cleaning up request 0 ID 19 with timestamp +99 Ready to process requests. ************** However when I removed Auth-Type := Ldap1 in the entry, ************** DEFAULT Called-Station-Id =~ ".*Guest@myu", Autz-Type := Ldap1 ************** the user authentication failed. The Auth Type is set to Local instead of Ldap. Below is the debug output. ************** rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=20, length=98 User-Name = "tester" Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu" NAS-Port = 192 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "nortel" NAS-IP-Address = 192.168.1.113 User-Password = "testing" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "tester", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu users: Matched entry DEFAULT at line 71 ++[files] returns ok rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Autz-Type Ldap1 +- entering group Ldap1 ++- entering redundant-load-balance group redundant-load-balance rlm_ldap: - authorize rlm_ldap: performing user authorization for tester WARNING: Deprecated conditional expansion ":-". See "man unlang" for details expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester) expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap2.myu.ca:389, authentication 0 rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt rlm_ldap: setting TLS Require Cert to never rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap2.myu.ca:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter (uid=tester) rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user tester authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[myldap] returns ok ++- redundant-load-balance group redundant-load-balance returns ok !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! auth: type Local auth: user supplied User-Password does NOT match local User-Password auth: Failed to validate the user. Login incorrect: [tester] (from client unbsj113 port 192) Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 20 to 192.168.1.113 port 20000 Waking up in 4.9 seconds. Cleaning up request 0 ID 20 with timestamp +111 Ready to process requests. ************** In radiusd.conf, ldap myldap { server = "ldap2.myu.ca" identity = "uid=radius,dc=myu,dc=ca" password = PWD12345678 basedn = "ou=people,dc=myu,dc=ca" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no # cacertfile = /path/to/cacert.pem # cacertdir = /path/to/ca/dir/ # certfile = /path/to/radius.crt cacertfile = /usr/local/etc/raddb/certs/myuCA.crt # keyfile = /path/to/radius.key # randfile = /path/to/rnd require_cert = "never" } # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" # access_attr = "dialupAccess" dictionary_mapping = ${confdir}/ldap.attrmap password_attribute = userPassword # password_header = "{clear}" edir_account_policy_check = no # groupname_attribute = cn # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO fUniqueNames)(uniquemember=%{Ldap-UserDn})))" # groupmembership_attribute = radiusGroupName groupmembership_attribute = eduPersonPrimaryAffiliation # compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = yes set_auth_type = yes #ldap_debug = 0x0028 } ldap myldap2 { ... } authorize { ... Autz-Type Ldap1 { redundant-load-balance{ myldap myldap2 } } ... } authenticate { ... Auth-Type Ldap1 { redundant-load-balance{ myldap myldap2 } } ... } Thanks for your help! Andrew
Have you noticed some warnings about password attribute in the debug? Maybe using appropriate password attribute might help ;-) Ivan Kalik Kalik Informatika ISP Dana 7/2/2008, "cxu" <cxu@unbsj.ca> piše:
Hi,
I am testing the freeradius server, and try to clarify rules applied in freeradius. In the following trials, I could not figure out how to make Autz-Type Ldap1 in authorize section to correctly set Auth-Type used in authentication without the help from "Auth-Type := Ldap1".
With the following entry in users file,
**************
DEFAULT Called-Station-Id =~ ".*Guest@myu", Autz-Type := Ldap1, Auth-Type := Ldap1
**************
the user authentication worked fine.
Below is the debug output.
**************
rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=19, length=98
User-Name = "tester"
Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu"
NAS-Port = 189
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "nortel"
NAS-IP-Address = 192.168.1.113
User-Password = "testing"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
users: Matched entry DEFAULT at line 70
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Autz-Type Ldap1
+- entering group Ldap1
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tester
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/unbCA.crt
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap.myu.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter (uid=tester)
rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tester authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[myldap2] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
rad_check_password: Found Auth-Type Ldap1
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!
auth: type "Ldap1"
+- entering group Ldap1
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authenticate
rlm_ldap: login attempt by "tester" with password "testing"
rlm_ldap: user DN: uid=tester,ou=people,dc=myu,dc=ca
rlm_ldap: (re)connect to ldap.myu.ca:389, authentication 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as uid=tester,ou=people,dc=myu,dc=ca/testing to ldap.myu.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user tester authenticated succesfully
+++[myldap2] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
Login OK: [tester] (from client unbsj113 port 189)
Sending Access-Accept of id 19 to 192.168.1.113 port 20000
Finished request 0.
Going to the next request
Waking up in 0.8 seconds.
Waking up in 4.1 seconds.
Cleaning up request 0 ID 19 with timestamp +99
Ready to process requests.
**************
However when I removed Auth-Type := Ldap1 in the entry,
**************
DEFAULT Called-Station-Id =~ ".*Guest@myu", Autz-Type := Ldap1
**************
the user authentication failed. The Auth Type is set to Local instead of Ldap.
Below is the debug output.
**************
rad_recv: Access-Request packet from host 192.168.1.113 port 20000, id=20, length=98
User-Name = "tester"
Called-Station-Id = "00-1B-BA-A5-45-40:Guest@myu"
NAS-Port = 192
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "nortel"
NAS-IP-Address = 192.168.1.113
User-Password = "testing"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "tester", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
expand: %{Called-Station-Id} -> 00-1B-BA-A5-45-40:Guest@myu
users: Matched entry DEFAULT at line 71
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Autz-Type Ldap1
+- entering group Ldap1
++- entering redundant-load-balance group redundant-load-balance
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tester
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=tester)
expand: ou=people,dc=myu,dc=ca -> ou=people,dc=myu,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap2.myu.ca:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/certs/myuCA.crt
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as uid=radius,dc=myu,dc=ca/PWD12345678 to ldap2.myu.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=myu,dc=ca, with filter (uid=tester)
rlm_ldap: Added User-Password = {SSHA}jSTYFonbXmIE6pReKdYUvq0RhxuhLUAT6FYcG== in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tester authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[myldap] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [tester] (from client unbsj113 port 192)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 20 to 192.168.1.113 port 20000
Waking up in 4.9 seconds.
Cleaning up request 0 ID 20 with timestamp +111
Ready to process requests.
**************
In radiusd.conf,
ldap myldap {
server = "ldap2.myu.ca"
identity = "uid=radius,dc=myu,dc=ca"
password = PWD12345678
basedn = "ou=people,dc=myu,dc=ca"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
cacertfile = /usr/local/etc/raddb/certs/myuCA.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
require_cert = "never"
}
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
dictionary_mapping = ${confdir}/ldap.attrmap
password_attribute = userPassword
# password_header = "{clear}"
edir_account_policy_check = no
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO fUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
groupmembership_attribute = eduPersonPrimaryAffiliation
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
set_auth_type = yes
#ldap_debug = 0x0028
}
ldap myldap2 {
....
}
authorize {
....
Autz-Type Ldap1 {
redundant-load-balance{
myldap
myldap2
}
}
....
}
authenticate {
....
Auth-Type Ldap1 {
redundant-load-balance{
myldap
myldap2
}
}
....
}
Thanks for your help!
Andrew
Thank you, Ivan! You pointed out the part that I feel confused. A dumb question. How could I configure freeradius to replace User-Password in config items with Cleartext-Password? Thanks again!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !
-----Original Message----- From: freeradius-users-bounces+cxu=unbsj.ca@lists.freeradius.org [mailto:freeradius-users-bounces+cxu=unbsj.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Thursday, February 07, 2008 4:49 PM To: FreeRadius users mailing list Subject: Re: Problem when removing Auth-Type := Ldap in users file Have you noticed some warnings about password attribute in the debug? Maybe using appropriate password attribute might help ;-) Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
password_attibute in ldap section. But your password is not clear text. You might need to create an entry in ldap.attrmap for SHA-Password. You will be able to do pap requests but not much more with the password you are storing. Ivan Kalik Kalik Informatika ISP Dana 7/2/2008, "cxu" <cxu@unbsj.ca> piše:
Thank you, Ivan! You pointed out the part that I feel confused. A dumb question. How could I configure freeradius to replace User-Password in config items with Cleartext-Password?
Thanks again!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !
-----Original Message----- From: freeradius-users-bounces+cxu=unbsj.ca@lists.freeradius.org [mailto:freeradius-users-bounces+cxu=unbsj.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Thursday, February 07, 2008 4:49 PM To: FreeRadius users mailing list Subject: Re: Problem when removing Auth-Type := Ldap in users file
Have you noticed some warnings about password attribute in the debug? Maybe using appropriate password attribute might help ;-)
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have not found my way out yet. How does the ldap module in authorize section to set Auth-Type attribute to ldap? My initial thought is the ldap module in authorize section checks the User-Password attribute in the incoming Access-Request message, and if the password is in clear text then the ldap module will set the Auth-type to ldap. Am I right? Do I miss anything? Regarding password_attribute in ldap section, I am not sure whether the ldap module in authorize section really care about what password_attribute is when it comes to determine whether sets Auth-type to ldap or not. Does the freeradius server utilize password_attribute to know the attribute (or item?) which stores password on the LDAP server? Thanks!!! Quoting Ivan Kalik <tnt@kalik.net>:
password_attibute in ldap section. But your password is not clear text. You might need to create an entry in ldap.attrmap for SHA-Password. You will be able to do pap requests but not much more with the password you are storing.
Ivan Kalik Kalik Informatika ISP
Dana 7/2/2008, "cxu" <cxu@unbsj.ca> pi¹e:
Thank you, Ivan! You pointed out the part that I feel confused. A dumb question. How could I configure freeradius to replace User-Password in config items with Cleartext-Password?
Thanks again!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! !!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! !!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !
-----Original Message----- From: freeradius-users-bounces+cxu=unbsj.ca@lists.freeradius.org [mailto:freeradius-users-bounces+cxu=unbsj.ca@lists.freeradius.org] On Behalf Of Ivan Kalik Sent: Thursday, February 07, 2008 4:49 PM To: FreeRadius users mailing list Subject: Re: Problem when removing Auth-Type := Ldap in users file
Have you noticed some warnings about password attribute in the debug? Maybe using appropriate password attribute might help ;-)
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have not found my way out yet. How does the ldap module in authorize section to set Auth-Type attribute to ldap?
Read the comments in ldap section. You *will* find answers in there. There is a setting that controls whether Auth-Type ldap will be set if the password is found in the directory. Read the section and you will find it. I am not going to post that information here as well. Ivan Kalik Kalik Informatika ISP
participants (3)
-
cxu -
Ivan Kalik -
Xu, Chun