Freeradius and LDAP : to be continued
Seferovic Edvin
edvin.seferovic at kolp.at
Thu Dec 15 17:10:57 CET 2005
Hi,
rather confusing. I have to admit, I have never used chillispot, but I've
just visited their website and in FAQ I found "Why should I use
CHAP-Challenge and CHAP-Password?" so this makes me think that Chillispot
uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as
authorisation, but as a password storage. Okay - great.. what now?
When you look at your radiusd.conf file there is a part where you can define
your LDAP server etc..
ldap ldap_users {
        server = "81.xxxxxxxxxx"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "ou=People,dc=xxx,dc=xx"
        filter = "(&(objectClass=posixAccount)(uid=%u))"
        start_tls = no
        ......
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 10
        # password_header = "{clear}"
        password_attribute = userPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
}
I hope you have that right (this is only a part of my working config).
Next, what Alan said is to change the authorisation part. As I said -
chillispot apparently wants CHAP, so in the following section use CHAP
authorize {
        # The chap module will set 'Auth-Type := CHAP' if we are
        # handling a CHAP request and Auth-Type has not already been set
        chap
        # here you can also have
        ldap_users
        # for radtest to work (IMHO it should be like this)
}
And in
authenticate {
        # Most people want CHAP authentication
        # A back-end database listed in the 'authorize' section
        # MUST supply a CLEAR TEXT password. Encrypted passwords
        # won't work.
        Auth-Type CHAP {
                chap
                ldap_users
        }
}
As it says in authenticate section - passwords in LDAP should be in clear
text...
Try this out. I cannot promise you that it will work, but it is the same way
I have set up my POPTOP server with MS-CHAP, and it works.. I would also
appreciate some guru to take a look at this and publish his opinion about
this on this list ;)
Kind regards,
Edvin
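To show why the authenticate section above insists on a cleartext userPassword, here is an added illustration (not FreeRADIUS or chillispot code, and not part of Edvin's message) of the RFC 1994 CHAP check that the chap module performs: the server recomputes MD5(id || password || challenge) from the cleartext value rlm_ldap copied into User-Password, so a hashed value such as {crypt}... can only be rejected. The CHAP identifier, challenge and passwords below are constructed sample values.

```python
import hashlib
import hmac

# CHAP (RFC 1994): the NAS sends CHAP-Challenge and CHAP-Password, where
# CHAP-Password is a 1-byte identifier followed by the 16-byte MD5 of
# identifier || cleartext password || challenge. The server must rebuild
# that MD5, so the password pulled from LDAP in authorize has to be
# cleartext (optionally prefixed with a "{clear}" header), never a hash.

CHAP_ID = 0x2A  # constructed sample identifier


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: the 16-byte response the NAS puts into CHAP-Password."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def cleartext_from_ldap(user_password: bytes):
    """Mimic rlm_ldap copying userPassword into User-Password.
    Returns the usable cleartext, or None when the stored value is a hash
    ({crypt}, {SSHA}, ...) that a CHAP response can never be checked against."""
    if user_password.lower().startswith(b"{clear}"):
        return user_password[len(b"{clear}"):]
    if user_password.startswith(b"{"):
        return None
    return user_password


def verify_chap(ldap_user_password: bytes, challenge: bytes, chap_password: bytes) -> bool:
    """Server side: the check done under Auth-Type CHAP."""
    if len(chap_password) != 17:
        return False  # malformed CHAP-Password attribute
    secret = cleartext_from_ldap(ldap_user_password)
    if secret is None:
        return False  # hashed storage: the MD5 cannot be recomputed, so reject
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def demo():
    """Three constructed logins: correct cleartext password, hashed storage,
    and a different cleartext password. Returns (True, False, False)."""
    challenge = bytes(range(16))  # constructed; a real NAS sends random bytes
    good = bytes([CHAP_ID]) + chap_response(CHAP_ID, b"s3cret", challenge)
    return (
        verify_chap(b"s3cret", challenge, good),
        verify_chap(b"{crypt}$1$ab$zz", challenge, good),
        verify_chap(b"{clear}other", challenge, good),
    )
```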
-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
Christophe Gravier
Sent: Donnerstag, 15. Dezember 2005 16:41
To: FreeRadius users mailing list
Subject: Re: Freeradius and LDAP : to be continued
Hello Edvin,
First, I received my email posted to the list several times in my mail
client.
I highly hope this is not the case for all of you! (if it is, thunderbird
didn't like to switch from the testing wireless network back to cable
and vice versa, since they're all dated to the same hour....)
If you received only one mail, it is OK, just forget what I told ;-)
For what I am trying to do:
I have an existing LDAP directory with all users being able to connect
to the wireless area.
The hotspot architecture is :
client <-> chillispot (login page served with apache2 + ssl) <->
freeradius <-> ldap.
I just want my ldap users being able to connect to the hotspot.
So, *at first*, I edited the conf file to let users be authenticated via
LDAP.
This way, radtest was just OK but not ChilliSpot. When I reported it to
the list, asking how radtest is different from chillispot login, Alan
explained to me:
" You're using LDAP as an authentication server. Don't do that. Use LDAP
to store passwords.
i.e. remove the "ldap" entry from the "authenticate" section. Get
radtest to work. Once that works, Chillispot will work, too."
So I removed "ldap" from authenticate (I left it in the authorize section
though).
But it still doesn't solve the problem.
In the end, Alan proposed to hack rlm_ldap.c to "have it *never* set
Auth-Type to LDAP. That would solve a lot of problems."
I just find it dirty to hack the radius then recompile to get ldap
support :-(
If you're using LDAP for your users accessing the hotspot, would you
please tell me how you achieve this?
Best Regards,
Seferovic Edvin wrote:
>Hello,
>
>I must admit, I have been reading this thread, but I still do not understand
>what Christophe is trying to accomplish. As far as I understand - you have
>your passwords in LDAP, and you only ( kind of ) need to authorize but NOT
>authenticate users that are in your LDAP directory..
>
>Please correct me...
>
>Regards,
>
>Edvin
>
>-----Original Message-----
>From: freeradius-users-bounces at lists.freeradius.org
>[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
>Christophe Gravier
>Sent: Donnerstag, 15. Dezember 2005 16:05
>To: FreeRadius users mailing list
>Subject: Re: Freeradius and LDAP : to be continued
>
>Phil Mayers wrote:
>
>
>
>>Alan DeKok wrote:
>>
>>
>>
>>><christophe.gravier at univ-st-etienne.fr> wrote:
>>>
>>>
>>>
>>>>rlm_ldap: Adding userPassword as User-Password, value { & op=11
>>>>
>>>>
>>> That's better.
>>>
>>>
>>>
>>>>modcall: group authorize returns ok for request 0
>>>> rad_check_password: Found Auth-Type LDAP
>>>>
>>>>
>>> Yuck.
>>>
>>> My quick answer is to edit rlm_ldap.c to have it *never* set
>>>Auth-Type to LDAP. That would solve a lot of problems.
>>>
>>>
>>Interesting. I mentioned this to another querier the other day:
>>
>>
>>
>>
>http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html
>
>
>
>
>Argggg. You lost me.
>
>Still not working.
>I can't imagine I'm unable to make freeradius use LDAP passwords without
>hacking it :-/
>
>
>
>>What then would the authenticate section look like to use LDAP?
>>Presumably something like:
>>
>>authenticate {
>> Auth-Type PAP {
>> ldap
>> }
>>}
>>
>>...but of course then you get into what happens if you want 2
>>different services in the same server, such as:
>>
>>authenticate {
>> Auth-Type PAP-service1 {
>> ldap1
>> }
>> Auth-Type PAP-service2 {
>> ldap2
>> }
>> Auth-Type MSCHAP-service1 {
>> mschap1
>> }
>> Auth-Type MSCHAP-service2 {
>> mschap2
>> }
>>}
>>
>>...etc. - nasty. Is it possible to do:
>>
>>authenticate {
>> Huntgroup Service1 {
>> Auth-Type PAP {
>> ldap1
>> }
>> Auth-Type MSCHAP {
>> mschap1
>> }
>> }
>>
>> Huntgroup Service2 {
>> Auth-Type PAP {
>> ldap2
>> }
>> Auth-Type MSCHAP {
>> mschap2
>> }
>> }
>>}
>>
>>...although "Realm" might make more sense than "Huntgroup" in
>>understanding what I mean.
>>
>>There's also the possibility of wanting to use fallback:
>>
>>authenticate {
>> Auth-Type PAP {
>> ldap
>> pap
>> }
>>}
>>
>>...although I'm pretty sure you can do that with configurable failover
>>and the above syntax is wrong.
>>- List info/subscribe/unsubscribe? See
>>http://www.freeradius.org/list/users.html
>>
>>
>>
>
>
>
>
--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html