Freeradius and LDAP : to be continued
Christophe Gravier
christophe.gravier at univ-st-etienne.fr
Thu Dec 15 17:50:04 CET 2005
Seferovic Edvin wrote:
>Hi,
>
>rather confusing. I have to admit, I have never used chillispot, but I've
>just visited their website and in FAQ I found "Why should I use
>CHAP-Challenge and CHAP-Password?" so this makes me think that Chillispot
>uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as
>authorisation, but as a password storage. Okay - great.. what now?
>
This is a really good summary of the situation ;-)
>When you look at your radiusd.conf file there is a part where you can define
>your LDAP server etc..
>
>ldap ldap_users {
>
> server = "81.xxxxxxxxxx"
> # identity = "cn=admin,o=My Org,c=UA"
> # password = mypass
> basedn = "ou=People,dc=xxx,dc=xx"
> filter = "(&(objectClass=posixAccount)(uid=%u))"
>
> start_tls = no
>
> ......
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> ldap_connections_number = 10
> # password_header = "{clear}"
> password_attribute = userPassword
> timeout = 4
> timelimit = 3
> net_timeout = 1
> # compare_check_items = yes
> # access_attr_used_for_allow = yes
> }
>
>I hope you have that right ( this is only a part of my working config ).
>
I have :
ldap {
server = "my.server.name.here"
basedn = "ou=person,o=istase,c=fr"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
}
I think this shall be rather good since I can see it searching in ldap
log if I launch slapd in debug mode. (nentries = 1 : OK, it finds my
userPassword using this filter - my filter seems different from yours).
Also, the User-Password->userPassword mapping is done in ldap.attrmap in
my case.
>Next, what Alan said is to change the authorisation part. As I said -
>chillispot apparently wants CHAP, so in following section use CHAP
>
>authorize {
>
> # The chap module will set 'Auth-Type := CHAP' if we are
> # handling a CHAP request and Auth-Type has not already been set
> Chap
>
> # here you can also have
> ldap_users
> # for radtest to work ( IMHO it should be like this )
>}
>
>And in
>
>authenticate {
>
> # Most people want CHAP authentication
> # A back-end database listed in the 'authorize' section
> # MUST supply a CLEAR TEXT password. Encrypted passwords
> # won't work.
> Auth-Type CHAP {
> chap
> ldap_users
> }
>}
>
>As it says in authenticate section - passwords in LDAP should be in clear
>text...
>
My passwords are not stored in LDAP in clear text but hashed using the SHA
algorithm, so this won't work ;-(
>Try this out. I cannot promise you that it will work, but it is the same way
>I have set up my POPTOP server with MS-CHAP, and it works.. I would also
>appreciate some guru to take a look at this and publish his opinion about
>this on this list ;)
>
>Kind regards,
>
>Edvin
>
>-----Original Message-----
>From: freeradius-users-bounces at lists.freeradius.org
>[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
>Christophe Gravier
>Sent: Donnerstag, 15. Dezember 2005 16:41
>To: FreeRadius users mailing list
>Subject: Re: Freeradius and LDAP : to be continued
>
>Hello Edvin,
>
>First, I received my email posted to the list several times in my mail
>client.
>I highly hope this is not the case for all of you! (if it is, thunderbird
>didn't like to switch from the testing wireless network back to cable
>and vice versa, since they're all dated to the same hour....)
>If you received only one mail, it is OK, just forget what I told ;-)
>
>For what I am trying to do:
>I have an existing LDAP directory with all users being able to connect
>to the wireless area.
>
>The hotspot architecture is :
>
>client <-> chillispot (login page served with apache2 + ssl) <->
>freeradius <-> ldap.
>
>I just want my ldap users being able to connect to the hotspot.
>
>So, *at first*, I edited the conf file to let users be authenticated via
>LDAP.
>
>This way, radtest was just OK but not ChilliSpot. When I reported it to
>the list, asking how radtest is different to chillispot login, Alan
>explained to me:
>" You're using LDAP as an authentication server. Don't do that. Use LDAP
>to store passwords.
> i.e. remove the "ldap" entry from the "authenticate" section. Get
>radtest to work. Once that works, Chillispot will work, too."
>
>So I removed "ldap" from authenticate (I left it in the authorize section
>though).
>
>But it still doesn't solve the problem.
>
>In the end, Alan proposed to hack rlm_ldap.c to "have it *never* set
>Auth-Type to LDAP. That would solve a lot of problems."
>
>I just find it dirty to hack the radius then recompile to get ldap
>support :-(
>
>If you're using LDAP for your users accessing the hotspot, would you
>please tell me how you achieve this ?
>
>Best Regards,
>
>Seferovic Edvin wrote:
>
>>Hello,
>>
>>I must admit, I have been reading this thread, but I still do not understand
>>what Christophe is trying to accomplish. As far as I understand - you have
>>your passwords in LDAP, and you only ( kind of ) need to authorize but NOT
>>authenticate users that are in your LDAP directory..
>>
>>Please correct me...
>>
>>Regards,
>>
>>Edvin
>>
>>-----Original Message-----
>>From: freeradius-users-bounces at lists.freeradius.org
>>[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
>>Christophe Gravier
>>Sent: Donnerstag, 15. Dezember 2005 16:05
>>To: FreeRadius users mailing list
>>Subject: Re: Freeradius and LDAP : to be continued
>>
>>Phil Mayers wrote:
>>
>>>Alan DeKok wrote:
>>>
>>>><christophe.gravier at univ-st-etienne.fr> wrote:
>>>>
>>>>>rlm_ldap: Adding userPassword as User-Password, value { & op=11
>>>>>
>>>> That's better.
>>>>
>>>>>modcall: group authorize returns ok for request 0
>>>>> rad_check_password: Found Auth-Type LDAP
>>>>>
>>>> Yuck.
>>>>
>>>> My quick answer is to edit rlm_ldap.c to have it *never* set
>>>>Auth-Type to LDAP. That would solve a lot of problems.
>>>>
>>>Interesting. I mentioned this to another querier the other day:
>>>
>>>http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html
>>
>>Argggg. You lost me.
>>
>>Still not working.
>>I can't imagine I'm unable to make freeradius use LDAP passwords without
>>hacking it :-/
>>
>>>What then would the authenticate section look like to use LDAP?
>>>Presumably something like:
>>>
>>>authenticate {
>>> Auth-Type PAP {
>>> ldap
>>> }
>>>}
>>>
>>>...but of course then you get into what happens if you want 2
>>>different services in the same server, such as:
>>>
>>>authenticate {
>>> Auth-Type PAP-service1 {
>>> ldap1
>>> }
>>> Auth-Type PAP-service2 {
>>> ldap2
>>> }
>>> Auth-Type MSCHAP-service1 {
>>> mschap1
>>> }
>>> Auth-Type MSCHAP-service2 {
>>> mschap2
>>> }
>>>}
>>>
>>>...etc. - nasty. Is it possible to do:
>>>
>>>authenticate {
>>> Huntgroup Service1 {
>>> Auth-Type PAP {
>>> ldap1
>>> }
>>> Auth-Type MSCHAP {
>>> mschap1
>>> }
>>> }
>>>
>>> Huntgroup Service2 {
>>> Auth-Type PAP {
>>> ldap2
>>> }
>>> Auth-Type MSCHAP {
>>> mschap2
>>> }
>>> }
>>>}
>>>
>>>...although "Realm" might make more sense than "Huntgroup" in
>>>understanding what I mean.
>>>
>>>There's also the possibility of wanting to use fallback:
>>>
>>>authenticate {
>>> Auth-Type PAP {
>>> ldap
>>> pap
>>> }
>>>}
>>>
>>>...although I'm pretty sure you can do that with configurable failover
>>>and the above syntax is wrong.
--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html
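The point the thread keeps circling back to (the radiusd.conf comment that a CHAP back end "MUST supply a CLEAR TEXT password", against a directory whose userPassword values are SHA hashes) can be shown in a few lines. The Python below is an added example, not code from the thread or from FreeRADIUS or ChilliSpot: it implements the RFC 1994 CHAP response and the RFC 2865 CHAP-Password attribute layout, checks PAP and CHAP against a `{clear}` value and against a `{SHA}` value, and shows why the hashed value can only serve PAP. The sample password, CHAP identifier and challenge are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credential for the demonstration (not from the thread).
SAMPLE_PASSWORD = "password"


def ldap_sha_userpassword(password: str) -> str:
    """Encode a password the way slapd stores it with {SHA}: base64(SHA-1(pw))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def stored_secret(stored: str):
    """Split an LDAP userPassword value into (scheme, payload).

    scheme is '' for a bare cleartext value, otherwise the upper-cased
    prefix without braces ('SHA', 'CLEAR', ...)."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "", stored


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def build_chap_password_attr(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 2865 CHAP-Password attribute value: 1 byte CHAP ident + 16 byte response.

    This is the client side of the exchange (what the captive portal sends
    to RADIUS); the client needs the cleartext secret, and so does the server."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def verify_pap(stored: str, presented: str) -> bool:
    """PAP delivers the cleartext, so the server can re-hash and compare."""
    scheme, payload = stored_secret(stored)
    if scheme == "SHA":
        expected = base64.b64decode(payload)
        return hmac.compare_digest(expected, hashlib.sha1(presented.encode()).digest())
    if scheme in ("", "CLEAR"):
        return hmac.compare_digest(payload.encode(), presented.encode())
    raise ValueError(f"unsupported password scheme {{{scheme}}}")


def verify_chap(stored: str, chap_password: bytes, challenge: bytes) -> bool:
    """Server-side CHAP check; only possible when the stored value is cleartext.

    A {SHA} value cannot be turned back into the secret that the MD5
    computation needs, which is exactly why the authorize back end must
    supply a cleartext User-Password for Auth-Type CHAP."""
    scheme, payload = stored_secret(stored)
    if scheme not in ("", "CLEAR"):
        raise ValueError(f"CHAP needs a cleartext password, got {{{scheme}}} hash")
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, payload, challenge), response)


def demo() -> dict:
    """Run PAP and CHAP against the same password stored as {clear} and as {SHA}."""
    challenge = secrets.token_bytes(16)  # CHAP-Challenge, chosen by the NAS
    attr = build_chap_password_attr(7, SAMPLE_PASSWORD, challenge)
    clear = "{clear}" + SAMPLE_PASSWORD
    hashed = ldap_sha_userpassword(SAMPLE_PASSWORD)
    results = {
        "pap_vs_clear": verify_pap(clear, SAMPLE_PASSWORD),
        "pap_vs_sha": verify_pap(hashed, SAMPLE_PASSWORD),
        "chap_vs_clear": verify_chap(clear, attr, challenge),
    }
    try:
        verify_chap(hashed, attr, challenge)
        results["chap_vs_sha"] = "unexpectedly verified"
    except ValueError as err:
        results["chap_vs_sha"] = str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `{clear}` prefix mirrors the commented-out `password_header = "{clear}"` in Edvin's config; with a `{SHA}` userPassword the only check that can succeed is PAP, which is the situation Christophe describes. Keeping the hashed directory and using PAP over the TLS-protected portal path, rather than re-storing passwords in cleartext to satisfy CHAP, is the trade-off a deployer has to make here.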