Freeradius and LDAP : to be continued

Christophe Gravier christophe.gravier at univ-st-etienne.fr
Fri Dec 16 11:14:38 CET 2005


Christophe Gravier wrote:

> Phil Mayers wrote:
>
>> Christophe Gravier wrote:
>>
>>>>
>>> My passwords are not stored in LDAP in clear text but hashed using 
>>> the SHA algorithm, so this won't work ;-(
>>
>> Ok, let's take a breath. First things first:
>>
>> If your passwords are in SHA (which they are) your Radius server will 
>> ONLY be able to answer PAP requests.
>>
>> The very first log you sent in this thread indicates you have 
>> ChilliSpot set to use CHAP:
>>
>>
>> rlm_ldap: - authenticate
>> rlm_ldap: Attribute "User-Password" is required for authentication. 
>> Cannot use "CHAP-Password".
>>  modcall[authenticate]: module "ldap" returns invalid for request 0
>> modcall: group Auth-Type returns invalid for request 0
>> auth: Failed to validate the user.
>>
>> '''"Cannot use "CHAP-Password"''' - indicates the request (from 
>> ChilliSpot) came in with CHAP credentials.
>>
>> First, fix that. See here:
>>
>> http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html
>>
>>
>> Next, since you have SHA passwords and can only answer PAP, you have 
>> two choices:
>>
>>  1. Extract the SHA password and add it to the config items, then 
>> configure the Radius server's PAP module to check it:
>>
>> modules {
>>   pap {
>>     encryption_scheme = sha1
>>   }
>>   ldap {
>>     # settings go here
>>   }
>> }
>>
>> authorize {
>>   preprocess
>>   ldap
>> }
>> authenticate {
>>   Auth-Type PAP {
>>     pap
>>   }
>> }
>>
>> HOWEVER - this may not work. The "SHA" that your LDAP server uses may 
>> be slightly different (salting, keying) than the SHA FreeRadius uses.
>>
>> Much more likely to trip you up though, is when "ldap" matches in 
>> authorize, it will set Auth-Type = LDAP, so you either need to 
>> disable that or otherwise "make it work" and there are about 6 
>> different ways of doing that. The most obvious would be to replace 
>> the above with:
>>
>> modules { as before }
>> authorize { as before }
>> authenticate {
>>   Auth-Type LDAP {
>>     pap
>>   }
>> }
>>
>
> I want to make "set Auth-Type = LDAP" working by making this Auth-Type 
> use the pap configuration. (correct me If I'm wrong).
>
> I followed what you advised:
> - configure chilli uamsecret and uampassword
> - put pap configuration in module section
> - check ldap configuration in module
> - put ldap in authorize
> - put Auth-Type LDAP {  pap  } in authenticate.
>
> Now things got through pap indeed, but I'm told:
> rlm_pap: No password (or empty password) to check against for for user 
> gravier.christophe
>
> I think I totally misunderstand your sentence: "Extract the SHA 
> password and add it to the config items". I thought it means to add 
> the mapping "checkItem User-Password userPassword" in ldap.attrmap 
> (where userPassword is my attribute for SHA password). As it didn't 
> work I used the "password_attribute" conf entry in ldap configuration 
> (module section), but as I expected it has the same consequence.
>
> Could you please, be more precise about the extraction of SHA password 
> ? Is there an additional conf entry for pap in module section ?
>
> Here is the complete trace:
>
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, 
> authentication 0
> rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter 
> (uid=gravier.christophe)
> rlm_ldap: checking if remote access for gravier.christophe is allowed 
> by uid
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user gravier.christophe authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns ok for request 0
>  modcall[authorize]: module "chap" returns noop for request 0
>  modcall[authorize]: module "mschap" returns noop for request 0
>    rlm_realm: No '@' in User-Name = "gravier.christophe", looking up 
> realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 0
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 0
>    users: Matched entry DEFAULT at line 158
>  modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns ok for request 0
>  rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>  Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_pap: login attempt by "gravier.christophe" with password < here 
> the trace prints my password in plain text, normal ? >
> rlm_pap: No password (or empty password) to check against for for user 
> gravier.christophe
>  modcall[authenticate]: module "pap" returns invalid for request 0
> modcall: group Auth-Type returns invalid for request 0
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
>
>
>> But it might not work. Alternatively and probably simpler (but less 
>> formally correct) is the 2nd method:
>>
>>  2. Configure the LDAP module to find the user, set Auth-Type==LDAP 
>> then authenticate the user via simple bind:
>>
>> authorize {
>>   preprocess
>>   ldap
>> }
>> authenticate {
>>   Auth-Type LDAP {
>>     ldap
>>   }
>> }
>>
>> ...and assuming the "ldap" module is set up correctly, what will 
>> happen is:
>>
>> A. authorize called
>>  1. preprocess called
>>  2. suffix realm called - no-op probably
>>  3. files called - no-op probably but DO NOT SET Auth-Type
>>  4. ldap called - search succeeds, and "Ldap-UserDN" is set, and 
>> "Auth-Type" set to "LDAP"
>>
>> B. authenticate called
>>  1. Auth-Type == LDAP, so "ldap" called and simple bind performed
>>

Oops, I missed the last part of the previous mail:

BTW, The second method *DOES* work ;-)
Thank you Phil, my captive portal is now working using LDAP at last :-)
(My question about method 1 is about understanding)

>> And it WILL WORK.
>
>


-- 
Christophe Gravier
DIOM Laboratory, SATIn group - PhD student
ISTASE - Research engineer
Personal: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel: 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
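The caveat Phil raises about method 1 ("the SHA your LDAP server uses may be slightly different (salting, keying) than the SHA FreeRadius uses") is the usual reason a `{SHA}`-style check fails against a directory. The following is an added illustration, not code from the thread, FreeRADIUS or rlm_pap: it builds RFC 2307 `{SHA}` and `{SSHA}` userPassword values with constructed sample passwords and salts, verifies a cleartext PAP password against both, and contrasts that with a naive unsalted SHA-1 comparison that only works for `{SHA}` and silently fails for `{SSHA}`. Function names and sample values are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed helper names; sample passwords/salts below are constructed for the example.

def make_ldap_sha(password: str) -> str:
    """Build an RFC 2307 '{SHA}' userPassword value: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a '{SSHA}' value: base64(sha1(password + salt) + salt).
    The salt is appended to the digest so a verifier can recover it."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ldap_password(password: str, stored: str) -> bool:
    """Check a cleartext (PAP) password against a {SHA} or {SSHA} userPassword value.

    Comparison uses hmac.compare_digest so timing does not depend on how many
    leading bytes of the digest match."""
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        if len(raw) != 20:                       # SHA-1 digests are exactly 20 bytes
            return False
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, raw)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        if len(raw) <= 20:                       # need digest plus at least one salt byte
            return False
        digest, salt = raw[:20], raw[20:]        # salt is everything after the digest
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError("unsupported password scheme: " + stored.split("}", 1)[0] + "}")


def naive_sha1_check(password: str, stored: str) -> bool:
    """What a checker that only understands unsalted SHA-1 does: it hashes the
    password alone and compares against the first 20 bytes of the stored blob.
    Works for {SHA}, always fails for {SSHA} because the salt never enters the hash."""
    raw = base64.b64decode(stored.split("}", 1)[1])
    return hashlib.sha1(password.encode("utf-8")).digest() == raw[:20]


if __name__ == "__main__":
    sha_value = make_ldap_sha("correct horse")          # constructed sample
    ssha_value = make_ldap_ssha("correct horse", b"ab12")  # constructed sample salt
    print("SHA  verify :", verify_ldap_password("correct horse", sha_value))
    print("SSHA verify :", verify_ldap_password("correct horse", ssha_value))
    print("naive on SHA :", naive_sha1_check("correct horse", sha_value))
    print("naive on SSHA:", naive_sha1_check("correct horse", ssha_value))
```

The practical check when debugging an rlm_pap "no password to check against" or "bad password" result is to look at the raw userPassword value's scheme prefix: `{SHA}` is what an unsalted sha1 scheme can compare, while `{SSHA}` carries a per-entry salt that the comparison has to extract first, and a simple LDAP bind (method 2) sidesteps the question entirely by letting the directory do the comparison.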
