How to use different ldap-modules?

Florian Prester Florian.Prester at rrze.uni-erlangen.de
Wed Jun 22 09:24:15 CEST 2005 

Hm,

I am really stuck :-(

Let me try to explain what I inted to do:

1.) PAP is just the clear-text password???
-> I thought pap is hashing the password with a challenge (MD-5). This 
means the client is then transmitting this Hash to the radius, which 
might hold the password in cleartext or as a MD-5-Hash as well. Either 
comparing the Hashes or the passwords.

So I want to the server to hold a crypted Password (MD-5) for PAP, but 
retrieving that from the ldap server.

2.) I do not want to do any binding to the ldap for authentication!
    I just want to retrieve the information from the ldap, but then 
authenticate only by the radius itself!!

3.) For authentication I want to provide PAP, CHAP, and PEAP+TLS using 
MsCHAPv2.
     
    How can I do that? If use the radiusd.conf as it comes the radius 
wants to use ldap for authentication.
    If I use the ldap-Authentication-module with the pap-instruction 
instead of ldap:

    authenticate {
...
          ldap {
             pap
          }
...
}

    it says "Login incorrect (rlm_pap: CRYPT password check failed)", 
but the password is correct, but not encrypted at the radius!!
-> CHAP works fine!
If I provide the encrypted password at the radius, PAP works fine (still 
trying ldap (i.e. PAP)) but CHAP fails, because the password do not 
match, of course not it is encrypted!!

So what can I do??

I have both the encrypted and the clear-text password, but I can not 
tell the radius what to use when?
Do I need a specific mapping in te ldap.attrmap? I map against the  
radius Password attribute, because this seems to be overruling everything!?!


Thanks
Florian



Alan DeKok wrote:

>Florian Prester <Florian.Prester at rrze.uni-erlangen.de> wrote:
>  
>
>>> Why?  Just use the clear-text password to do all of the
>>>authentication.  You're making work for yourself without any gain.
>>>      
>>>
>>But how can I do PAP with a clear-text password?
>>    
>>
>
>  Are you joking?  PAP *is* just the clear-text password!
>
>  
>
>>> You're listing EAP in that group.  DON'T.
>>>      
>>>
>>Sorry, didn`t wanna do that!
>>But I want to achieve that the authentication is first trying CHAP, then 
>>PAP and so on.
>>    
>>
>
>  Then use the default configuration.  IT WORKS.
>
>  
>
>>So how can I tell the radius to take the proper authentication and 
>>therefore a specific password using the LDAP profile?
>>    
>>
>
>  You don't.  The default configuration does this.
>
>  
>
>>In LDAP the clear-text password is given as well as the crypt one?
>>    
>>
>
>  Use the clear-text password.  It's all you need to get everything to
>work.
>
>  
>
>>I am sorry, if I am annoying you, but I am kind of confused and do not 
>>know what to do anymore.
>>    
>>
>
>  If you don't know what the configuration file does, make as FEW
>changes as possible.
>
>  All you need to do is take the default radiusd.conf, uncomment the
>references to "ldap", and configure the "ldap" module to point to your
>LDAP server.
>
>  What you did wrong was to make massive changes to the configuration
>file without really understanding what the changes meant.
>
>  Alan DeKok.
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>  
>


-- 
--------------------------------------------------------------
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany

Tel.: +499131 8527813

More information about the Freeradius-Users mailing list