Using mschap authentication without EAP
Giuseppina Venezia
giusy.venezia at gmail.com
Thu Jul 20 21:35:21 CEST 2006
Here is my slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# Set the logging level
loglevel 296
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# SSL directives
#TLSCipherSuite HIGH
#TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem
#TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key.pem
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=uniroma1,dc=it"
rootdn "cn=Manager,dc=uniroma1,dc=it"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}gUlr8Lqr7eYgfSti9+Dl76lbkbgK3fqc
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data/uniroma1.it
mode 0600
# Indices to maintain
index objectClass eq,pres
index cn eq,pres
index uid eq,pres
index userPassword eq,pres
cachesize 2000
Thanks in advance
Giusy Venezia
On 7/20/06, Thibault Le Meur <Thibault.LeMeur at supelec.fr> wrote:
>
> > rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0, length=217
> > User-Name = "misterc"
> > CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> > CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> > NAS-IP-Address = 0.0.0.0
> > Service-Type = Login-User
> > Framed-IP-Address = 192.168.182.2
> > Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> > Called-Station-Id = "AA-AA-AA-AA-DD-AA"
> > NAS-Identifier = "nas01"
> > Acct-Session-Id = "44bfd15d00000000"
> > NAS-Port-Type = Wireless-802.11
> > NAS-Port = 0
> > Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
> > WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff"
> >
>
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user authorization for misterc
> > Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: '(uid=misterc)'
> > Thu Jul 20 20:54:50 2006 : Debug: radius_xlat: 'ou=utenti,dc=XXXX,dc=it'
>
> Ok rlm_ldap is initialized
>
>
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to 192.168.1.221:389
> > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result ...
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
>
> bind to the directory is Ok
>
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in
> > ou=utenti,dc=XXXX,dc=it, with filter (uid=misterc)
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got
> > ambiguous search result
> > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
>
> Ah...
> Seems that the user bound to the ldap directory can't find uid=misterc
> in ou=utenti,dc=XXXX,dc=it
>
>
> > Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>
> So Auth-Type isn't set to Ldap
>
> > Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.
>
> This is logical
>
> > ldap {
> > server="192.168.1.221"
> > port="389"
> > basedn="ou=utenti,dc=uniroma1,dc=it"
> > filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> > start_tls = no
> > access_attr = "uid"
> > dictionary_mapping = ${raddbdir}/ldap.attrmap
> > authtype = ldap
> > ldap_connections_number = 5
> > password_header = "{SHA}"
> > password_attribute = userPassword
> > }
> > }
>
> Well, isn't it a problem of rights? Is the anonymous user able to search the
> openldap directory for user entries?
>
> What is the result of a simple "ldapsearch" with the same ldap filter?
>
> > If you need any other information please ask us; sorry if we are boring you but we are trying and trying without any significant result.
> > Thanks.
>
> Have you got ACLs in your openldap directory configuration files?
>
> Regards,
> Thibault
>
>
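Added example, not code from the original post: slapd.conf ACLs for the directory above that let a dedicated FreeRADIUS bind DN search ou=utenti with the uid filter while keeping userPassword unreadable, followed in comments by the ldapsearch check Thibault asks for. Note that a CHAP-Password, as in the quoted request, can only be verified against a cleartext password and never against a {SHA} hash, so with password_header = "{SHA}" only a PAP request (User-Password, checked by rlm_ldap binding as the user) can succeed. The service DN cn=radius,ou=servizi,dc=uniroma1,dc=it and its use as identity/password in the ldap {} module are assumptions.

```conf
# ACL clauses are evaluated in order and the first "access to" that
# matches wins, so the userPassword clause must come before the
# catch-all clause. Access levels: none < auth < compare < search < read.

# Root DSE and subschema: anyone may read them
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read

# userPassword: usable only for binding (auth); nobody reads the hash
# over the wire, the user may change his own password.
# cn=radius,... is an assumed service DN, not one from the original post.
access to attrs=userPassword
        by dn.exact="cn=radius,ou=servizi,dc=uniroma1,dc=it" auth
        by self write
        by anonymous auth
        by * none

# User entries: the service DN needs at least "search" on the entries so
# that the filter (uid=%{Stripped-User-Name:-%{User-Name}}) can match.
# Anonymous gets "auth" only; with the anonymous bind the posted ldap {}
# block uses ("bind as / to ...") the search would still fail, which is
# the intended trade-off: an anonymous client must not enumerate uids.
# If an anonymous bind has to stay, change "by anonymous auth" to
# "by anonymous search" here, accepting that enumeration.
access to dn.subtree="ou=utenti,dc=uniroma1,dc=it"
        by dn.exact="cn=radius,ou=servizi,dc=uniroma1,dc=it" read
        by self write
        by users read
        by anonymous auth
        by * none

# Everything else: authenticated users read, anonymous may only bind
access to *
        by self write
        by users read
        by anonymous auth

# Check, as suggested in the reply, with exactly the base and filter
# rlm_ldap uses, bound as the service DN (-D/-W) and then anonymously
# (-x without -D): the first must return the entry, the second must not.
#   ldapsearch -x -H ldap://192.168.1.221 \
#     -D "cn=radius,ou=servizi,dc=uniroma1,dc=it" -W \
#     -b "ou=utenti,dc=uniroma1,dc=it" "(uid=misterc)" uid
#   ldapsearch -x -H ldap://192.168.1.221 \
#     -b "ou=utenti,dc=uniroma1,dc=it" "(uid=misterc)" uid
```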