Using mschap authentication without EAP

Giuseppina Venezia giusy.venezia at gmail.com
Thu Jul 20 21:45:13 CEST 2006


Sorry,
"dc=xxxx,dc=it" is the correct one, not "dc=uniroma1,dc=it" as appears in the
other configuration file.

Giusy Venezia

On 7/20/06, Giuseppina Venezia <giusy.venezia at gmail.com> wrote:
>
> Here is my slapd.conf
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/samba.schema
> include         /usr/local/etc/openldap/schema/RADIUS-LDAPv3.schema
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
>
> # Set the logging level
> loglevel        296
> pidfile         /usr/local/var/run/slapd.pid
> argsfile        /usr/local/var/run/slapd.args
>
> # SSL directives
> #TLSCipherSuite HIGH
> #TLSCertificateFile /usr/local/etc/openldap/slapd-cert.pem
> #TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key.pem
> # Load dynamic backend modules:
> # modulepath    /usr/local/libexec/openldap
> # moduleload    back_bdb.la
> # moduleload    back_ldap.la
> # moduleload    back_ldbm.la
> # moduleload    back_passwd.la
> # moduleload    back_shell.la
>
> # Sample security restrictions
> #       Require integrity protection (prevent hijacking)
> #       Require 112-bit (3DES or better) encryption for updates
> #       Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> #       Root DSE: allow anyone to read it
> #       Subschema (sub)entry DSE: allow anyone to read it
> #       Other DSEs:
> #               Allow self write access
> #               Allow authenticated users read access
> #               Allow anonymous users to authenticate
> #       Directives needed to implement policy:
> # access to dn.base= "" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> #       by self write
> #       by users read
> #       by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn.  (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # BDB database definitions
> #######################################################################
>
> database        bdb
> suffix          "dc=xxxx,dc=it"
> rootdn          "cn=Manager,dc=xxxx,dc=it"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw  {SSHA}gUlr8Lqr7eYgfSti9+Dl76lbkbgK3fqc
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory       /usr/local/var/openldap-data/xxxx.it
> mode 0600
> # Indices to maintain
> index   objectClass     eq,pres
> index   cn              eq,pres
> index   uid             eq,pres
> index   userPassword    eq,pres
> cachesize       2000
>
> Thanks in advance
> Giusy Venezia
>
>
> On 7/20/06, Thibault Le Meur <Thibault.LeMeur at supelec.fr> wrote:
> >
> > > rad_recv: Access-Request packet from host 127.0.0.1:32801, id=0,
> > length=217
> > >        User-Name = "misterc"
> > >        CHAP-Challenge = 0xa26932d73791f27d1314426f740ab34e
> > >        CHAP-Password = 0x002e07a2cc1f27e7fbd22e7bb3721a3986
> > >        NAS-IP-Address = 0.0.0.0
> > >        Service-Type = Login-User
> > >        Framed-IP-Address = 192.168.182.2
> > >        Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
> > >        Called-Station-Id = "AA-AA-AA-AA-DD-AA"
> > >        NAS-Identifier = "nas01"
> > >        Acct-Session-Id = "44bfd15d00000000"
> > >        NAS-Port-Type = Wireless-802.11
> > >        NAS-Port = 0
> > >        Message-Authenticator = 0xf61479bee3c987c66cca254dcfa39c0a
> > >        WISPr-Logoff-URL = " http://192.168.182.1:3990/logoff"
> > >
> >
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: - authorize
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: performing user
> > authorization
> > > for misterc
> > > Thu Jul 20 20:54:50 2006 : Debug: radius_xlat:  '(uid=misterc)'
> > > Thu Jul 20 20:54:50 2006 : Debug:
> > radius_xlat:  'ou=utenti,dc=XXXX,dc=it'
> >
> > Ok rlm_ldap is initialized
> >
> >
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: bind as / to
> > 192.168.1.221:389
> > > Thu Jul 20 20:54:50 2006 : Debug: rlm_ldap: waiting for bind result
> > ...
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: Bind was successful
> >
> > bind to the directory is Ok
> >
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: performing search in
> > > ou=utenti,dc=XXXX,dc=it, with filter (uid=misterc)
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: object not found or got
> > > ambiguous search result
> > > Thu Jul 20 20:54:51 2006 : Debug: rlm_ldap: search failed
> >
> > Ah...
> > Seems that the user bound to the ldap directory can't find uid=misterc
> > in ou=utenti,dc=XXXX,dc=it
> >
> >
> > > Thu Jul 20 20:54:51 2006 : Debug: auth: No authenticate method
> > (Auth-Type)
> > > configuration found for the request: Rejecting the user
> >
> > So Auth-Type isn't set to Ldap
> >
> > > Thu Jul 20 20:54:51 2006 : Debug: auth: Failed to validate the user.
> >
> > This is logical
> >
> > >    ldap {
> > >                server="192.168.1.221"
> > >                port="389"
> > >                basedn="ou=utenti,dc=uniroma1,dc=it"
> > >                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> > >                start_tls = no
> > >           access_attr = "uid"
> > >                dictionary_mapping = ${raddbdir}/ldap.attrmap
> > >                authtype = ldap
> > >                ldap_connections_number = 5
> > >                password_header = "{SHA}"
> > >                password_attribute = userPassword
> > >                 }
> > >           }
> >
> > Well, isn't it a problem of rights? Is the anonymous user able to search the
> > openldap directory for user entries?
> >
> > What is the result of a simple "ldapsearch" with the same ldap filter?
> >
> > > If you need any other information please ask us; sorry if we are
> > boring you
> > > but we are trying and trying without any significant result.
> > > Thanks.
> >
> > Have you got ACLs in your openldap directory configuration files?
> >
> > Regards,
> > Thibault
> >
> >
>
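The thread boils down to a consistency check between the OpenLDAP `suffix` and the rlm_ldap `basedn` (here they sit under different `dc=` roots), plus the question of which identity rlm_ldap binds with and whether slapd has any ACLs. The script below is an added example, not code from either poster: it runs that check over constructed config fragments modelled on the thread, and it assumes the rlm_ldap bind credentials live in the `identity`/`password` keys of the `ldap` block (not shown in the posted config).

```python
import re

# Constructed fragments modelled on the posted files (not the exact originals).
SLAPD_CONF = """\
database        bdb
suffix          "dc=xxxx,dc=it"
rootdn          "cn=Manager,dc=xxxx,dc=it"
"""

RLM_LDAP_CONF = """\
ldap {
        server="192.168.1.221"
        port="389"
        basedn="ou=utenti,dc=uniroma1,dc=it"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
}
"""

def directive(text, name):
    """Value of a `name value` or `name = "value"` line, or None if absent."""
    pat = r'^\s*%s\s*=?\s*"?([^"\n]+?)"?\s*$' % re.escape(name)
    m = re.search(pat, text, re.M | re.I)
    return m.group(1).strip() if m else None

def norm_dn(dn):
    """Lowercase the DN and strip whitespace around its RDNs for comparison."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def dn_under(dn, suffix):
    """True if dn is the suffix itself or an entry below it."""
    d, s = norm_dn(dn), norm_dn(suffix)
    return d == s or d.endswith("," + s)

def check(slapd_conf, rlm_ldap_conf):
    """Return the findings a reviewer would raise for this config pair."""
    findings = []
    suffix = directive(slapd_conf, "suffix")
    basedn = directive(rlm_ldap_conf, "basedn")
    if suffix and basedn and not dn_under(basedn, suffix):
        findings.append("basedn %s is outside slapd suffix %s: every search "
                        "returns 'object not found'" % (basedn, suffix))
    if directive(rlm_ldap_conf, "identity") is None:
        findings.append("no identity/password in rlm_ldap: searches run as "
                        "an anonymous bind (the 'bind as /' in the log)")
    if not re.search(r"^\s*access\s+to\b", slapd_conf, re.M):
        findings.append("no 'access to' ACLs in slapd.conf: default policy "
                        "lets anyone read and only rootdn write")
    return findings

if __name__ == "__main__":
    for line in check(SLAPD_CONF, RLM_LDAP_CONF):
        print("-", line)
```

With the fragments above the first finding is the one Giusy corrected in her follow-up; the other two explain why Thibault's `ldapsearch` with the same filter, run anonymously, is the right test.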