Using mschap authentication without EAP

Giuseppina Venezia giusy.venezia at gmail.com
Fri Jul 21 10:30:16 CEST 2006


On 7/20/06, Thibault Le Meur <Thibault.LeMeur at supelec.fr> wrote:
>
>
> Well isn't it a pb of rights ? Is the anonymous user able to search the
> openldap directory for users entries ?


Yes, the anonymous user is able to search.

> What is the result of a simple "ldapsearch" with the same LDAP filter?


ldapsearch -x -b "dc=xxxx,dc=it" "(uid=misterc)"

# extended LDIF
#
# LDAPv3
# base <dc=xxxx,dc=it> with scope subtree
# filter: (uid=misterc)
# requesting: ALL
#

# Vito Cu, utenti, xxxx.it
dn: cn=Vito Cu,ou=utenti,dc=xxxx,dc=it
uid: misterc
description: bel giovine
sn: Cu
cn: newperson
cn: Vito Cu
userPassword:: e1NIQX1TQ01UU1l5cVpESHcvSXhqRUJGWHdQQnFTTXM9
objectClass: radiusprofile
objectClass: inetOrgPerson
radiusAuthType: LDAP

# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

> Have you got ACLs in your openldap directory configuration files?


All the users have the rights.

Well, after some changes in OpenLDAP config, this is the result:

Fri Jul 21 11:15:51 2006 : Debug:   Processing the authorize section of
radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group authorize for
request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: returned from eap
(rlm_eap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authorize]: module "eap" returns
noop for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authorize
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing user authorization
for misterc
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat:  '(uid=misterc)'
Fri Jul 21 11:15:51 2006 : Debug: radius_xlat:  'ou=utenti,dc=xxxx,dc=it'
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: attempting LDAP reconnection
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: (re)connect to 192.168.1.221:389,
authentication 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: bind as
cn=Manager,dc=xxxx,dc=it/PASSWORD to 192.168.1.221:389
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: waiting for bind result ...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Bind was successful
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: performing search in
ou=utenti,dc=xxxx,dc=it, with filter (uid=misterc)
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: checking if remote access for
misterc is allowed by userPassword
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Added password
{SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= in check items
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for check items in
directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding radiusAuthType as
Auth-Type, value LDAP & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: Adding userPassword as
User-Password, value {SHA}SCMTSYyqZDHw/IxjEBFXwPBqSMs= & op=21
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: looking for reply items in
directory...
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: user misterc authorized to use
remote access
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authorize]: returned from ldap
(rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authorize]: module "ldap"
returns ok for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group authorize (returns
ok) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   rad_check_password:  Found Auth-Type
LDAP
Fri Jul 21 11:15:51 2006 : Debug: auth: type "LDAP"
Fri Jul 21 11:15:51 2006 : Debug:   Processing the authenticate section of
radiusd.conf
Fri Jul 21 11:15:51 2006 : Debug: modcall: entering group LDAP for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling pap
(rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Auth: rlm_pap: Attribute "Password" is required
for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: returned from
pap (rlm_pap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authenticate]: module "pap"
returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: calling ldap
(rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug: rlm_ldap: - authenticate
Fri Jul 21 11:15:51 2006 : Auth: rlm_ldap: Attribute "User-Password" is
required for authentication. Cannot use "CHAP-Password".
Fri Jul 21 11:15:51 2006 : Debug:   modsingle[authenticate]: returned from
ldap (rlm_ldap) for request 0
Fri Jul 21 11:15:51 2006 : Debug:   modcall[authenticate]: module "ldap"
returns invalid for request 0
Fri Jul 21 11:15:51 2006 : Debug: modcall: leaving group LDAP (returns
invalid) for request 0
Fri Jul 21 11:15:51 2006 : Debug: auth: Failed to validate the user.

Config files are the same as above.
Best regards.
Giusy Venezia
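The log above ends with rlm_pap and rlm_ldap both returning "invalid" because the request carries a CHAP-Password while LDAP holds a {SHA} userPassword. The following added example (not from this thread or from FreeRADIUS) models that decision: PAP can be checked against a hashed password, CHAP only against a cleartext one. The password, challenge and attribute-dict layout are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample password for a user like "misterc"; the {SHA} value on
# the page is not reused because its cleartext is unknown.
USER_PASSWORD = "s3cret-example"


def ldap_sha(password: str) -> str:
    """Encode a cleartext password as OpenLDAP stores a {SHA} userPassword."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def authenticate(stored: str, request: dict) -> str:
    """Mirror what rlm_pap/rlm_ldap can do with the stored userPassword.
    `stored` is cleartext or "{SHA}..."; `request` carries User-Password (PAP)
    or CHAP-Password (1 ident byte + 16 MD5 bytes) plus CHAP-Challenge.
    Returns "ok", "reject", or "invalid" (check impossible, as in the log).
    """
    if "User-Password" in request:  # PAP: cleartext arrived, hash it and compare
        candidate = request["User-Password"]
        expected = ldap_sha(candidate) if stored.startswith("{SHA}") else candidate
        return "ok" if hmac.compare_digest(stored.encode(), expected.encode()) else "reject"
    if "CHAP-Password" in request:  # CHAP: only MD5(id||pw||challenge) arrived
        if stored.startswith("{SHA}"):
            # MD5 over the cleartext cannot be derived from sha1(cleartext),
            # so the server cannot check it without the cleartext password.
            return "invalid"
        chap_id, response = request["CHAP-Password"][0], request["CHAP-Password"][1:]
        expected = chap_response(chap_id, stored, request["CHAP-Challenge"])
        return "ok" if hmac.compare_digest(expected, response) else "reject"
    return "invalid"


def demo() -> dict:
    challenge = os.urandom(16)
    chap_req = {"CHAP-Password": bytes([7]) + chap_response(7, USER_PASSWORD, challenge),
                "CHAP-Challenge": challenge}
    pap_req = {"User-Password": USER_PASSWORD}
    return {"pap_vs_sha": authenticate(ldap_sha(USER_PASSWORD), pap_req),
            "chap_vs_sha": authenticate(ldap_sha(USER_PASSWORD), chap_req),
            "chap_vs_cleartext": authenticate(USER_PASSWORD, chap_req),
            "chap_wrong_cleartext": authenticate("wrong-password", chap_req)}
```

The "chap_vs_sha" case is the one in the post: the only ways out are to have the NAS send PAP (User-Password) or to store a cleartext password the server can feed into the CHAP computation.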