DEFAULT entry in users file and LDAP, again
pauly at hrz.uni-marburg.de
Mon Dec 17 14:00:52 CET 2007
On Saturday 15 December 2007 08:38, Alan DeKok wrote:
> No. The problem is the WARNING message just before that. You haven't
> told the server what the "known good" password is, so the server has NO
> WAY to authenticate the user.
I tested with radtest, as before. All of my real-world access-requests
currently come to the NASes as some sort of PAP: either traditional PAP in
PPP or PAP in EAP-TTLS. In either case, the RADIUS request contains a
password in clear text. The corresponding database is in the LDAP
server with the passwords stored as salted UNIX crypt (quite traditional).
With my 1.0.5 freeradius, the sequence is pretty much straightforward:
1. Search for the user in LDAP using the given basedn and filter
to obtain authorization information.
2. If all goes well (i.e. search result is unique and user is authorized),
try another LDAP login as the newly found user-DN -- using the password
from the Access-Request packet, of course.
3. If this succeeds, the password has implicitly been confirmed by the
LDAP-Server --> send Access-Accept, otherwise --> send Access-Deny
So step 1 seems o.k., right? What then is missing to trigger step 2?
Dr. Martin Pauly Fax: 49-6421-28-26994
HRZ Univ. Marburg Phone: 49-6421-28-23527
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
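Added example (not from the post, not FreeRADIUS code): a stand-alone model of the three-step search-then-bind flow the post describes, run against a constructed in-memory directory. `FakeLdapServer`, `Entry`, `radius_auth`, the `radiusAccess` attribute and the user names are assumptions made for the example; salted SHA-256 stands in for the salted UNIX crypt hashes the post mentions. It also covers two checks a practitioner adds around step 2: escaping the user name before it goes into the search filter (RFC 4515), and refusing an empty password before binding, because a simple bind of a DN with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that some directory servers answer with success.

```python
"""Model of the LDAP search-then-bind authentication flow (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

BASEDN = "ou=people,dc=example,dc=org"  # assumed basedn for the example


@dataclass
class Entry:
    dn: str
    attrs: dict


class FakeLdapServer:
    """Constructed stand-in for the directory. The server, not the RADIUS
    side, verifies passwords on bind; RADIUS never sees the stored hash."""

    def __init__(self, entries):
        self._entries = {e.dn: e for e in entries}

    @staticmethod
    def hash_password(password, salt=None):
        # Salted SHA-256 as a stand-in for salted UNIX crypt (assumption).
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha256(salt + password.encode()).digest()
        return salt.hex() + "$" + digest.hex()

    def search(self, basedn, filt):
        # Supports only "(uid=VALUE)" filters, the shape the post's config uses.
        assert filt.startswith("(uid=") and filt.endswith(")")
        uid = filt[5:-1]
        return [e for e in self._entries.values()
                if e.dn.endswith("," + basedn) and e.attrs.get("uid") == uid]

    def bind(self, dn, password):
        """Simple bind. A DN with an empty password is an *unauthenticated*
        bind (RFC 4513 5.1.2); this model accepts it, as some servers do, so
        the caller-side guard in radius_auth is shown to matter."""
        if password == "":
            return True
        entry = self._entries.get(dn)
        if entry is None:
            return False
        salt_hex, digest_hex = entry.attrs["userPassword"].split("$")
        expected = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).digest()
        return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


def ldap_filter_escape(value):
    """RFC 4515 escaping so a user-supplied name cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def radius_auth(server, basedn, username, password):
    """Steps 1-3 from the post. Returns (reply, reason)."""
    # Step 1: authorization lookup; the result must be unique.
    matches = server.search(basedn, "(uid=%s)" % ldap_filter_escape(username))
    if len(matches) != 1:
        return ("Access-Reject", "search returned %d entries, need 1" % len(matches))
    entry = matches[0]
    if entry.attrs.get("radiusAccess") != "TRUE":  # hypothetical authz attribute
        return ("Access-Reject", "user not authorized for RADIUS")
    # Guard before step 2: never turn an empty password into an unauthenticated bind.
    if password == "":
        return ("Access-Reject", "empty password refused before bind")
    # Step 2: bind as the DN just found, with the password from the Access-Request.
    if not server.bind(entry.dn, password):
        return ("Access-Reject", "bind as %s failed" % entry.dn)
    # Step 3: the directory confirmed the password.
    return ("Access-Accept", entry.dn)


def build_directory():
    """Constructed sample directory: one valid user, one unauthorized user,
    and a uid that is not unique below the basedn."""
    h = FakeLdapServer.hash_password
    return FakeLdapServer([
        Entry("uid=alice,%s" % BASEDN,
              {"uid": "alice", "userPassword": h("correct horse"), "radiusAccess": "TRUE"}),
        Entry("uid=bob,%s" % BASEDN,
              {"uid": "bob", "userPassword": h("bobpw"), "radiusAccess": "FALSE"}),
        Entry("uid=dup,ou=staff,%s" % BASEDN,
              {"uid": "dup", "userPassword": h("x"), "radiusAccess": "TRUE"}),
        Entry("uid=dup,ou=students,%s" % BASEDN,
              {"uid": "dup", "userPassword": h("y"), "radiusAccess": "TRUE"}),
    ])


if __name__ == "__main__":
    srv = build_directory()
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("alice", ""), ("bob", "bobpw"), ("dup", "x"), ("nobody", "z")]:
        print(user, repr(pw), "->", radius_auth(srv, BASEDN, user, pw))
```

In FreeRADIUS terms, step 2 is the bind the `ldap` module performs when a request reaches the `authenticate` section with `Auth-Type := LDAP` set, for example by a `DEFAULT Auth-Type := LDAP` entry in the users file paired with an `Auth-Type LDAP { ldap }` block in `authenticate`; the search in step 1 is what `ldap` does in `authorize`. The empty-password guard is worth keeping in the real configuration too, since the bind-based check is only as strict as the directory's handling of unauthenticated binds.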