ldap search for user root
Artur Hayne
arturhayne at yahoo.com.br
Thu Oct 4 17:49:49 CEST 2007
Hi,
We have a freeradius server sending auth requests to a ldap server. We sniffed traffic between them and found search request messages from the ldap protocol asking for a user called root, but the client requests authentication for another user, an existing one. This request for user root isn't logical, since root is not a valid user in our ldap db.
Ethereal output (request packet from radius server to ldap server):
Filter:(&(objectclass=User)(sAMAccountName=root))
FreeRadius is using PAM to auth against ldap with the rlm_pam module. PAM is completely configured and we're able to use its features with other tools, such as login.
Freeradius output:
rad_recv: Access-Request packet from host 10.2.1.76:32784, id=106, length=215
User-Name = "aelias@intranet.ufba.br"
Digest-Attributes = 0x0a0861656c696173
Digest-Attributes = 0x0112696e7472616e65742e756662612e6272
Digest-Attributes = 0x022a34373032353266383139316339313161353365313735363334656362333434336638363931303665
Digest-Attributes = 0x04167369703a696e7472616e65742e756662612e6272
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "598d24b186f652a28feced8e51f92880"
Service-Type = IAPP-Register
X-Ascend-PW-Lifetime = 0x61656c696173
NAS-IP-Address = 10.2.1.76
NAS-Port = 5060
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: Looking up realm "intranet.ufba.br" for User-Name = "aelias@intranet.ufba.br"
rlm_realm: No such realm "intranet.ufba.br"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 3
users: Matched entry DEFAULT at line 168
modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns ok for request 3
rad_check_password: Found Auth-Type Pam
auth: type "PAM"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_pam: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "pam" returns invalid for request 3
modcall: group authenticate returns invalid for request 3
auth: Failed to validate the user.
Login incorrect: [aelias@intranet.ufba.br/<no User-Password attribute>] (from client private-network-2 port 5060)
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 105 to 10.2.1.76:32783
Sorry for my poor English. :-)
Thanks.
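The Digest-Attributes values in the debug output above are the sub-attributes of an HTTP/SIP Digest challenge response (type byte, length byte including the header, then data), so the NAS is sending a Digest-Response, not a clear-text User-Password. The following is an added example, not code from the original post or from FreeRADIUS: it decodes those five values as copied from the log, and implements the RFC 2617 request-digest so the server side of the check is visible. The sub-attribute names follow the Digest-Attributes encoding (Realm=1, Nonce=2, Method=3, URI=4, Qop=5, Username=10); the password used in the usage call at the bottom is hypothetical, since the real one is not on the page, and the RFC 2617 test vector in the comments is used only to show the computation is correct.

```python
"""Decode RADIUS Digest-Attributes sub-TLVs and compute an RFC 2617
Digest response. Added example; not part of the original post."""
import hashlib

# Sub-attribute type codes used inside Digest-Attributes.
SUBTYPES = {
    1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "Qop",
    6: "Algorithm", 7: "Body-Digest", 8: "CNonce", 9: "Nonce-Count",
    10: "Username",
}


def decode_digest_attributes(blobs):
    """blobs: iterable of hex strings (with or without a 0x prefix), one per
    Digest-Attributes occurrence. Each holds one or more sub-attributes
    laid out as type(1) length(1, counting the 2 header bytes) data.
    Returns a dict mapping sub-attribute name to its string value."""
    out = {}
    for blob in blobs:
        raw = bytes.fromhex(blob[2:] if blob.lower().startswith("0x") else blob)
        i = 0
        while i < len(raw):
            if len(raw) - i < 2:
                raise ValueError("truncated sub-attribute header")
            t, n = raw[i], raw[i + 1]
            if n < 2 or i + n > len(raw):
                raise ValueError(f"bad length {n} for subtype {t}")
            name = SUBTYPES.get(t, f"Unknown-{t}")
            out[name] = raw[i + 2:i + n].decode("utf-8", "replace")
            i += n
    return out


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest with MD5. The verifier needs the clear-text
    password (or the stored HA1 hash); a one-way password check such as
    PAM cannot produce it."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{username}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    if qop:
        return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    # No qop sub-attribute (as in the log above): RFC 2069 form.
    return md5(f"{ha1}:{nonce}:{ha2}")


# The five Digest-Attributes values copied from the debug output above.
LOG_DIGEST_ATTRIBUTES = [
    "0x0a0861656c696173",
    "0x0112696e7472616e65742e756662612e6272",
    "0x022a34373032353266383139316339313161353365313735363334656362333434336638363931303665",
    "0x04167369703a696e7472616e65742e756662612e6272",
    "0x030a5245474953544552",
]


def log_digest_fields():
    """Decoded view of the Digest-Attributes from the post's debug output."""
    return decode_digest_attributes(LOG_DIGEST_ATTRIBUTES)


def check_response(fields, password, response):
    """True if `response` equals the digest computed from the decoded
    sub-attributes and the clear-text `password`."""
    return digest_response(fields["Username"], fields["Realm"], password,
                           fields["Method"], fields["URI"], fields["Nonce"],
                           fields.get("Qop"), fields.get("Nonce-Count"),
                           fields.get("CNonce")) == response


if __name__ == "__main__":
    fields = log_digest_fields()
    for k, v in fields.items():
        print(f"{k:12s} = {v}")
    # Hypothetical password: the real one is not on the page, so this
    # comparison against the logged Digest-Response is expected to fail.
    print(check_response(fields, "hypothetical-password",
                         "598d24b186f652a28feced8e51f92880"))
```

Decoding shows Username=aelias, Realm=intranet.ufba.br, Method=REGISTER, URI=sip:intranet.ufba.br and a 40-character Nonce, with no Qop. Because the only secret material in the request is the MD5 digest, any backend that can only answer "is this password correct?" (PAM, or an LDAP bind) cannot verify it; the RADIUS server has to hold the clear-text password or the precomputed HA1 for the realm.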