Freeradius and OpenLDAP authentication with hashed passwords
mel
mel at hackinthebox.org
Tue Apr 1 04:17:51 CEST 2008
Alan DeKok wrote:
> password to the server. The server looks up the user in a database, and
> (perhaps) finds a SHA hashed password. The server then SHA hashes the
> password supplied by the client, and compares it to the SHA password
> from the database.
In that case, something is *really* wrong with my setup and I have no
idea why. I can only authenticate if the password in OpenLDAP is
cleartext, but never if it's hashed. Debug output, radiusd.conf (modules
ldap section) and sites-enabled/default follow.
### debug ###
rad_recv: Access-Request packet from host 127.0.0.1 port 62806, id=99, length=57
User-Name = "user1"
User-Password = "abc123"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user1
expand: (uid=%u) -> (uid=user1)
expand: dc=---,dc=edu,dc=my -> dc=---,dc=edu,dc=my
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=---,dc=edu,dc=my/### to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=---,dc=edu,dc=my, with filter (uid=user1)
rlm_ldap: checking if remote access for user1 is allowed by radiusFilterId
rlm_ldap: Added SHA1-Password = iEPX+SQWIR3p67lj/0zigSWTKHg= in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg="
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = "1 "
rlm_ldap: user user1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Login incorrect: [user1/abc123] (from client localhost port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> user1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 99 to 127.0.0.1 port 62806
Finished request 0.
### radiusd.conf ###
modules {
        pap {
                auto_header = yes
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
        }
        $INCLUDE eap.conf
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
        }
        ldap {
                server = "127.0.0.1"
                identity = "cn=Manager,dc=iiu,dc=edu,dc=my"
                password = alamak
                basedn = "dc=iiu,dc=edu,dc=my"
                base_filter = "(objectclass=radiusprofile)"
                access_attr = "radiusFilterId"
                authtype = ldap
                ldap_connections_number = 5
                timeout = 20
                timelimit = 15
                net_timeout = 10
                tls {
                }
                dictionary_mapping = ${confdir}/ldap.attrmap
                edir_account_policy_check = yes
                set_auth_type = yes
                auto_header = yes
                password_header = "{SHA}"
                password_attribute = userPassword
        }
### sites-enabled/default ###
authorize {
        preprocess
        ldap
        chap
        mschap
        suffix
        eap
#       files
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
}
accounting {
        detail
        unix
        radutmp
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
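The check Alan describes in the quoted text is what rlm_pap does once the LDAP hash lands in the check items with its header recognised (auto_header = yes): hash the PAP cleartext the same way and compare. The block below is an added example, not FreeRADIUS or OpenLDAP code; it builds and verifies OpenLDAP-style {SHA} and {SSHA} userPassword values and runs that check against the hash from the debug output above. Function and constant names are my own assumptions.

```python
import base64
import hashlib
import hmac
import os

# userPassword value shown in the rlm_ldap debug output above
# (the SHA1-Password check item with its "{SHA}" header kept).
STORED_FROM_DEBUG = "{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg="


def make_userpassword(cleartext, scheme="SSHA"):
    """Build an OpenLDAP userPassword value in the {SHA} or {SSHA} scheme."""
    raw = cleartext.encode("utf-8")
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(raw).digest()).decode()
    if scheme == "SSHA":
        salt = os.urandom(4)                      # OpenLDAP's default salt size
        digest = hashlib.sha1(raw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)


def check_userpassword(stored, supplied):
    """Return True if `supplied` is the cleartext behind `stored`.

    Mirrors what rlm_pap does with auto_header = yes: read the "{...}"
    header, base64-decode the body, hash the PAP cleartext the same way
    and compare digests. Nothing here needs the stored hash reversed.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False          # no header: rlm_pap would treat it as cleartext
    scheme, body = stored[1:].split("}", 1)
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return False
    raw = supplied.encode("utf-8")
    if scheme.upper() == "SHA":
        return hmac.compare_digest(blob, hashlib.sha1(raw).digest())
    if scheme.upper() == "SSHA":
        digest, salt = blob[:20], blob[20:]     # SHA-1 digest is 20 bytes
        return hmac.compare_digest(digest, hashlib.sha1(raw + salt).digest())
    return False              # {CRYPT}, {MD5}, ... not handled in this example


if __name__ == "__main__":
    # The debug output shows PAP password "abc123" failing against this entry.
    print(check_userpassword(STORED_FROM_DEBUG, "abc123"))            # False
    print(check_userpassword(make_userpassword("abc123"), "abc123"))  # True
```

Note that this check only works because PAP delivers the cleartext; with CHAP or MS-CHAP the server needs a cleartext (or NT-hash) password and a {SHA} entry cannot be used at all.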