compare check items in LDAP - pairs do not match

mel mel at hackinthebox.org
Mon Apr 7 06:36:29 CEST 2008


Hi,

When I set compare_check_items in modules { ldap {} }, I'm getting the 
errors below:

rad_recv: Access-Request packet from host 127.0.0.1 port 58575, id=39, length=96
	User-Name = "user10"
	User-Password = "abc123"
	Calling-Station-Id = "00:18:DE:28:7C:7C"
	Message-Authenticator = 0xcfe57cf5ca3366338fd35142085e45b8
	EAP-Message = 0x02d2000b01757365723130
+- entering group authorize
++[preprocess] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user10
	expand: (uid=%u) -> (uid=user10)
	expand: dc=iiu,dc=edu,dc=my -> dc=iiu,dc=edu,dc=my
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iiu,dc=edu,dc=my, with filter (uid=user10)
rlm_ldap: checking if remote access for user10 is allowed by radiusFilterId
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute macAddress as RADIUS attribute Calling-Station-Id == "00:18:DE:28:7C:7C"
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "{sha}Y2fEjdGT1W6nsLqtJbGUVeUp9e4="
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = "1"
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns reject
Invalid user (rlm_ldap: Pairs do not match): [user10/abc123] (from client localhost port 0 cli 00:18:DE:28:7C:7C)
   Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> user10
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 39 to 127.0.0.1 port 58575
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 39 with timestamp +42
Ready to process requests.

In ldap.attr, Calling-Station-Id is mapped to macAddress. In modules 
checkval, item-name is Calling-Station-Id, while check-name is 
macAddress. The macAddress is stored using ":" as the delimiter in OpenLDAP.

What I was tasked to do is to authorize the user based on the password 
and macAddress pair.

Prior to this, I've been able to do the following successfully:

- basic LDAP authentication with username/password stored in LDAP
- EAP-TTLS with username/password stored in LDAP
- EAP-GTC with username/password stored in LDAP
- PAP with username/password stored in LDAP

These have been tested locally (using radtest and radeapclient) and also 
via a NAS.

Regards,

--mel
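The debug output above lists two check items pulled from LDAP (macAddress and userPassword, mapped through ldap.attr) and then reports "Pairs do not match". The script below is an added example, not code from the post or from FreeRADIUS: it parses those rlm_ldap debug lines, models compare_check_items as a plain string comparison of each check item against the request pair of the same name (an assumption, a simplified stand-in for the module's own pair comparison), and reports which pair fails and why. The helper names (parse_items, looks_hashed, compare_check_items), the constructed DEBUG_LOG with the mail-wrapped lines re-joined, and the REQUEST_PAIRS dict copied from the Access-Request at the top of the post are all this example's own.

```python
import re

# Constructed excerpt of the rlm_ldap debug lines quoted in the post, with the
# mail-wrapped lines re-joined so each check/reply item sits on one line.
DEBUG_LOG = """\
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute macAddress as RADIUS attribute Calling-Station-Id == "00:18:DE:28:7C:7C"
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "{sha}Y2fEjdGT1W6nsLqtJbGUVeUp9e4="
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusFilterId as RADIUS attribute Filter-Id = "1"
"""

# Constructed request pairs, copied from the Access-Request shown in the post.
REQUEST_PAIRS = {
    "User-Name": "user10",
    "User-Password": "abc123",
    "Calling-Station-Id": "00:18:DE:28:7C:7C",
}

# Matches one "LDAP attribute X as RADIUS attribute Y <op> "value"" debug line.
# '==' marks a check item, '=' marks a reply item.
ITEM_RE = re.compile(
    r'rlm_ldap: LDAP attribute (?P<ldap>\S+) as RADIUS attribute '
    r'(?P<radius>\S+) (?P<op>==|=) "(?P<value>[^"]*)"'
)


def parse_items(log):
    """Split the debug output into check items ('==') and reply items ('=').

    Returns (check_items, reply_items); each entry is (ldap_attr, radius_attr, value).
    """
    check, reply = [], []
    for line in log.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue
        entry = (m["ldap"], m["radius"], m["value"])
        (check if m["op"] == "==" else reply).append(entry)
    return check, reply


def looks_hashed(value):
    """True for RFC 2307 style userPassword values such as {sha}..., {ssha}..., {crypt}...

    Assumption: a leading '{scheme}' prefix marks a stored hash, never a cleartext password.
    """
    return re.match(r"\{[A-Za-z0-9-]+\}", value) is not None


def compare_check_items(check_items, request):
    """Simplified model (assumption) of compare_check_items: every check item must be
    byte-for-byte equal to the request pair of the same name.

    Returns the mismatches as (radius_attr, expected_from_ldap, got_from_request, reason).
    """
    mismatches = []
    for _ldap_attr, radius_attr, expected in check_items:
        got = request.get(radius_attr)
        if got == expected:
            continue
        if got is None:
            reason = "attribute absent from request"
        elif looks_hashed(expected) and not looks_hashed(got):
            reason = "stored hash compared against cleartext; plain comparison can never be equal"
        else:
            reason = "values differ"
        mismatches.append((radius_attr, expected, got, reason))
    return mismatches


def main():
    check, _reply = parse_items(DEBUG_LOG)
    result = compare_check_items(check, REQUEST_PAIRS)
    for attr, expected, got, why in result:
        print(f"{attr}: ldap={expected!r} request={got!r} -> {why}")
    print("Pairs do not match. Rejecting user." if result else "Pairs match.")


if __name__ == "__main__":
    main()
```

Run against the pairs from the post, the model reproduces the reject: the Calling-Station-Id / macAddress pair compares equal (both use the ":" delimiter), and the only mismatch is User-Password, where a "{sha}..." value from the directory is being compared with the cleartext password from the request. The per-pair output is the check a practitioner would want to read before changing ldap.attr or the checkval configuration.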