Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]

David W Bell david at chaoscrypt.com
Wed Feb 13 11:06:16 CET 2008


Ranner, Frank MR wrote:
> UNCLASSIFIED
>
>   
>> Config as requested - I did uncomment and configure the identity section
>> - is this not required?
>>
>>         ldap {
>>                 #
>>                 #  Note that this needs to match the name in the LDAP
>>                 #  server certificate, if you're using ldaps.
>>                 server = "localhost"
>>                 identity = "cn=Administrator,dc=dxi,dc=net"
>>                 password = trPic4n03
>>                 basedn = "dc=dxi,dc=net"
>>                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>>                 #base_filter = "(objectclass=radiusprofile)"
>>
>>                 #  How many connections to keep open to the LDAP server.
>>                 #  This saves time over opening a new LDAP socket for
>>                 #  every authentication request.
>>                 ldap_connections_number = 5
>>
>>                 # seconds to wait for LDAP query to finish. default: 20
>>                 timeout = 4
>>
>>                 #  seconds LDAP server has to process the query (server-side
>>                 #  time limit). default: 20
>>                 #
>>                 #  LDAP_OPT_TIMELIMIT is set to this value.
>>                 timelimit = 3
>>
>>                 #
>>                 #  seconds to wait for response of the server. (network
>>                 #   failures) default: 10
>>                 #
>>                 #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
>>                 net_timeout = 1
>>                 tls {
>>                         # Set this to 'yes' to use TLS encrypted connections
>>                         # to the LDAP database by using the StartTLS extended
>>                         # operation.
>>                         #
>>                         # The StartTLS operation is supposed to be
>>                         # used with normal ldap connections instead of
>>                         # using ldaps (port 689) connections
>>                         start_tls = no
>>
>>                         # cacertfile    = /path/to/cacert.pem
>>                         # cacertdir             = /path/to/ca/dir/
>>                         # certfile              = /path/to/radius.crt
>>                         # keyfile               = /path/to/radius.key
>>                         # randfile              = /path/to/rnd
>>
>>                         #  Certificate Verification requirements.  Can be:
>>                         #    "never" (don't even bother trying)
>>                         #    "allow" (try, but don't fail if the certificate
>>                         #               can't be verified)
>>                         #    "demand" (fail if the certificate doesn't verify.)
>>                         #
>>                         #       The default is "allow"
>>                         # require_cert  = "demand"
>>                 }
>>
>>                 # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>>                 # profile_attribute = "radiusProfileDn"
>>                 # access_attr = "dialupAccess"
>>
>>                 # Mapping of RADIUS dictionary attributes to LDAP
>>                 # directory attributes.
>>                 dictionary_mapping = ${confdir}/ldap.attrmap
>>
>>                 #  Set password_attribute = nspmPassword to get the
>>                 #  user's password from a Novell eDirectory
>>                 #  backend. This will work ONLY IF FreeRADIUS has been
>>                 #  built with the --with-edir configure option.
>>                 #
>>                 # password_attribute = userPassword
Thanks for the tip - tried it and it didn't work

Worth a try tho - so thanks

David

rlm_ldap: - authorize
rlm_ldap: performing user authorization for belld
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
        expand: dc=dxi,dc=net -> dc=dxi,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user belld authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "p455w0rd"
rlm_pap: Using clear text password "{crypt}e/2iGeomYrGLo"
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [belld/p455w0rd] (from client 212.95.252.25 port 0)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> belld
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 17 to 212.95.252.25 port 32116
Waking up in 4.9 seconds.
Cleaning up request 0 ID 17 with timestamp +3
Ready to process requests.
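An added illustration of what the debug output above shows (example code, not from the post or from FreeRADIUS): rlm_ldap handed rlm_pap the stored value `{crypt}e/2iGeomYrGLo`, and rlm_pap compared it as a cleartext "known good" password, so the literal hash string was checked against `p455w0rd` and could never match. The snippet parses the RFC 2307 style `{scheme}` header and verifies with the matching algorithm instead; the `{SSHA}` value it checks is constructed inline.

```python
import base64
import hashlib
import os

# Values taken from the radiusd -X output above: the stored credential is a
# traditional crypt(3) hash with a {crypt} header, the supplied password is cleartext.
STORED_CRYPT = "{crypt}e/2iGeomYrGLo"
SUPPLIED = "p455w0rd"


def naive_compare(stored, supplied):
    """What a cleartext check does when handed a hashed value: always False."""
    return stored == supplied


def scheme_of(stored):
    """Return the lower-cased {scheme} prefix of an LDAP userPassword, or 'cleartext'."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].lower()
    return "cleartext"


def verify(stored, supplied):
    """Header-aware check: pick the algorithm from the prefix, never string-compare a hash."""
    scheme = scheme_of(stored)
    if scheme == "cleartext":
        return stored == supplied
    body = stored[stored.index("}") + 1:]
    if scheme == "crypt":
        try:
            import crypt  # stdlib module; removed in Python 3.13, so it may be absent
        except ImportError:
            raise ValueError("{crypt} verification needs the crypt module")
        return crypt.crypt(supplied, body) == body  # crypt(3) reads the salt from the hash
    if scheme == "ssha":
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]  # SSHA = sha1(password + salt) || salt
        return hashlib.sha1(supplied.encode() + salt).digest() == digest
    if scheme == "sha":
        return hashlib.sha1(supplied.encode()).digest() == base64.b64decode(body)
    raise ValueError(f"unsupported password scheme: {scheme}")


def make_ssha(password, salt=None):
    """Build a constructed {SSHA} value so the example can be run offline."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()
```

In FreeRADIUS 2.x this dispatch is what the pap module's `auto_header` setting (or mapping userPassword to Crypt-Password in ldap.attrmap) does; without it the hash is treated as the cleartext password and every PAP login is rejected.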