Freeradius with OpenLDAP (Suse Enterprise 10) [SEC=UNCLASSIFIED]
David W Bell
david at chaoscrypt.com
Wed Feb 13 18:07:06 CET 2008
David W Bell wrote:
> David W Bell wrote:
>> Ranner, Frank MR wrote:
>>> UNCLASSIFIED
>>>
>>>
>>>> Config as requested - I did uncomment and configure the identity
>>>> section - is this not required?
>>>>
>>>> ldap {
>>>>         #
>>>>         # Note that this needs to match the name in the LDAP
>>>>         # server certificate, if you're using ldaps.
>>>>         server = "localhost"
>>>>         identity = "cn=Administrator,dc=dxi,dc=net"
>>>>         password = trPic4n03
>>>>         basedn = "dc=dxi,dc=net"
>>>>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>>>>         #base_filter = "(objectclass=radiusprofile)"
>>>>
>>>>         # How many connections to keep open to the LDAP server.
>>>>         # This saves time over opening a new LDAP socket for
>>>>         # every authentication request.
>>>>         ldap_connections_number = 5
>>>>
>>>>         # seconds to wait for LDAP query to finish. default: 20
>>>>         timeout = 4
>>>>
>>>>         # seconds LDAP server has to process the query (server-side
>>>>         # time limit). default: 20
>>>>         #
>>>>         # LDAP_OPT_TIMELIMIT is set to this value.
>>>>         timelimit = 3
>>>>
>>>>         #
>>>>         # seconds to wait for response of the server. (network
>>>>         # failures) default: 10
>>>>         #
>>>>         # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
>>>>         net_timeout = 1
>>>>         tls {
>>>>                 # Set this to 'yes' to use TLS encrypted connections
>>>>                 # to the LDAP database by using the StartTLS extended
>>>>                 # operation.
>>>>                 #
>>>>                 # The StartTLS operation is supposed to be
>>>>                 # used with normal ldap connections instead of
>>>>                 # using ldaps (port 689) connections
>>>>                 start_tls = no
>>>>
>>>>                 # cacertfile = /path/to/cacert.pem
>>>>                 # cacertdir = /path/to/ca/dir/
>>>>                 # certfile = /path/to/radius.crt
>>>>                 # keyfile = /path/to/radius.key
>>>>                 # randfile = /path/to/rnd
>>>>
>>>>                 # Certificate Verification requirements. Can be:
>>>>                 # "never" (don't even bother trying)
>>>>                 # "allow" (try, but don't fail if the certificate
>>>>                 # can't be verified)
>>>>                 # "demand" (fail if the certificate doesn't verify.)
>>>>                 #
>>>>                 # The default is "allow"
>>>>                 # require_cert = "demand"
>>>>         }
>>>>
>>>>         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>>>>         # profile_attribute = "radiusProfileDn"
>>>>         # access_attr = "dialupAccess"
>>>>
>>>>         # Mapping of RADIUS dictionary attributes to LDAP
>>>>         # directory attributes.
>>>>         dictionary_mapping = ${confdir}/ldap.attrmap
>>>>
>>>>         # Set password_attribute = nspmPassword to get the
>>>>         # user's password from a Novell eDirectory
>>>>         # backend. This will work ONLY IF FreeRADIUS has been
>>>>         # built with the --with-edir configure option.
>>>>         #
>>>>         # password_attribute = userPassword
>>>>
>> Thanks for the tip - tried it and it didn't work
>>
>> Worth a try tho - so thanks
>>
>> David
>>
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for belld
>> WARNING: Deprecated conditional expansion ":-". See "man unlang" for
>> details
>> expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=belld)
>> expand: dc=dxi,dc=net -> dc=dxi,dc=net
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to localhost:389, authentication 0
>> rlm_ldap: bind as cn=Administrator,dc=dxi,dc=net/trPic4n03 to
>> localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in dc=dxi,dc=net, with filter (uid=belld)
>> rlm_ldap: Added User-Password = {crypt}e/2iGeomYrGLo in check items
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user belld authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> ++[pap] returns updated
>> rad_check_password: Found Auth-Type
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>
>> !!! Replacing User-Password in config items with
>> Cleartext-Password. !!!
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>
>> !!! Please update your configuration so that the "known
>> good" !!!
>> !!! clear text password is in Cleartext-Password, and not in
>> User-Password. !!!
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>
>> auth: type "PAP"
>> +- entering group PAP
>> rlm_pap: login attempt with password "p455w0rd"
>> rlm_pap: Using clear text password "{crypt}e/2iGeomYrGLo"
>> rlm_pap: Passwords don't match
>> ++[pap] returns reject
>> auth: Failed to validate the user.
>> Login incorrect (rlm_pap: CLEAR TEXT password check failed):
>> [belld/p455w0rd] (from client 212.95.252.25 port 0)
>> Found Post-Auth-Type Reject
>> +- entering group REJECT
>> expand: %{User-Name} -> belld
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>> Going to the next request
>> Waking up in 0.9 seconds.
>> Sending delayed reject for request 0
>> Sending Access-Reject of id 17 to 212.95.252.25 port 32116
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 17 with timestamp +3
>> Ready to process requests.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
> Looking at this it seems that the LDAP record is holding the password
> with a certain encryption and that Radius needs to be told to encrypt
> the password it has passed to it in that format.
>
> Anyone know what the LDAP encryption would be, and how to influence
> RADIUS's treatment of the password?
>
> David
>
>
Now fixed.
All I had to do in the end was add the line for "userPassword" and then
change this from no to yes
pap {
        auto_header = yes
}
in my radiusd.conf file which allows radius to work out how to encrypt
the password - in this case I *THINK* against a /etc/shadow format hash
david at belld-ubuntu:~$ radtest belld p455w0rd 212.95.255.242 10 testing
Sending Access-Request of id 129 to 212.95.255.242 port 1812
User-Name = "belld"
User-Password = "p455w0rd"
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host 212.95.255.242:1812, id=129,
length=20
Thanks for everyone's help in this
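The thread ends with the fix but not with why it works, so here is an added example (my own code, not FreeRADIUS's rlm_pap and not anything David posted) that models what `auto_header = yes` changes. The LDAP module copies the directory's userPassword value, `{crypt}e/2iGeomYrGLo` in the log above, into the check items. With `auto_header = no`, rlm_pap takes that string literally as the "known good" clear-text password and compares it with what the user typed, which can never match. With `auto_header = yes`, it looks at the `{scheme}` header, hashes the supplied password the same way, and compares the results. The scheme names are the usual RFC 2307 style headers ({clear}, {SHA}, {SSHA}, {MD5}, {SMD5}, {crypt}); the function names and the sample passwords are this example's own, and the `{crypt}` branch depends on the platform's crypt(3) (the Python `crypt` module is Unix-only and was removed from the standard library in 3.13).

```python
"""Model of what rlm_pap's auto_header does with a userPassword value
pulled from LDAP. Added example, not FreeRADIUS code. Function names and
sample data are constructed for this illustration."""
import base64
import hashlib
import hmac
import os

try:
    import crypt  # Unix-only; removed from the stdlib in Python 3.13
except ImportError:
    crypt = None


def split_header(stored: str):
    """Return (scheme, payload) for a '{scheme}payload' string.
    A value with no header is treated as clear text, which is also how
    rlm_pap treats everything when auto_header = no."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].lower(), stored[end + 1:]
    return "clear", stored


def make_hash(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a headered hash in the given scheme. Used here only to
    construct sample directory data; in production OpenLDAP stores these."""
    pw = password.encode()
    if scheme == "sha":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "ssha":
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    if scheme == "md5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if scheme == "smd5":
        digest = hashlib.md5(pw + salt).digest()
        return "{SMD5}" + base64.b64encode(digest + salt).decode()
    if scheme == "clear":
        return "{clear}" + password
    raise ValueError(f"unsupported scheme {scheme!r}")


def verify_password(supplied: str, stored: str, auto_header: bool = True) -> bool:
    """Compare the clear-text password from the Access-Request with the
    value the LDAP module placed in the check items.

    auto_header=False reproduces the failure in the thread: the stored
    value is taken literally as the clear-text 'known good' password, so a
    '{crypt}...' string never equals what the user typed."""
    if not auto_header:
        return hmac.compare_digest(supplied.encode(), stored.encode())

    scheme, payload = split_header(stored)
    pw = supplied.encode()

    if scheme == "clear":
        return hmac.compare_digest(pw, payload.encode())
    if scheme == "sha":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(payload))
    if scheme == "md5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), base64.b64decode(payload))
    if scheme in ("ssha", "smd5"):
        # Salted variants: base64(digest || salt); digest length fixes the split
        raw = base64.b64decode(payload)
        digest_len = 20 if scheme == "ssha" else 16
        digest, salt = raw[:digest_len], raw[digest_len:]
        algo = hashlib.sha1 if scheme == "ssha" else hashlib.md5
        return hmac.compare_digest(algo(pw + salt).digest(), digest)
    if scheme == "crypt":
        # Unix crypt(3): the stored value doubles as the salt argument
        if crypt is None:
            raise RuntimeError("crypt(3) is not available on this platform")
        result = crypt.crypt(supplied, payload)
        return result is not None and hmac.compare_digest(result, payload)
    raise ValueError(f"unknown password header {scheme!r}")


if __name__ == "__main__":
    # Constructed sample of what an OpenLDAP userPassword attribute might hold
    stored = make_hash("ssha", "p455w0rd", salt=os.urandom(4))
    print("auto_header = no :", verify_password("p455w0rd", stored, auto_header=False))
    print("auto_header = yes:", verify_password("p455w0rd", stored))
```

Running the script shows the two outcomes from the thread side by side: the same stored hash rejects the correct password when it is compared as clear text and accepts it once the header is honoured. Constant-time comparison (`hmac.compare_digest`) is used throughout so that the check itself does not leak how many leading bytes of the digest matched.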