[Fwd: LDAP CHAP born again]
Ryan Setiawan H
ryan.setiawan at banknisp.com
Tue Jul 1 08:19:39 CEST 2008
Hi all,
I've researched and googled about LDAP and CHAP :D, but until now
it still doesn't work ... here is the debug output, and btw I'm using freeradius-1.1.7_2:
rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30, length=48
User-Name = "testing"
CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f
------------cut--------------.
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
rlm_ldap: checking if remote access for testing is allowed by dialupAccess
rlm_ldap: Password header not found in password Testing1 for user testing
-----------cut---------------
* As you can see, the radius module rlm_ldap can "see" the password for
user testing; here is the next one
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '/' in User-Name = "testing", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "IPASS" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type CHAP
auth: type "CHAP"
Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
rlm_chap: login attempt by "testing" with CHAP password
rlm_chap: Could not find clear text password for user testing
modcall[authenticate]: module "chap" returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0
auth: Failed to validate the user.
----------------cut-------------
*This is a classic problem, but until now there hasn't been any straight answer
for this one.
Based on the FAQ at
http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F,
it is possible to use CHAP with an LDAP backend; there is also a clue
that parameters like
password_header = "{clear}"
password_attribute = userPassword
password_radius_attribute = "User-Password"
must be set.... but how?
I'm still trying to read the code (like rlm_chap.c) to see what
attribute rlm_chap reads for the password that was passed by the
ldap module, but it is so arcane, and "debugging code is twice as hard as
writing the code in the first place".
Does anyone have a solution for this matter?
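Added example, not part of the original post and not FreeRADIUS code: a Python model of the RFC 2865 CHAP check, showing why the server can only validate a CHAP-Password when the backend hands it the clear-text password. The challenge, salt and {SSHA} value are constructed, and `extract_cleartext` is a hypothetical model of a `password_header` check, assumed from the "Password header not found" and "Could not find clear text password" lines in the log above.

```python
import base64
import hashlib
import hmac

def chap_response(ident, password, challenge):
    """RFC 2865 CHAP-Password: ident byte + MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def extract_cleartext(stored, header):
    """Hypothetical model of a password_header check (assumed, not rlm_ldap code):
    return the text after the header, or None when a configured header is absent."""
    if not header:
        return stored
    return stored[len(header):] if stored.startswith(header) else None

def verify_chap(chap_password, challenge, cleartext):
    """Recompute the response from the clear-text password and compare."""
    if cleartext is None or len(chap_password) != 17:
        return False  # nothing to hash: the failure mode seen in the log
    expected = chap_response(chap_password[0], cleartext.encode(), challenge)
    return hmac.compare_digest(expected, chap_password)

def demo():
    challenge = bytes(range(16))  # constructed; the real challenge is not in the log
    wire = chap_response(0x30, b"Testing1", challenge)  # what the NAS would send
    salt = b"salt"  # constructed salt for a sample {SSHA} directory value
    ssha = "{SSHA}" + base64.b64encode(hashlib.sha1(b"Testing1" + salt).digest() + salt).decode()
    return {
        "header_missing": verify_chap(wire, challenge, extract_cleartext("Testing1", "{clear}")),
        "header_present": verify_chap(wire, challenge, extract_cleartext("{clear}Testing1", "{clear}")),
        "no_header_configured": verify_chap(wire, challenge, extract_cleartext("Testing1", "")),
        "hashed_value": verify_chap(wire, challenge, extract_cleartext(ssha, "")),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} {'accept' if ok else 'reject'}")
```

The `hashed_value` case is rejected because the MD5 is taken over the stored string itself, so a directory that keeps only a salted hash can never satisfy CHAP.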