[Fwd: LDAP CHAP born again]
Ryan Setiawan H
ryan.setiawan at banknisp.com
Wed Jul 2 14:48:59 CEST 2008
Alan DeKok wrote:
>>> Try installing 2.0.5 in a separate directory and configuring it. Odds
>>> are it will work.
>>
>> In time I will try to install it, but if I can't make this (LDAP CHAP)
>> clear... definitely I will encounter the same problem again :)
>
> 2.0.5 has many, many fixes that aren't in 1.1.7. Some things that are
> difficult to impossible in 1.1.7 are easy in 2.0.5.
>
> Alan DeKok.
Right now I have already installed 2.0.3, because the dependency is just like 1.1.7 :D
Wow, a lot of changes I see ... but here we go, the debug:
User-Name = "testing"
CHAP-Password = 0xee8f74f97f724f06e54a9862f98ccef299
+- entering group authorize
++[preprocess] returns ok
rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
expand: (uid=%u) -> (uid=testing)
expand: ou=dialup,dc=zzz,dc=com -> ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.11.17:389, authentication 0
rlm_ldap: bind as memberUid=radius,ou=admin,dc=zzz,dc=com/radiusjuga to 192.168.11.17:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
rlm_ldap: Password header not found in password Testing10 for user testing
rlm_ldap: Added User-Password = Testing10 in check items
------cut------
Added User-Password = Testing10 in check items .... this is the difference in the debug output compared to 1.1.7
------cut------
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "CHAP"
+- entering group CHAP
rlm_chap: login attempt by "testing" with CHAP password
rlm_chap: Using clear text password "Testing10" for user testing authentication.
rlm_chap: chap user testing authenticated succesfully
++[chap] returns ok
Login OK: [testing/<CHAP-Password>] (from client local port 0)
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
It just works :D Thanks, Alan.
However, there is this strange string: "Please update your configuration so that the "known good" clear text password is in Cleartext-Password, and not in User-Password."
After digging through freeradius.org, I see people also have this minor problem, and in a mail you say to change the attribute userpassword to cleartext-password.
But in OpenLDAP schema v3 there isn't any attribute called cleartext-password...
Is there any explanation for this ... anyone, if you don't mind :). Still digging in the OpenLDAP forum :)
Thanks
Ryan Setiawan H
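Added example (not part of the original post and not FreeRADIUS code): a sketch of why the CHAP check in the debug output needs the "known good" clear text password that rlm_ldap pulled from the directory. The 17-octet CHAP-Password is an identifier followed by MD5(identifier || password || challenge), so a hashed directory value cannot be used. The function names, the {scheme} prefix handling, the challenge and the {SSHA} value are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Scheme prefixes treated as "still clear text" (assumption for this sketch).
CLEAR_SCHEMES = {"clear", "cleartext"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def cleartext_from_ldap(stored: str):
    """Return the clear-text password, or None if the value is hashed."""
    m = SCHEME_RE.match(stored)
    if m is None:
        return stored                      # no {scheme} header: plain value
    scheme, rest = m.group(1).lower(), m.group(2)
    return rest if scheme in CLEAR_SCHEMES else None


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_chap(chap_password: bytes, challenge: bytes, stored: str) -> str:
    """Check a 17-octet CHAP-Password (RFC 2865) against an LDAP value."""
    if len(chap_password) != 17:
        return "malformed"
    known_good = cleartext_from_ldap(stored)
    if known_good is None:
        return "no-cleartext"              # a hash cannot be fed into the MD5
    expected = chap_response(chap_password[0], known_good, challenge)
    ok = hmac.compare_digest(expected, chap_password[1:])
    return "accept" if ok else "reject"


# Constructed request: the challenge is random, not taken from the log above.
challenge = os.urandom(16)
ident = 0xEE
request = bytes([ident]) + chap_response(ident, "Testing10", challenge)

if __name__ == "__main__":
    # "{SSHA}c2FtcGxl" is a constructed placeholder, not a real hash.
    for stored in ("Testing10", "{clear}Testing10", "{SSHA}c2FtcGxl", "wrong"):
        print(f"{stored!r:22} -> {verify_chap(request, challenge, stored)}")
```
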