802.1x, EAP and LDAP
Phil Mayers
p.mayers at imperial.ac.uk
Tue Mar 4 12:18:49 CET 2008
Mike Richardson wrote:
> On Tue, Mar 04, 2008 at 10:35:29AM +0000, Phil Mayers wrote:
>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>> modcall[authorize]: module "ldap" returns ok for request 0
>>> rlm_pap: WARNING! No "known good" password found for the user.
>>> Authentication may fail because of this.
>>> modcall[authorize]: module "pap" returns noop for request 0
>> The ldap module didn't find a password for the user, thus the PAP module
>> couldn't authenticate the user.
>>
>> I don't know enough about eDirectory to help much more; I can say that a
>> "normal" LDAP server might contain entries of the form:
>>
>> dn: cn=user,ou=....
>> cn: user
>> objectClass: top
>> objectClass: person
>> userPassword: {CRYPT}xxxxxxxx
>>
>> ...or similar, and the ldap module is smart enough to figure it out.
>>
>> As Ivan has pointed out, I suspect this line higher up is the issue:
>>
>>> rlm_ldap: No default NMAS login sequence
>> A quick read through the source code indicates the mysterious NMAS is
>> novell universal auth / password / blah.
>
> How does the PAP module attempt to do the authentication? Does it do an
> authenticated bind as the user or does it get the password variable and
> compare it to something stored?
The latter.
Basically rlm_pap takes the User-Password in the request, and compares
it against "the correct" password for the user.
The ldap module is expected to have extracted the password from LDAP
(see below).
There is another mode where PAP requests can be authenticated by
rlm_ldap, using simple bind against the LDAP server - that's the
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }
...stuff, but you should avoid doing that if at all possible. In
particular it won't support PEAP/MS-CHAP, the only really useful EAP
type supported by the Windows XP/Vista 802.1x supplicants.
>
> I've tried it against openldap with the same result but I've not spent much
> time on the openldap config. I have to get this working with eDirectory
> unfortunately...
I don't know specifically what the NMAS nonsense is, but a glance at the
rlm_ldap source code indicates it's a Novell-proprietary LDAP extension
which the LDAP client (in this case, FreeRadius) has to call to get at
the plaintext password for the user.
In all probability your Novell administrators need to grant some extra
permissions to the "binddn" so that it can do this - it's (obviously) a
privileged operation.
Moving to OpenLDAP won't help - it doesn't support NMAS at all (I
assume) so you'll just be trying to run operations against the LDAP
server it doesn't support, and if you need to eventually get it working
against Novell it's not time well spent anyway.
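As an added illustration (not FreeRADIUS code, and not from this thread): how a PAP-style "known good" password comparison works against the kind of userPassword values shown in the LDIF above. It handles cleartext, {CRYPT} (via the system crypt(3) where Python still ships it) and the RFC 2307 digest schemes; the scheme names and the sample entry values are my own constructions.

```python
import base64
import hashlib
import hmac

try:
    import crypt  # crypt(3) wrapper: deprecated in Python 3.11, removed in 3.13
except ImportError:
    crypt = None

# RFC 2307 style digest schemes: payload is base64(digest || salt), salt may be empty
DIGEST_SCHEMES = {"SHA": "sha1", "SSHA": "sha1", "MD5": "md5", "SMD5": "md5"}


def parse_userpassword(value: str) -> tuple:
    """Split an LDAP userPassword value into (SCHEME, payload).
    A value with no {SCHEME} prefix is treated as cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.upper(), payload
    return "CLEAR", value


def make_userpassword(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a digest-scheme userPassword value (used here only to construct
    sample directory entries; unsalted schemes take an empty salt)."""
    digest = hashlib.new(DIGEST_SCHEMES[scheme.upper()], password.encode() + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode())


def pap_check(presented: str, stored: str) -> bool:
    """PAP-style check: re-hash the User-Password from the request with the
    stored scheme and salt, then compare against the stored digest in
    constant time. A scheme this code cannot evaluate yields False, since
    there is then no usable 'known good' password to compare with."""
    scheme, payload = parse_userpassword(stored)
    if scheme == "CLEAR":
        return hmac.compare_digest(presented.encode(), payload.encode())
    if scheme == "CRYPT":
        if crypt is None:
            raise NotImplementedError("{CRYPT} values need the crypt(3) module")
        return hmac.compare_digest(crypt.crypt(presented, payload), payload)
    if scheme not in DIGEST_SCHEMES:
        return False
    raw = base64.b64decode(payload)
    size = hashlib.new(DIGEST_SCHEMES[scheme]).digest_size
    digest, salt = raw[:size], raw[size:]  # salted schemes append the salt
    candidate = hashlib.new(DIGEST_SCHEMES[scheme], presented.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

Note that MS-CHAP never sends the password itself, which is why a server that can only do a simple bind, or that holds only a one-way digest, cannot serve PEAP/MS-CHAP clients.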