802.1x, EAP and LDAP
Danner, Mearl
jmdanner at samford.edu
Tue Mar 4 15:10:36 CET 2008
The binddn configured in freeradius needs to have admin privileges to
extract a password. It then binds with the userdn and extracted
password. That gets a positive authentication. You also need radius-
specific LDAP attributes to pass the authorization phase.
We used the freeradius/eDirectory integration for over a year
successfully.
Download instructions from the document:
How to integrate freeradius and eDirectory
http://www.novell.com/coolsolutions/appnote/16745.html
-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org
[mailto:freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Tuesday, March 04, 2008 5:19 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: 802.1x, EAP and LDAP
Mike Richardson wrote:
> On Tue, Mar 04, 2008 at 10:35:29AM +0000, Phil Mayers wrote:
>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>> modcall[authorize]: module "ldap" returns ok for request 0
>>> rlm_pap: WARNING! No "known good" password found for the user.
>>> Authentication may fail because of this.
>>> modcall[authorize]: module "pap" returns noop for request 0
>> The ldap module didn't find a password for the user, thus the PAP module
>> couldn't authenticate the user.
>>
>> I don't know enough about eDirectory to help much more; I can say that a
>> "normal" LDAP server might contain entries of the form:
>>
>> dn: cn=user,ou=....
>> cn: user
>> objectClass: top
>> objectClass: person
>> userPassword: {CRYPT}xxxxxxxx
>>
>> ...or similar, and the ldap module is smart enough to figure it out.
>>
>> As Ivan has pointed out, I suspect this line higher up is the issue:
>>
>>> rlm_ldap: No default NMAS login sequence
>> A quick read through the source code indicates the mysterious NMAS is
>> novell universal auth / password / blah.
>
> How does the PAP module attempt to do the authentication? Does it do an
> authenticated bind as the user or does it get the password variable and
> compare it to something stored?
The latter.
Basically rlm_pap takes the User-Password in the request, and compares
it against "the correct" password for the user.
The ldap module is expected to have extracted the password from LDAP
(see below).
There is another mode where PAP requests can be authenticated by
rlm_ldap, using simple bind against the LDAP server - that's the

    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }

...stuff, but you should avoid doing that if at all possible. In
particular it won't support PEAP/MS-CHAP, the only really useful EAP
type supported by the windows XP/vista 802.1x supplicants.
>
> I've tried it against openldap with the same result but I've not spent much
> time on the openldap config. I have to get this working with eDirectory
> unfortunately...
I don't know specifically what the NMAS nonsense is, but a glance at the
rlm_ldap source code indicates it's a Novell-proprietary LDAP extension
which the LDAP client (in this case, FreeRadius) has to call to get at
the plaintext password for the user.
In all probability your Novell administrators need to grant some extra
permissions to the "binddn" so that it can do this - it's (obviously) a
privileged operation.
Moving to OpenLDAP won't help - it doesn't support NMAS at all (I
assume) so you'll just be trying to run operations against the LDAP
server it doesn't support, and if you need to eventually get it working
against Novell it's not time well spent anyway.
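As an added illustration (not part of the thread or of FreeRADIUS itself) of the first mode described above, the snippet below models rlm_pap's "known good" comparison against a password that rlm_ldap has already fetched: the directory entries, the hash schemes handled and the helper names are all constructed for the example, and an entry whose userPassword the binddn could not read yields the same "noop" outcome as the warning in the debug output.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Added example, not FreeRADIUS code: models rlm_pap comparing the
# User-Password in the request with the password rlm_ldap extracted.

def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password+salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def pap_compare(user_password: str, known_good: Optional[str]) -> str:
    """Return 'ok', 'reject' or 'noop' the way rlm_pap would."""
    if known_good is None:
        # rlm_pap: WARNING! No "known good" password found for the user.
        return "noop"
    pw = user_password.encode()
    if known_good.startswith("{SSHA}"):
        blob = base64.b64decode(known_good[len("{SSHA}"):])
        digest, salt = blob[:20], blob[20:]          # sha1 digest is 20 bytes
        calc = hashlib.sha1(pw + salt).digest()
        return "ok" if hmac.compare_digest(calc, digest) else "reject"
    if known_good.startswith("{SHA}"):
        digest = base64.b64decode(known_good[len("{SHA}"):])
        calc = hashlib.sha1(pw).digest()
        return "ok" if hmac.compare_digest(calc, digest) else "reject"
    if known_good.startswith("{CLEAR}"):
        known_good = known_good[len("{CLEAR}"):]
    if known_good.startswith("{"):
        return "noop"   # scheme this example does not implement, e.g. {CRYPT}
    return "ok" if hmac.compare_digest(pw, known_good.encode()) else "reject"

# Constructed directory. 'carol' stands for an eDirectory user whose
# password the binddn is not allowed to extract: no known-good value at all.
DIRECTORY = {
    "alice": {"userPassword": make_ssha("s3cret", b"salty12")},
    "bob":   {"userPassword": "{CLEAR}hunter2"},
    "carol": {},
}

def authenticate(user: str, user_password: str, directory=DIRECTORY) -> str:
    """authorize (fetch entry) followed by the rlm_pap comparison."""
    entry = directory.get(user)
    if entry is None:
        return "reject"
    return pap_compare(user_password, entry.get("userPassword"))
```

Only a cleartext User-Password (PAP) can be checked this way; a challenge-response method such as MS-CHAPv2 never puts the password in the request, which is why the bind-based Auth-Type LDAP mode cannot serve PEAP/MS-CHAP.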