yet ANOTHER EAP-TTLS/PAP with OpenLDAP problem ...

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Sat Mar 29 10:02:16 CET 2008


> 
>> ... So server translates User-Password to Cleartext-Password and the
>> check fails since the password is encrypted.
> 
> Understood, yes.

So at the moment the server is reading your password hash out of the 
LDAP directory and treating it as a plaintext password string. You can 
test this by providing the password hash as your password during PAP 
authentication.

I noticed from that sample hash that your passwords have the correct {SSHA} 
prefix, which means you should be able to use


ldap {
        auto_header = yes
}

And the server will automatically write the hash to the correct internal 
attribute. At least that's how it works on ours, and we're using an OpenLDAP 
setup similar to yours.


> 
>> Configure ldap section to use SSHA-Password as password attribute 
>> instead.
> 
> That's what I believed I HAD done with the following, from the diff of
> my radiusd.conf file against the default radiusd.conf that ships with
> 2.0.3, orignally included after the signature in my first message:
> 
>>> @@ -820,7 +825,8 @@
>>>          #  Novell may require TLS encrypted sessions before returning
>>>          #  the user's password.
>>>          #
>>> -        # password_attribute = userPassword
>>> +        password_attribute = userPassword
>>> +                password_radius_attribute = "SSHA-Password"
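Review bot: the added `password_radius_attribute = "SSHA-Password"` line is indented differently from the `password_attribute = userPassword` line directly above it, and nothing in the surrounding commented block (which documents only `password_attribute`) defines or explains this directive; either cite where `password_radius_attribute` is documented for this module or drop the line, and align its indentation with the neighbouring settings so the hunk reads consistently.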

I have no idea what password_radius_attribute is. Is that a legacy 
configuration item?

If your password is indeed stored in the LDAP 'userPassword' attribute 
which is the default then:

        #  Set password_attribute = nspmPassword to get the
        #  user's password from a Novell eDirectory
        #  backend. This will work ONLY IF FreeRADIUS has been
        #  built with the --with-edir configure option.
        #
        password_attribute = userPassword

should suffice.


The other way you can do this is by using the LDAP module as an 
authentication module. When used in the authentication section it'll 
attempt to bind to the LDAP server using the user's UID and password. I 
wouldn't recommend it in your case though, as binds are comparatively 
slow, and it'll only work with PAP.

> 
> If the above is not the correct way to accomplish what I am trying to
> do, I would be very grateful if someone would point me in the right
> direction to find what is the correct way.
> 
> The radtest test against a user in the LDAP data succeeds.  How do I get
> from here to having successful authentication through TTLS against the
> same LDAP data, without the above warning?
> 
>>>    radtest j_doe '*SANITIZED*' localhost:1814 1 testing123
>>>            User-Name = "j_doe"
>>>            User-Password = "*SANITIZED*"
>>>            NAS-IP-Address = 192.168.7.47
>>>            NAS-Port = 1
>>>
>>> Older versions of radtest would report receiving "Access-Accept", while
>>> this one silently exits.  However, radiusd in this case says:
>>>
>>> Ready to process requests.
>>>         User-Name = "j_doe"
>>>         User-Password = "*SANITIZED*"
>>>         NAS-IP-Address = 192.168.7.47
>>>         NAS-Port = 1
>>> +- entering group authorize
>>> ++[preprocess] returns ok
>>> ++[chap] returns noop
>>> ++[mschap] returns noop
>>>     rlm_realm: No '@' in User-Name = "j_doe", looking up realm NULL
>>>     rlm_realm: No such realm "NULL"
>>> ++[suffix] returns noop
>>>   rlm_eap: No EAP-Message, not doing EAP
>>> ++[eap] returns noop
>>> ++[unix] returns notfound
>>> ++[files] returns noop
>>> rlm_ldap: - authorize
>>> rlm_ldap: performing user authorization for j_doe
>>>         expand: %{Stripped-User-Name} ->
>>>         expand: %{User-Name} -> j_doe
>>>         expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(search 
>>> filter
>>> trimmed for brevity)) -> (&(cn=j_doe)(search filter trimmed for 
>>> brevity))
>>>         expand: ou=people,dc=concordia,dc=ca -> 
>>> ou=people,dc=concordia,dc=ca
>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>> rlm_ldap: ldap_get_conn: Got Id: 0
>>> rlm_ldap: attempting LDAP reconnection
>>> rlm_ldap: (re)connect to localhost boris:389, authentication 0
>>> rlm_ldap: bind as 
>>> cn=iits_neg,ou=AdminRoles,dc=concordia,dc=ca/*SANITIZED* to
>>> localhost boris:389
>>> rlm_ldap: waiting for bind result ...
>>> rlm_ldap: Bind was successful
>>> rlm_ldap: performing search in ou=people,dc=concordia,dc=ca, with filter
>>> (&(cn=j_doe)(search filter trimmed for brevity))
>>> rlm_ldap: Added User-Password = 
>>> {SSHA}*SANITIZED*QDmffXBQkU42Wt9x*SANITIZED*==
>>> in check items
>>> rlm_ldap: looking for check items in directory...
>>> rlm_ldap: looking for reply items in directory...
>>> rlm_ldap: user j_doe authorized to use remote access
>>> rlm_ldap: ldap_release_conn: Release Id: 0
>>> ++[ldap] returns ok
>>> ++[expiration] returns noop
>>> ++[logintime] returns noop
>>> ++[pap] returns updated
>>>   rad_check_password:  Found Auth-Type auth: type "PAP"
>>> +- entering group PAP
>>> rlm_pap: login attempt with password "*SANITIZED*"
>>> rlm_pap: Using SSHA encryption.
>>> rlm_pap: Normalizing SSHA1-Password from base64 encoding
>>> rlm_pap: User authenticated successfully
>>> ++[pap] returns ok
>>> Login OK: [j_doe/*SANITIZED*] (from client localhost port 1)
>>> Finished request 0.
>>> Going to the next request
> 
> Thanks for following up, and for any additional help ...
> 

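An added example, not from this thread or from FreeRADIUS itself, that reproduces in Python why a {SSHA} hash copied into Cleartext-Password can only "match" the hash string itself, and what the SSHA check looks like once the header is honoured. The HEADER_TO_ATTR mapping and the function names are my own approximation of the rlm_ldap auto_header / rlm_pap behaviour; the sample password and salt are constructed.

```python
import base64
import hashlib
import hmac
import os

# Assumed approximation of rlm_ldap auto_header: the {SCHEME} prefix decides
# which internal check attribute the directory value is written to.
HEADER_TO_ATTR = {
    "SSHA": "SSHA1-Password",
    "SHA": "SHA1-Password",
    "MD5": "MD5-Password",
    "CRYPT": "Crypt-Password",
    "CLEAR": "Cleartext-Password",
}

def split_header(stored):
    """Return (scheme, payload) for a '{SCHEME}payload' string, else (None, stored)."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return None, stored

def route_attribute(stored, auto_header):
    """Which check attribute the LDAP value would land in."""
    if not auto_header:
        return "Cleartext-Password"  # the failure mode discussed in the thread
    scheme, _ = split_header(stored)
    return HEADER_TO_ATTR.get(scheme, "Cleartext-Password")

def make_ssha(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_password(stored, candidate, auto_header=True):
    """Verify candidate against stored using the attribute it was routed to."""
    attr = route_attribute(stored, auto_header)
    if attr == "Cleartext-Password":
        # Hash treated as a literal password: only the hash string itself matches.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    if attr == "SSHA1-Password":
        raw = base64.b64decode(split_header(stored)[1])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        calc = hashlib.sha1(candidate.encode() + salt).digest()
        return hmac.compare_digest(calc, digest)
    raise NotImplementedError(f"{attr} is not handled in this example")
```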