yet ANOTHER EAP-TTLS/PAP with OpenLDAP problem ...

Sylvain Robitaille syl at alcor.concordia.ca
Sat Mar 29 23:28:11 CET 2008


On Sat, 29 Mar 2008, Alan DeKok wrote:

>>> ldap {
>>>     auto_header = yes
> ...
>> I will definitely give that a try on Monday morning.  ...
>
>  I would very much prefer that the PAP module be used for the password
>  mangling, rather than rlm_ldap.  The code in the PAP module does
>  more, and is more used than the similar code in rlm_ldap.  I think
>  that functionality will be removed from rlm_ldap.

Ok, fair enough.  What you're saying is if I've done everything else
correctly (and using a freeradius-server version that has the fixed
rlm_pap), I shouldn't need ldap's auto_header functionality.

[password_radius_attribute]
> I've deleted that text from the documentation.  The configuration item
> hasn't been in rlm_ldap for a long time.

I should have checked the source before attempting to use the parameter.
I would have been able to see for myself that the parameter simply
doesn't exist.

> You need to tell FreeRADIUS *how* you have encrypted the passwords.
> If there's a {ssha} header on the password, then the PAP module should
> figure it out.

The header is there, as "{SSHA}".  I imagine (I'm not trying to avoid
*checking* for myself; I can do so on Monday when I'm back at work ...)
that it isn't case-sensitive.

>  30 second delays are almost always DNS.

Understood.

>> Hrmmm...  I have "hostname_lookups = no" ...
>
> Yes.  That configuration item controls IP address -> hostname lookups
> for printing.  It has *no* effect on hostname -> IP mapping, such as
> looking up ldap servers by hostname.

Right, and I wouldn't have kidded myself that it had anything to do with
that.

Of course, if that's the problem (and if the server is performing that
lookup for every LDAP query, and in my current installation, every bind
to LDAP for authentication, it occurs to me that the DNS resolvers
just might be throttling their responses due to the sheer number of
queries they would be seeing from the same small number of systems), I
could work around it just as easily by using IP addresses for the LDAP
server configurations, or simply list the LDAP servers in the system's
/etc/hosts file (assuming appropriate configuration of nsswitch).
That's getting a bit off-topic for freeradius-users, though.  Still,
thank you again for bringing this up;  I had completely overlooked
it as a possibility.  And yes, I've quite well received your point:
"run in debug mode and SEE why my current radiusd is taking so long to
respond to the authentication requests".

This might be an easy-enough "fix" that would at least buy me time to
return to getting 2.0.3 properly configured and running.

>>> ... The issue is that the rlm_ldap module is reading the
>>> "userPassword" ldap field, and creating a User-Password attribute.
>>> It could really be fixed.
>>
>> By patching rlm_ldap, you mean, or by adjusting my configuration?
>
>  Patching rlm_ldap, probably.  The "userPassword" should be mapped to
> User-Password via ldap.attrmap, just like everything else.

If it's that simple, I definitely can go ahead and do that.

>> Ok, but what I'm stuck on is *why* the differences are there.  I
>> don't doubt I've done something wrong, but I'm unable to figure out
>> what it is that I've done wrong.
>
> It may be the bug in rlm_pap.  Grab a current CVS snapshot, and see if
> that works any better.

I will do that Monday and report back.  Thank you.

>> Ok, and then I'll need to put the blob in a SSHA-Password attribute,
>> correct?
>
> Yes.  And it will likely work.  But... the LDAP module is putting it
> into the User-Password attribute.  So you might want to test that, too.

Alright.

>> I only learned about "redundant" this week.  ...
>
> $ man unlang
>
>  You probably want "redundant-load-balance".  It's a bit of effort to
> type, but it results in a pretty robust system.

I have read "man unlang" and will read it again.  I agree that
redundant-load-balance is more likely to be what I want, and came to the
same conclusion when I did read "man unlang" (only yesterday).  A
"pretty robust system" is definitely what I'm after, yes.  :-)

>>   - configure "auto_header = yes" for the ldap module.
>
> I really don't think that's necessary.  If you're not proxying, then
> the PAP module *should* take care of fixing the password up.

Ok, will try without it first, and report back.

> Also, test with a User-Password := "{ssha}...".  Check that the PAP
> module "fixes" it, and turns it into a SSHA-Password attribute.

Right.  Thanks very much.  I think I'm well on my way to getting this
going, and even to fixing the original problem I was trying to solve in
the first place (performance of the RADIUS server during peak usage
hours).

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl at alcor.concordia.ca

Systems and Network analyst                       Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
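The thread turns on what the PAP module does with a User-Password that carries an "{SSHA}" header: recognise the scheme (regardless of case), split the base64 blob into digest and salt, and treat it as an SSHA-Password check. The following is an added, stand-alone example that mimics that logic in Python; it is not FreeRADIUS code and not from this thread, and the sample password and salt are constructed here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Known FreeRADIUS hashed-password attribute names; the thread only names
# SSHA-Password, the others are listed for completeness.
HEADER_TO_ATTRIBUTE = {
    "SSHA": "SSHA-Password",
    "SHA": "SHA-Password",
    "MD5": "MD5-Password",
    "CRYPT": "Crypt-Password",
    "CLEAR": "Cleartext-Password",
}

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an LDAP-style {SSHA} value: base64(SHA1(password + salt) + salt).
    Used here only to construct sample userPassword values."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def normalize_header(value: str) -> Tuple[str, str]:
    """Split "{scheme}blob" into (SCHEME, blob). The scheme is upper-cased so
    "{ssha}" and "{SSHA}" are handled identically (the case question in the thread)."""
    if not value.startswith("{") or "}" not in value:
        return ("CLEAR", value)  # no header: assume clear-text
    end = value.index("}")
    return (value[1:end].upper(), value[end + 1:])

def target_attribute(value: str) -> Optional[str]:
    """Which *-Password attribute an auto-header value would be rewritten into."""
    return HEADER_TO_ATTRIBUTE.get(normalize_header(value)[0])

def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a stored {SSHA} value."""
    scheme, blob = normalize_header(stored)
    if scheme != "SSHA":
        return False
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return False  # not valid base64
    if len(raw) < 20:
        return False  # malformed: the SHA-1 digest alone is 20 bytes
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)
```

Running this against a real userPassword exported from the directory is a quick way to confirm the stored hash is a well-formed SSHA blob before blaming the RADIUS configuration.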