ldap and unix return different results

Craig White craigwhite at azapple.com
Sun Nov 16 17:45:35 CET 2008


I am trying to use mschap and the following is logged suggesting that
ldap authorize succeeds but unix authorize fails but the passwords are
the same (aside from the fact that samba hashes the password). I can ssh
into the radius server with the user name and password...

# getent passwd|grep craigwhite
craigwhite:x:1013:1000:Craig White:/home/users/craigwhite:/bin/sh

# radtest craigwhite MY_PASSWORD MY_RADIUS_SERVER 0 whatever

and on the radius server running 'radiusd -X -f'

Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812 Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.100.7:60829, id=45,
length=62
        User-Name = "craigwhite"
        User-Password = "MY_PASSWORD"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "craigwhite", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for craigwhite
radius_xlat:  '(uid=craigwhite)'
radius_xlat:  'ou=People,ou=Accounts,o=MY_ORG,c=US'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as cn=admin,o=Mullen,c=US/riod to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,ou=Accounts,o=MY_ORG,c=US, with
filter (uid=craigwhite)
rlm_ldap: checking if remote access for craigwhite is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value
[UX         ] & op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value HASHED_PASSWORD &
op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value HASHED_PASSWORD &
op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user craigwhite authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [craigwhite]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.

Obviously this is something to do with the 'users' file configuration
which is still at its default and apparently this is the problem
here...

DEFAULT Auth-Type = System
        Fall-Through = 1

What nugget am I missing?

Craig
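
Added example, not part of the original post: a small Python parser for a 'radiusd -X' trace like the one above. It reports what each module returned in each section, which Auth-Type was selected, and which module rejected the request. The sample lines are a trimmed copy of the log in the post; the function names are hypothetical.

```python
import re

# Trimmed copy of the debug trace from the post above (sample input).
SAMPLE = """\
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: user craigwhite authorized to use remote access
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 0
rlm_unix: [craigwhite]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.
"""

MODCALL = re.compile(
    r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
AUTH_TYPE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')


def summarize(trace):
    """Collect per-section module results, the Auth-Type, and the rejecting module."""
    summary = {"authorize": [], "authenticate": [],
               "auth_type": None, "rejected_by": None}
    for line in trace.splitlines():
        m = MODCALL.search(line)
        if m:
            section, module, result, _request = m.groups()
            summary.setdefault(section, []).append((module, result))
            if section == "authenticate" and result == "reject":
                summary["rejected_by"] = module
            continue
        m = AUTH_TYPE.search(line)
        if m:
            summary["auth_type"] = m.group(1)
    return summary


def explain(summary):
    """One-line reading of the trace: who authorized, who checked the password."""
    ok = [mod for mod, res in summary["authorize"] if res == "ok"]
    return ("authorize ok from: %s; Auth-Type=%s; rejected by: %s"
            % (", ".join(ok) or "none", summary["auth_type"], summary["rejected_by"]))


if __name__ == "__main__":
    print(explain(summarize(SAMPLE)))
```

On the trace from the post, this makes visible that ldap returned ok only in the authorize section, while the password check ran under Auth-Type System and was rejected by the unix module.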



