PAP authentication and multiple LDAP userpassword attributes

Christophe Saillard saillard at unistra.fr
Fri Feb 6 16:45:52 CET 2009


Hi,

I'm working on upgrading from FR 1.1.7 to FR 2.1.3.

I use FR for EAP-TTLS/PAP authentication with LDAP.

FR 1.1.7 successfully authenticates users with multiple LDAP userPassword 
attributes which are stored with crypt and/or MD5 hash; the passwords 
are not the same (even if it's better if they are):

#######################################################################
[...]
rlm_ldap: performing user authorization for mylogin
radius_xlat:  '(&(uid=mylogin)(udsradiusProfileWifi=*))'
radius_xlat:  'ou=people,o=annuaire'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter 
(&(uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, 
with filter (objectclass=radiusprofile)
rlm_ldap: Added password {MD5}xxxxx in check items
rlm_ldap: Added password {crypt}xxxxx in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "LDAP_OSIRIS" returns ok for request 29
modcall: leaving group LDAP_OSIRIS (returns ok) for request 29
   rad_check_password:  Found Auth-Type LDAP_OSIRIS
auth: type "LDAP_OSIRIS"
   Processing the authenticate section of radiusd.conf
modcall: entering group LDAP_OSIRIS for request 29
rlm_ldap: - authenticate
rlm_ldap: login attempt by "saillard" with password "mycleartextpassword"
rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+ 
to ldaps://ldapuds.u-strasbg.fr
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mylogin authenticated succesfully
[...]
#######################################################################

Now with FR 2.1.3, it looks like only the first password attribute is used:

#######################################################################
[...]
[ldap]  expand: 
(&(uid=%{Stripped-User-Name:-%{User-Name}})(udsradiusProfileWifi=*)) -> 
(&(uid=mylogin)(udsradiusProfileWifi=*))
[ldap]  expand: ou=people,o=annuaire -> ou=people,o=annuaire
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter 
(&(uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire, 
with filter (objectclass=radiusprofile)
[ldap] Added User-Password = {crypt}xxxxx in check items
[ldap] Added User-Password = {MD5}xxxxx in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group authenticate {...}
[pap] login attempt with password "mycleartextpassword"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
[...]
#######################################################################

Is there a way to tell FR to try the other attributes?

My configuration is quite simple; here's my 
sites-enabled/proxy-inner-tunnel:

server proxy-inner-tunnel {

    authorize {
            eap
            ldap
            pap
    }

    authenticate {
            eap
            pap
    }

    post-proxy {
            eap
    }
}

And the pap module:

pap {
         auto_header = yes
}

Any clue?

Thanks

-- 
---------------------------
Christophe Saillard
Université de Strasbourg
Direction Informatique
---------------------------
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---------------------------
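The two logs above differ in who compares the password: in 1.1.7 rlm_ldap binds to the directory as the user, so the directory server itself checks the cleartext against every userPassword value it holds, whereas in 2.1.3 rlm_pap receives two User-Password check items and, per the "Using CRYPT encryption ... Passwords don't match" lines, tests only the first one. The following Python is an added example (not from the post and not FreeRADIUS code) that models that difference: it parses {crypt}, {MD5}, {SSHA} and cleartext userPassword values the way auto_header style prefixes are written, and shows a first-item-only check failing where a check over all values succeeds. The sample password values are constructed here; the crypt(3) value uses a SHA-512 salt as an assumption and falls back to an unverifiable placeholder where no crypt module is available.

```python
"""Check a PAP cleartext password against every LDAP userPassword value.

Added example, not FreeRADIUS code: it models the difference between
testing only the first User-Password check item (what the 2.1.3 log shows)
and trying every value (what the directory does on a bind, as in 1.1.7).
"""
import base64
import hashlib
import hmac
import string

try:
    import crypt  # crypt(3) wrapper; deprecated in Python 3.11, removed in 3.13
except ImportError:
    crypt = None


def split_header(value):
    """Split '{scheme}data' into (scheme, data); no header means cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, _, data = value[1:].partition("}")
        return scheme.lower(), data
    return "clear", value


def check_one(cleartext, value):
    """True if cleartext matches this userPassword value, False if it does not,
    None if the scheme cannot be verified here (e.g. no crypt(3) available)."""
    scheme, data = split_header(value)
    pw = cleartext.encode()
    if scheme in ("clear", "cleartext"):
        return hmac.compare_digest(pw, data.encode())
    if scheme == "md5":
        # Accept 32 hex chars or base64 of the raw 16-byte digest, as rlm_pap does.
        if len(data) == 32 and all(c in string.hexdigits for c in data):
            digest = bytes.fromhex(data)
        else:
            digest = base64.b64decode(data)
        return hmac.compare_digest(hashlib.md5(pw).digest(), digest)
    if scheme == "ssha":
        # RFC 2307 style: base64(sha1(password + salt) + salt)
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "crypt":
        if crypt is None:
            return None
        computed = crypt.crypt(cleartext, data)
        if not computed or computed.startswith("*"):  # libxcrypt failure token
            return None
        return hmac.compare_digest(computed, data)
    return None


def check_first_only(cleartext, values):
    """Behaviour seen in the 2.1.3 log: only the first check item is tested."""
    return bool(values) and check_one(cleartext, values[0]) is True


def check_all(cleartext, values):
    """Try every userPassword value; return the one that matched, or None."""
    for value in values:
        if check_one(cleartext, value) is True:
            return value
    return None


# Helpers to build constructed sample values (not taken from the post).
def make_md5(password, hex_form=False):
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + (digest.hex() if hex_form else base64.b64encode(digest).decode())


def make_ssha(password, salt=b"\x01\x02\x03\x04"):
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_crypt(password, salt="$6$saltsalt$"):
    """SHA-512 crypt(3) when available (assumed salt); otherwise a placeholder
    that no cleartext can match."""
    computed = crypt.crypt(password, salt) if crypt else None
    if not computed or computed.startswith("*"):
        return "{crypt}unavailable"
    return "{crypt}" + computed


# Constructed sample: two userPassword values holding *different* passwords,
# {crypt} first, mirroring the order in the 2.1.3 log.
USER_PASSWORD = [make_crypt("otherpassword"), make_md5("mycleartextpassword")]

if __name__ == "__main__":
    print("first only:", check_first_only("mycleartextpassword", USER_PASSWORD))
    print("all values:", check_all("mycleartextpassword", USER_PASSWORD))
```

Run as-is, the first-only check reports False and the all-values check returns the {MD5} entry, which is the behaviour the 1.1.7 bind gave for free. Note that the rlm_ldap bind in the first log sends the cleartext password to the directory, while the rlm_pap path keeps the hashes in RADIUS check items; either way the hashes themselves ({crypt}, unsalted {MD5}) are weak by current standards, so this only illustrates the matching logic, not a recommended storage scheme.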



More information about the Freeradius-Users mailing list