PAP authentication and multiple LDAP userpassword attributes
Christophe Saillard
saillard at unistra.fr
Fri Feb 6 16:45:52 CET 2009
Hi,
I'm working on upgrading from FR 1.1.7 to FR 2.1.3.
I use FR for EAP-TTLS/PAP authentication with LDAP.
FR 1.1.7 successfully authenticates users with multiple LDAP userpassword
attributes, which are stored as crypt and/or MD5 hashes; the passwords
are not the same (even though it would be better if they were):
#######################################################################
[...]
rlm_ldap: performing user authorization for mylogin
radius_xlat: '(&(uid=mylogin)(udsradiusProfileWifi=*))'
radius_xlat: 'ou=people,o=annuaire'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter
(&(uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire,
with filter (objectclass=radiusprofile)
rlm_ldap: Added password {MD5}xxxxx in check items
rlm_ldap: Added password {crypt}xxxxx in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "LDAP_OSIRIS" returns ok for request 29
modcall: leaving group LDAP_OSIRIS (returns ok) for request 29
rad_check_password: Found Auth-Type LDAP_OSIRIS
auth: type "LDAP_OSIRIS"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP_OSIRIS for request 29
rlm_ldap: - authenticate
rlm_ldap: login attempt by "saillard" with password "mycleartextpassword"
rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+
to ldaps://ldapuds.u-strasbg.fr
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user mylogin authenticated succesfully
[...]
#######################################################################
Now with FR 2.1.3, it looks like only the first password attribute is used:
#######################################################################
[...]
[ldap] expand:
(&(uid=%{Stripped-User-Name:-%{User-Name}})(udsradiusProfileWifi=*)) ->
(&(uid=mylogin)(udsradiusProfileWifi=*))
[ldap] expand: ou=people,o=annuaire -> ou=people,o=annuaire
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,o=annuaire, with filter
(&(uid=mylogin)(udsradiusProfileWifi=*))
rlm_ldap: performing search in uid=wifi-crc,ou=profilsWifi,o=annuaire,
with filter (objectclass=radiusprofile)
[ldap] Added User-Password = {crypt}xxxxx in check items
[ldap] Added User-Password = {MD5}xxxxx in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user mylogin authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group authenticate {...}
[pap] login attempt with password "mycleartextpassword"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
[...]
#######################################################################
Is there a way to tell FR to try the other attributes?
My configuration is quite simple; here's my
sites-enabled/proxy-inner-tunnel:
server proxy-inner-tunnel {
    authorize {
        eap
        ldap
        pap
    }
    authenticate {
        eap
        pap
    }
    post-proxy {
        eap
    }
}
And the pap module:
pap {
    auto_header = yes
}
Any clue?
Thanks
--
---------------------------
Christophe Saillard
Université de Strasbourg
Direction Informatique
---------------------------
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---------------------------
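The behaviour the post asks for, expressed outside FreeRADIUS as an added example (this is neither the poster's configuration nor rlm_pap's code): a checker that parses RFC 2307 style "{scheme}" headers the way pap's auto_header = yes implies and tries a cleartext password against every userPassword value in turn instead of stopping at the first one. The sample attribute values, the "mycleartextpassword" string and the helper names are constructed for this example; the crypt placeholder is not a real hash of anything. Python's crypt module is optional here (it is gone in Python 3.13), so a {crypt} value that cannot be verified simply counts as no match and the loop moves on.

```python
"""Try a cleartext password against every LDAP userPassword value.

Added example, not FreeRADIUS code. It mimics what the post wants:
check each password attribute until one matches, handling the
RFC 2307 style "{scheme}" headers that auto_header = yes recognises.
All sample values below are constructed for this example.
"""
import base64
import hashlib
import hmac

try:
    import crypt  # stdlib module, removed in Python 3.13
except ImportError:
    crypt = None


def split_header(value: str):
    """Split '{scheme}payload' into (scheme, payload).

    A value without a header is treated as a cleartext password.
    Scheme names are compared case-insensitively ({MD5} == {md5})."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].lower(), value[end + 1:]
    return "cleartext", value


def check_one(password: str, stored: str) -> bool:
    """True if password matches one stored value.

    False when it does not match, when the scheme is unknown, or when
    {crypt} cannot be verified on this interpreter (no crypt module)."""
    scheme, payload = split_header(stored)
    pw = password.encode("utf-8")
    if scheme == "cleartext":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme == "md5":  # base64 of the raw 16-byte MD5 digest
        return hmac.compare_digest(base64.b64decode(payload),
                                   hashlib.md5(pw).digest())
    if scheme == "sha":  # base64 of the raw 20-byte SHA-1 digest
        return hmac.compare_digest(base64.b64decode(payload),
                                   hashlib.sha1(pw).digest())
    if scheme == "ssha":  # base64(sha1(password + salt) + salt)
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if scheme == "crypt":
        if crypt is None:
            return False  # cannot verify here; treat as no match, keep going
        result = crypt.crypt(password, payload)  # payload doubles as salt
        return result is not None and hmac.compare_digest(result, payload)
    return False  # unknown scheme: no match rather than an exception


def check_first_only(password: str, stored_values) -> bool:
    """What the post observes in 2.1.3: only the first value is consulted."""
    return bool(stored_values) and check_one(password, stored_values[0])


def check_any(password: str, stored_values) -> int:
    """Index of the first matching value, or -1 when none match.

    This is the "try the other attributes" behaviour the post asks for."""
    for i, stored in enumerate(stored_values):
        if check_one(password, stored):
            return i
    return -1


def md5_header(password: str) -> str:
    """Build a {MD5} value as it would be stored in the directory."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ssha_header(password: str, salt: bytes) -> str:
    """Build a {SSHA} value (digest followed by the salt, base64 encoded)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


# Constructed sample: one entry with two userPassword values holding
# different passwords, crypt first and MD5 second, as in the post.
# The crypt string is a placeholder (not a hash of any password), so it
# never matches; only the second value corresponds to the cleartext.
SAMPLE_VALUES = [
    "{crypt}$1$saltsalt$placeholder.not.a.real.hash.of.anything",
    md5_header("mycleartextpassword"),
]

if __name__ == "__main__":
    print("first only:", check_first_only("mycleartextpassword", SAMPLE_VALUES))
    print("any:", check_any("mycleartextpassword", SAMPLE_VALUES))
```

Run stand-alone it prints "first only: False" followed by "any: 1": the first attribute (the crypt hash) rejects the password exactly as the 2.1.3 debug output shows, and only iterating over every value finds the matching {MD5} one. Note that the comparisons are done with hmac.compare_digest to avoid leaking timing on the digest bytes, which a plain == would not guarantee.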