Thor Spruyt thor.spruyt at telenet.be
Thu Sep 24 15:05:06 CEST 2009


Hi,

I tried to get this working also and I found that if you let the ldap module *not* check the password_header, then the password incl. the header is put in the User-Password attribute.
If you then use auto_header = yes for the pap module, it should figure out automatically to do crypt... unless the uppercase CRYPT is causing issues...

Here's some sample debug output to check your setup:
[ldap] Password header not found in password {crypt}XXXXXXXXXXX for user test
[ldap] Added User-Password = {crypt}XXXXXXXXXXX in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap] returns ok
++- group  returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "xxxx"
[pap] Using CRYPT encryption.
[pap] User authenticated successfully
++[pap] returns ok


Regards,
Thor.


>----- Original message -----
>From: wessam seleem [mailto:wessam.seleem at gmail.com]
>Sent: Thursday, September 24, 2009 02:16 PM
>To: tnt at kalik.net, 'FreeRadius users mailing list'
>Subject: Re: "known good" error
>
>Thanks Ivan for your reply. Here is the ldap configuration section:
>
>ldap {
>server = "x.x.x.x"
>identity = "cn=username"
>password = password
>basedn = "ou=email,o=data,c=eg"
>filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>password_header = "{CRYPT}"
>ldap_connections_number = 100
>timeout = 15
>timelimit = 10
>net_timeout = 5
>
>tls {
>start_tls = no
>}
>
>profile_attribute = "radiusProfileDn"
>access_attr = "dialupAccess"
>dictionary_mapping = ${confdir}/ldap.attrmap
>password_attribute = radiususerPassword
>}
>
>
>
>and here is the debug message
>
>
>++[ldap] returns ok
>Found Auth-Type = PAP
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!!    Replacing User-Password in config items with Cleartext-Password.
>!!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!! Please update your configuration so that the "known good"
>!!!
>!!! clear text password is in Cleartext-Password, and not in User-Password.
>!!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>+- entering group PAP {...}
>[pap] login attempt with password "123456"
>[pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"
>[pap] Passwords don't match
>++[pap] returns reject
>Failed to authenticate the user.
>Using Post-Auth-Type Reject
>+- entering group REJECT {...}
>[attr_filter.access_reject]     expand: %{User-Name} -> username
> attr_filter: Matched entry DEFAULT at line 11
>++[attr_filter.access_reject] returns updated
>Delaying reject of request 0 for 1 seconds
>Going to the next request
>Waking up in 0.9 seconds.
>Sending delayed reject for request 0
>
>
>
>Thanks for your support.
>Wessam
>
>
>On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik <tnt at kalik.net> wrote:
>
>> >    I decided to install free radius 2.1.6-2 to test it and then to
>> upgrade
>> > my existing versions in my servers. I configured my free radius to use
>> > ldap.
>> > When I tried to authenticate from the new radius it gave me the following
>> > message "from radius -X".
>> >
>> >  Replacing User-Password in config items with Cleartext-Password.     !!!
>> >
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> > !!! Please update your configuration so that the "known good"
>> > !!!
>> > !!! clear text password is in Cleartext-Password, and not in
>> > User-Password.
>> > !!!
>> >
>> >
>> > Note that when I wrote the password encrypted  "like
>> > *%@&ksjd%@sdgsadgjhsb"
>> > I was able to login but when I wrote the password in clear text  "like
>> > test"
>> > I failed to login.
>>
>> Password in ldap probably has a header. You can ignore the message then,
>> because the server will convert User-Password to the appropriate password
>> attribute on its own (Crypt-Password for {crypt}, SHA-Password for {sha}
>> etc.) if auto-header is enabled. Post the whole debug.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
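The path the thread walks through (ldap's password_header check, then pap with or without auto_header), as an added Python model written for this archive page; it is not FreeRADIUS code, and the prefix-match rule in ldap_check_item, the header-to-attribute table and the {SSHA} test value are assumptions built from the messages above:

```python
# Added example (not FreeRADIUS code): models how a hashed password read from
# LDAP reaches pap, and why stripping the header loses the hash type.
import base64
import hashlib

# Header -> check attribute, as Ivan describes auto_header's conversion.
HEADER_ATTRS = {
    "{crypt}": "Crypt-Password",
    "{ssha}": "SSHA-Password",
}

def ldap_check_item(value, password_header=None):
    """Model of the ldap module. Assumption: password_header is matched
    case-insensitively as a prefix and, on a match, only the remainder is
    kept. Either way the result is added as User-Password."""
    if password_header and value.lower().startswith(password_header.lower()):
        return "User-Password", value[len(password_header):]  # header gone
    return "User-Password", value  # header kept, as in Thor's debug output

def pap_authorize(attr, value, auto_header=False):
    """Model of pap authorize: with auto_header = yes a recognised header in
    User-Password selects the matching attribute; otherwise User-Password is
    replaced by Cleartext-Password (the '!!!' warning in the thread)."""
    if attr != "User-Password":
        return attr, value
    if auto_header:
        for header, target in HEADER_ATTRS.items():
            if value[:len(header)].lower() == header:
                return target, value[len(header):]
    return "Cleartext-Password", value

def make_ssha(password, salt):
    """Build a constructed LDAP-style {SSHA} value: base64(sha1(pw+salt)+salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(attr, stored, supplied):
    """Compare a supplied password with the check item pap ended up with.
    crypt(3) is left out so the example runs without a platform crypt."""
    if attr == "Cleartext-Password":
        return stored == supplied
    if attr == "SSHA-Password":
        raw = base64.b64decode(stored)
        return raw[:20] == hashlib.sha1(supplied.encode() + raw[20:]).digest()
    raise NotImplementedError(attr)

def resolve(ldap_value, password_header=None, auto_header=False):
    """Full path: ldap check item -> pap authorize -> final check attribute."""
    return pap_authorize(*ldap_check_item(ldap_value, password_header), auto_header=auto_header)
```

With the header stripped by ldap and no auto_header, the bare hash is compared as clear text, which is why the "encrypted" string logs in and the real password does not.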