wessam seleem wessam.seleem at gmail.com
Sun Sep 27 14:34:10 CEST 2009


Dear Thor and Ivan,
Thanks for your support. I would like to note that I have the
same configuration on a server that has freeradius-1.1.7-1 installed and it
is working fine. I want to upgrade. That is why I am testing
freeradius-2.1.6-2. I want to ask: is there any difference between the 1.1.7-1
and 2.1.6-2 configuration files that I should take into consideration?


Thor,
I don't have the same output in the debug mode. I have what you can see
below:


++[ldap] returns ok
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "password"
[pap] Using clear text password "$5 at Hfgusllj%$#kasjs"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> username
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

Dear Ivan and Thor,

As you can see, the problem is that I am sending a clear text password and the
radius doesn't convert it to an encrypted one. I want my radius to take a clear
text password, encrypt it, and then compare it with the encrypted one in my
ldap. Please let me know if I should clarify more or if you need more info.

Thanks again for your support.
Regards,



On Thu, Sep 24, 2009 at 3:05 PM, Thor Spruyt <thor.spruyt at telenet.be> wrote:

> Hi,
>
> I tried to get this working also and I found that if you let the ldap
> module *not* check the password_header, then the password incl. the header
> is put in the User-Password attribute.
> If you then use auto_header = yes for the pap module, it should figure out
> automatically to do crypt... unless the uppercase CRYPT is causing issues...
>
> Here's some sample debug output to check your setup:
> [ldap] Password header not found in password {crypt}XXXXXXXXXXX for user
> test
> [ldap] Added User-Password = {crypt}XXXXXXXXXXX in check items
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> +++[ldap] returns ok
> ++- group  returns ok
> ++[pap] returns updated
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password "xxxx"
> [pap] Using CRYPT encryption.
> [pap] User authenticated successfully
> ++[pap] returns ok
>
>
> Regards,
> Thor.
>
>
> >----- Original message -----
> >From: wessam seleem [mailto:wessam.seleem at gmail.com]
> >Sent: Thursday, September 24, 2009 02:16 PM
> >To: tnt at kalik.net, 'FreeRadius users mailing list'
> >Subject: Re: "known good" error
> >
> >Thanks Ivan for your reply. Here is the ldap configuration section:
> >
> >ldap {
> >server = "x.x.x.x"
> >identity = "cn=username"
> >password = password
> >basedn = "ou=email,o=data,c=eg"
> >filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> >password_header = "{CRYPT}"
> >ldap_connections_number = 100
> >timeout = 15
> >timelimit = 10
> >net_timeout = 5
> >
> >tls {
> >start_tls = no
> >}
> >
> >profile_attribute = "radiusProfileDn"
> >         access_attr = "dialupAccess"
> >dictionary_mapping = ${confdir}/ldap.attrmap
> >password_attribute = radiususerPassword
> >}
> >
> >
> >
> >and here is the debug message
> >
> >
> >++[ldap] returns ok
> >Found Auth-Type = PAP
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!!    Replacing User-Password in config items with Cleartext-Password.
> >!!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!! Please update your configuration so that the "known good"
> >!!!
> >!!! clear text password is in Cleartext-Password, and not in User-Password.
> >!!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >+- entering group PAP {...}
> >[pap] login attempt with password "123456"
> >[pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"
> >[pap] Passwords don't match
> >++[pap] returns reject
> >Failed to authenticate the user.
> >Using Post-Auth-Type Reject
> >+- entering group REJECT {...}
> >[attr_filter.access_reject]     expand: %{User-Name} -> username
> > attr_filter: Matched entry DEFAULT at line 11
> >++[attr_filter.access_reject] returns updated
> >Delaying reject of request 0 for 1 seconds
> >Going to the next request
> >Waking up in 0.9 seconds.
> >Sending delayed reject for request 0
> >
> >
> >
> >Thanks for your support.
> >Wessam
> >
> >
> >On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik <tnt at kalik.net> wrote:
> >
> >> >    I decided to install free radius 2.1.6-2 to test it and then to upgrade
> >> > my existing versions in my servers. I configured my free radius to use ldap.
> >> > When I tried to authenticate from the new radius it gave me the following
> >> > message "from radius -X".
> >> >
> >> >  Replacing User-Password in config items with Cleartext-Password. !!!
> >> >
> >> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >> > !!! Please update your configuration so that the "known good"
> >> > !!!
> >> > !!! clear text password is in Cleartext-Password, and not in User-Password.
> >> > !!!
> >> >
> >> >
> >> > Note that when I wrote the password encrypted "like *%@&ksjd%@sdgsadgjhsb"
> >> > I was able to login but when I wrote the password in clear text "like test"
> >> > I failed to login.
> >>
> >> Password in ldap probably has a header. You can ignore the message then,
> >> because server will convert User-Password to appropriate password
> >> attribute on its own (Crypt-Password for {crypt}, SHA-Password for {sha}
> >> etc.) if auto-header is enabled. Post the whole debug.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
> >
>
>
>
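
An added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of the header-based dispatch discussed above, showing why a hash whose header was stripped is compared as clear text and only matches when the hash itself is typed. It uses {SHA} and {SSHA} instead of {crypt} so it runs without crypt(3); the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Simplified model (an assumption, not FreeRADIUS source) of choosing the
# comparison from the {scheme} header on the directory password value.
HEADER_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

def _clear(submitted: bytes, stored: str) -> bool:
    return hmac.compare_digest(submitted, stored.encode())

def _sha(submitted: bytes, stored: str) -> bool:
    # {SHA}: base64 of the unsalted SHA-1 digest
    expected = base64.b64encode(hashlib.sha1(submitted).digest())
    return hmac.compare_digest(expected, stored.encode())

def _ssha(submitted: bytes, stored: str) -> bool:
    # {SSHA}: base64 of (20-byte SHA-1 digest followed by the salt)
    raw = base64.b64decode(stored)
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(submitted + salt).digest(), digest)

VERIFIERS = {
    "clear": ("Cleartext-Password", _clear),
    "sha": ("SHA-Password", _sha),
    "ssha": ("SSHA-Password", _ssha),
}

def pap_check(submitted: str, directory_value: str, auto_header: bool = True):
    """Return (attribute the value was treated as, accepted?)."""
    match = HEADER_RE.match(directory_value) if auto_header else None
    if match is None:
        # No header seen: the value is taken as the known-good clear text,
        # so a bare hash only "matches" if the user types the hash itself.
        return "Cleartext-Password", _clear(submitted.encode(), directory_value)
    scheme = match.group(1).lower()  # {SHA} and {sha} are the same scheme
    if scheme not in VERIFIERS:
        return "unsupported:" + scheme, False
    attribute, verify = VERIFIERS[scheme]
    return attribute, verify(submitted.encode(), match.group(2))

def sha_entry(password: str) -> str:
    """Build a constructed {SHA} directory value for the demo."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

if __name__ == "__main__":
    entry = sha_entry("test")  # constructed sample, not from the thread
    print(pap_check("test", entry))                  # header kept
    print(pap_check("test", entry[len("{SHA}"):]))   # header stripped upstream
```
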