Doubt - Freeradius + Ldap

Eduardo Moreira eduardomoreirars at gmail.com
Fri Nov 5 19:47:24 CET 2010


Sorry, but where do I check the shared secret? In clients.conf?

If yes, the secret is OK!

Thanks for any help.



On 11/04/2010 09:51 AM, eduardo moreira wrote:
> Sorry about this mail, Josip, but I checked my clients.conf again, and 
> I put the conf here for you to see.
>
> clients.conf
> client 127.0.0.1 {
>         secret          = password
>         shortname       = localhost
>         nastype     = other     # localhost isn't usually a NAS...
> }
> client 10.12.60.19 {
>         secret      = password
>         shortname   = any
>         nastype     = other
> }
>
> And I use this command to test the connection:
> radtest username 123456 10.12.60.19 1812 0 password
>
> And I see the debug log and receive this message:
> Mon Nov  1 15:06:16 2010 : Debug: Ready to process requests.
> rad_recv: Access-Request packet from host 10.12.60.19 port 50105, 
> id=100, length=73
>     User-Name = "username"
>     User-Password = "c\355W'\021tC\372\177R\232(\007\027n\263"
>     NAS-IP-Address = 127.0.1.1
>     NAS-Port = 1812
>     Framed-Protocol = PPP
> Thu Nov  4 09:30:02 2010 : Debug: +- entering group authorize
> Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling 
> preprocess (rlm_preprocess) for request 1
> Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
> from preprocess (rlm_preprocess) for request 1
> Thu Nov  4 09:30:02 2010 : Debug: ++[preprocess] returns ok
> Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling 
> mschap (rlm_mschap) for request 1
> Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
> from mschap (rlm_mschap) for request 1
> Thu Nov  4 09:30:02 2010 : Debug: ++[mschap] returns noop
> Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling ldap 
> (rlm_ldap) for request 1
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: - authorize
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing user 
> authorization for username
> Thu Nov  4 09:30:02 2010 : Debug:     expand: (uid=%u) -> (uid=username)
> Thu Nov  4 09:30:02 2010 : Debug:     expand: dc=a,dc=a,dc=c,dc=b -> 
> dc=a,dc=a,dc=c,dc=b
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing search in 
> dc=a,dc=a,dc=c,dc=b,dc=a,dc=a,dc=c,dc=b, with filter (uid=username)
> Thu Nov  4 09:30:02 2010 : Error: rlm_ldap: ldap_search() failed: LDAP 
> connection lost.
> Thu Nov  4 09:30:02 2010 : Info: rlm_ldap: Attempting reconnect
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: attempting LDAP reconnection
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: closing existing LDAP 
> connection
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: (re)connect to ldap.intra 
> proxy.intra localhost:389, authentication 0
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: bind as 
> cn=Administrator,dc=a,dc=c,dc=a,dc=c,dc=b/password to ldap.intra 
> proxy.intra localhost:389
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: waiting for bind result ...
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: Bind was successful
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: performing search in 
> dc=a,dc=c,dc=a,dc=a,dc=c,dc=a,dc=c, with filter (uid=username)
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: Added User-Password = 
> {crypt}tg/iHj5yM2iXI in check items
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: No default NMAS login sequence
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: looking for check items in 
> directory...
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute 
> userPassword as RADIUS attribute Password-With-Header == 
> "{crypt}tg/iHj5yM2iXI"
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute 
> sambantPassword as RADIUS attribute NT-Password == 
> 0x3738463934413643303931413730423936454135373046344341353438304531
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute 
> sambalmPassword as RADIUS attribute LM-Password == 
> 0x3743414142444638393134314430423841414433423433354235313430344545
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: LDAP attribute cn as 
> RADIUS attribute Group == "username"
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: looking for reply items in 
> directory...
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: user username authorized 
> to use remote access
> Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: ldap_release_conn: Release 
> Id: 0
> Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
> from ldap (rlm_ldap) for request 1
> Thu Nov  4 09:30:02 2010 : Debug: ++[ldap] returns ok
> Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling eap 
> (rlm_eap) for request 1
> Thu Nov  4 09:30:02 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
> Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
> from eap (rlm_eap) for request 1
> Thu Nov  4 09:30:02 2010 : Debug: ++[eap] returns noop
> Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: calling chap 
> (rlm_chap) for request 1
> Thu Nov  4 09:30:02 2010 : Debug:   modsingle[authorize]: returned 
> from chap (rlm_chap) for request 1
> Thu Nov  4 09:30:02 2010 : Debug: ++[chap] returns noop
> Thu Nov  4 09:30:02 2010 : Debug: 
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Thu Nov  4 09:30:02 2010 : Debug: !!!    Replacing User-Password in 
> config items with Cleartext-Password.     !!!
> Thu Nov  4 09:30:02 2010 : Debug: 
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Thu Nov  4 09:30:02 2010 : Debug: !!! Please update your configuration 
> so that the "known good"               !!!
> Thu Nov  4 09:30:02 2010 : Debug: !!! clear text password is in 
> Cleartext-Password, and not in User-Password. !!!
> Thu Nov  4 09:30:02 2010 : Debug: 
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Thu Nov  4 09:30:02 2010 : Debug: auth: type Local
> Thu Nov  4 09:30:02 2010 : Debug: auth: user supplied User-Password 
> does NOT match local User-Password
> Thu Nov  4 09:30:02 2010 : Debug: auth: Failed to validate the user.
> Thu Nov  4 09:30:02 2010 : Auth: Login incorrect: 
> [username/c\355W'\021tC\372\177R\232(\007\027n\263] (from client any 
> port 1812)
> Thu Nov  4 09:30:02 2010 : Debug:   WARNING: Unprintable characters in 
> the password.       Double-check the shared secret on the server and 
> the NAS!
> Thu Nov  4 09:30:02 2010 : Debug: Delaying reject of request 1 for 1 
> seconds
> Thu Nov  4 09:30:02 2010 : Debug: Going to the next request
> Thu Nov  4 09:30:02 2010 : Debug: Waking up in 0.9 seconds.
> Thu Nov  4 09:30:03 2010 : Debug: Sending delayed reject for request 1
> Sending Access-Reject of id 100 to 10.12.60.19 port 50105
> Thu Nov  4 09:30:03 2010 : Debug: Waking up in 4.9 seconds.
> Thu Nov  4 09:30:08 2010 : Debug: Cleaning up request 1 ID 100 with 
> timestamp +239035
> Thu Nov  4 09:30:08 2010 : Debug: Ready to process requests.
>
> If you see here: Thu Nov  4 09:30:02 2010 : Debug: rlm_ldap: user 
> username authorized to use remote access
> my username is authorized to use, but in the last line appears failed to 
> validate the user ...
> Thu Nov  4 09:30:02 2010 : Debug: 
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Thu Nov  4 09:30:02 2010 : Debug: !!!    Replacing User-Password in 
> config items with Cleartext-Password.     !!!
> Thu Nov  4 09:30:02 2010 : Debug: 
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Thu Nov  4 09:30:02 2010 : Debug: !!! Please update your configuration 
> so that the "known good"               !!!
> Thu Nov  4 09:30:02 2010 : Debug: !!! clear text password is in 
> Cleartext-Password, and not in User-Password. !!!
> Thu Nov  4 09:30:02 2010 : Debug: 
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Thu Nov  4 09:30:02 2010 : Debug: auth: type Local
> Thu Nov  4 09:30:02 2010 : Debug: auth: user supplied User-Password 
> does NOT match local User-Password
> Thu Nov  4 09:30:02 2010 : Debug: auth: Failed to validate the user.
> Thu Nov  4 09:30:02 2010 : Auth: Login incorrect: 
> [username/c\355W'\021tC\372\177R\232(\007\027n\263] (from client any 
> port 1812)
> Thu Nov  4 09:30:02 2010 : Debug:   WARNING: Unprintable characters in 
> the password.       Double-check the shared secret on the server and 
> the NAS!
>
> Sorry Josip, I checked my clients.conf again but I still don't understand.
>
> Thanks again for your help.
>
>
>
> 2010/11/1 Josip Rodin <joy at entuzijast.net>
>
>     On Tue, Nov 02, 2010 at 07:30:23AM +1300, Peter Lambrechtsen wrote:
>     > It's probably since you didn't compile OpenLDAP and FreeRadius with
>     > OpenSSL support.
>     >
>     > So you will need to recompile OpenLDAP, Cyrus SASL, OpenLDAP and
>     > FreeRadius.
>
>     No, no, no, and no. <sigh>
>
>     If you want to read random debug messages, don't pick just any.
>
>     Yes, he doesn't have SSL support, but the log also says pretty
>     clearly:
>
>     > > Mon Nov  1 15:06:10 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
>
>     When the client does not use EAP, it's completely irrelevant that the
>     server doesn't have support for SSL-using EAP methods.
>
>     And there's clearly no reason to recompile even FR, let alone three
>     other different pieces of software. (For the former, just use
>     lenny-backports.)
>
>     The final error state is:
>
>     > > Mon Nov  1 15:06:10 2010 : Auth: Login incorrect:
>     > > [eduardo/1\320\026\305\020B)\323I\211????\001\nx\204] (from client
>     > > BrasilTelecom port 1812)
>     > > Mon Nov  1 15:06:10 2010 : Debug:   WARNING: Unprintable characters in the
>     > > password.    Double-check the shared secret on the server and the NAS!
>
>     So, have you double-checked the shared secret?
>
>     --
>         2. That which causes joy or happiness.
>
>
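
Added example, not part of the original message and not FreeRADIUS code: why the server prints "Unprintable characters in the password" when the two sides disagree on the shared secret. It implements the User-Password hiding from RFC 2865 section 5.2; the password "123456" and secret "password" are taken from the radtest command above, while the function names, the fixed authenticator and the mismatched secret "passw0rd" are constructed for illustration.

```python
import hashlib

def _keystream(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 section 5.2: b(i) = MD5(shared secret + previous 16 octets)
    return hashlib.md5(secret + prev).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: build the User-Password attribute value."""
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("need a 16-octet authenticator and <=128-octet password")
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs to 16n
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], _keystream(secret, prev))
        hidden += prev                              # c(i) seeds block i+1
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the secret from clients.conf."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, _keystream(secret, prev))
        prev = block
    return clear.rstrip(b"\x00")

def has_unprintable(data: bytes) -> bool:
    """True when the recovered password contains non-printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in data)

# Constructed sample values: fixed authenticator, and "passw0rd" as the
# deliberately different secret on the server side.
AUTHENTICATOR = bytes(range(16))
HIDDEN = hide_password(b"123456", b"password", AUTHENTICATOR)

if __name__ == "__main__":
    for server_secret in (b"password", b"passw0rd"):
        got = recover_password(HIDDEN, server_secret, AUTHENTICATOR)
        print(server_secret, "->", got, "unprintable:", has_unprintable(got))
```

With the matching secret the server recovers the typed password; with any other secret the XOR keystream differs and the result is 16 effectively random octets, which is what the escaped bytes in the "Login incorrect" line look like.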
