are there any characters not allowed in a password used with LDAP "bind as user"?

mark.leese at stfc.ac.uk
Thu Oct 21 21:52:21 CEST 2010


Hi,

For a couple of years I've been successfully using FreeRADIUS to
authenticate some users against Active Directory using cleartext
passwords, a Perl script to do some department checking, and a simple
LDAP "bind as user".

I've now got at least one user who fails authentication, and I'm
wondering if the problem is a backslash in their password. The password
is...
w[)xg=\7k2

I can use the same username and password to successfully LDAP bind to AD
using a tool like ldapsearch from my Linux based RADIUS server, but
using RADIUS itself fails.

If it helps here's the -X debug trace:

    Wed Oct 20 15:36:19 2010 : Debug: Ready to process requests.
    rad_recv: Access-Request packet from host 172.16.80.3 port 20002,
id=9, length=135
            User-Name = "bill"
            Calling-Station-Id = "00-24-D7-40-8C-8C"
            Called-Station-Id = "00-0B-0E-DE-AB-80"
            NAS-Port = 52340
            NAS-Port-Type = Wireless-802.11
            NAS-IP-Address = 172.16.80.3
            User-Password = "w[)xg=\\7k2"
    Wed Oct 20 15:39:10 2010 : Info: +- entering group authorize {...}
    Wed Oct 20 15:39:10 2010 : Info: ++[preprocess] returns ok
    Wed Oct 20 15:39:10 2010 : Info: [auth_log]     expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/172.16.80.3/auth-detail-20101020
    Wed Oct 20 15:39:10 2010 : Info: [auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/172.16.80.3/auth-detail-20101020
    Wed Oct 20 15:39:10 2010 : Info: [auth_log]     expand: %t -> Wed
Oct 20 15:39:10 2010
    Wed Oct 20 15:39:10 2010 : Info: ++[auth_log] returns ok
    Wed Oct 20 15:39:10 2010 : Info: [ldap] performing user
authorization for bill
    Wed Oct 20 15:39:10 2010 : Info: [ldap] WARNING: Deprecated
conditional expansion ":-".  See "man unlang" for details
    Wed Oct 20 15:39:10 2010 : Info: [ldap]         expand:
(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) ->
(sAMAccountName=bill)
    Wed Oct 20 15:39:10 2010 : Info: [ldap]         expand:
dc=fed,dc=foo,dc=ac,dc=uk -> dc=fed,dc=foo,dc=ac,dc=uk
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_get_conn: Checking
Id: 0
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: attempting LDAP
reconnection
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: (re)connect to
logonserv.fed.foo.ac.uk:389, authentication 0
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: bind as / to
logonserv.fed.foo.ac.uk:389
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: waiting for bind result
...
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: Bind was successful
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: performing search in
dc=fed,dc=foo,dc=ac,dc=uk, with filter (sAMAccountName=bill)
    Wed Oct 20 15:39:10 2010 : Info: [ldap] looking for check items in
directory...
    Wed Oct 20 15:39:10 2010 : Info: [ldap] looking for reply items in
directory...
    Wed Oct 20 15:39:10 2010 : Debug: WARNING: No "known good" password
was found in LDAP.  Are you sure that the user is configured correctly?
    Wed Oct 20 15:39:10 2010 : Info: [ldap] Setting Auth-Type = LDAP
    Wed Oct 20 15:39:10 2010 : Info: [ldap] user bill authorized to use
remote access
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: ldap_release_conn:
Release Id: 0
    Wed Oct 20 15:39:10 2010 : Info: ++[ldap] returns ok
    Wed Oct 20 15:39:10 2010 : Info: ++[expiration] returns noop
    Wed Oct 20 15:39:10 2010 : Info: ++[logintime] returns noop
    Wed Oct 20 15:39:10 2010 : Info: [pap] WARNING! No "known good"
password found for the user.  Authentication may fail because of this.
    Wed Oct 20 15:39:10 2010 : Info: ++[pap] returns noop
    Wed Oct 20 15:39:10 2010 : Info: ++? if (control:Auth-Type == LDAP)
    Wed Oct 20 15:39:10 2010 : Info: ? Evaluating (control:Auth-Type ==
LDAP) -> TRUE
    Wed Oct 20 15:39:10 2010 : Info: ++? if (control:Auth-Type == LDAP)
-> TRUE
    Wed Oct 20 15:39:10 2010 : Info: ++- entering if (control:Auth-Type
== LDAP) {...}
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-Port-Type
= Wireless-802.11
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair
Called-Station-Id = 00-0B-0E-DE-AB-80
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair
Calling-Station-Id = 00-24-D7-40-8C-8C
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair User-Name =
bill
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair
NAS-Identifier = Trapeze
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair User-Password
= w[)xg=\\7k2
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair NAS-Port =
52340
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair
NAS-IP-Address = 172.16.80.3
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Auth-Type =
LDAP
    Wed Oct 20 15:39:10 2010 : Debug: rlm_perl: Added pair Ldap-UserDn =
CN=bill,OU=Facility Users,OU=FBU,DC=fed,DC=foo,DC=ac,DC=uk
    Wed Oct 20 15:39:10 2010 : Info: +++[perl] returns noop
    Wed Oct 20 15:39:10 2010 : Info: ++- if (control:Auth-Type == LDAP)
returns noop
    Wed Oct 20 15:39:10 2010 : Info: Found Auth-Type = LDAP
    Wed Oct 20 15:39:10 2010 : Info: +- entering group LDAP {...}
    Wed Oct 20 15:39:10 2010 : Info: [ldap] login attempt by "bill" with
password "w[)xg=\\7k2"
    Wed Oct 20 15:39:10 2010 : Info: [ldap] user DN: CN=bill,OU=Facility
Users,OU=FBU,DC=fed,DC=foo,DC=ac,DC=uk
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: (re)connect to
logonserv.fed.foo.ac.uk:389, authentication 1
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: bind as
CN=bill,OU=Facility Users,OU=FBU,DC=fed,DC=foo,DC=ac,DC=uk/w[)xg=\\7k2
to logonserv.fed.foo.ac.uk:389
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: waiting for bind result
...
    Wed Oct 20 15:39:10 2010 : Debug: rlm_ldap: Bind failed with invalid
credentials
    Wed Oct 20 15:39:10 2010 : Info: ++[ldap] returns reject
    Wed Oct 20 15:39:10 2010 : Info: Failed to authenticate the user.
    Wed Oct 20 15:39:10 2010 : Auth: Login incorrect (rlm_ldap: Bind as
user failed): [bill] (from client wireless-2 port 52340 cli
00-24-D7-40-8C-8C)
    Wed Oct 20 15:39:10 2010 : Info: Using Post-Auth-Type Reject


I don't know whether the problem lies with me (for allowing a backslash
in the password in the first place), the NAS for appearing to 'escape'
the backslash (with a backslash), or the way I've configured FreeRADIUS.
Can anyone give me any pointers?

Thanks in advance of any advice,

Cheers,

Mark.

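The first thing to settle in a case like the one above is what bytes the password actually carries once it leaves the NAS, independently of how a debug printer chooses to display it. The script below is an added example, not code from Mark's post or from the FreeRADIUS project. It implements the User-Password obfuscation from RFC 2865 section 5.2 (MD5 of the shared secret and the previous block, XORed over 16-byte chunks) so that a captured Access-Request can be decoded offline, and a C-style escaper that renders a string with backslashes doubled, which is the assumed reason the trace shows `\\` for a password that contains one backslash. The shared secret and Request Authenticator are constructed placeholders; on a real capture they come from clients.conf and from the packet header respectively.

```python
# Added example (not from the post or the FreeRADIUS project): RFC 2865
# User-Password obfuscation plus a C-style debug escaper, used to check
# what bytes a backslash-containing PAP password actually carries.
import hashlib

# The password from the post. In a Python literal a lone backslash must be
# doubled; the bytes object holds exactly ONE backslash (len == 10).
PASSWORD = b"w[)xg=\\7k2"

# Constructed shared secret and Request Authenticator (assumptions); real
# values come from clients.conf and from the Access-Request header.
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))


def user_password_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a PAP password as RFC 2865 section 5.2 describes: pad to a
    multiple of 16 with NULs, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def user_password_decode(obfuscated: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse user_password_encode. Trailing NUL padding is stripped, which
    is why a NUL can never be part of a PAP password."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not obfuscated or len(obfuscated) % 16:
        raise ValueError("obfuscated User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(obfuscated), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = obfuscated[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def debug_escape(value: bytes) -> str:
    """Render a string the way a C-style debug printer that escapes backslash
    and double quote would. Assumption: this is how a password holding one
    backslash ends up displayed with two."""
    out = []
    for ch in value.decode("latin-1"):
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif not (" " <= ch <= "~"):
            out.append("\\%03o" % ord(ch))
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def check_password_bytes(password: bytes = PASSWORD, secret: bytes = SECRET,
                         authenticator: bytes = AUTHENTICATOR) -> dict:
    """Round-trip the password through the RADIUS obfuscation and report
    what a troubleshooter wants to know: whether the bytes survive intact,
    how many backslashes they hold, and how a debug printer would show them."""
    wire = user_password_encode(password, secret, authenticator)
    recovered = user_password_decode(wire, secret, authenticator)
    return {
        "roundtrip_ok": recovered == password,
        "backslash_count": recovered.count(b"\\"),
        "debug_rendering": debug_escape(recovered),
        "wire_hex": wire.hex(),
    }


if __name__ == "__main__":
    for key, val in check_password_bytes().items():
        print(f"{key}: {val}")
```

To apply this to a live problem, take the User-Password attribute value (type 2) and the 16-byte Request Authenticator from a captured Access-Request, feed them to `user_password_decode` with the client's shared secret, and count the backslashes in the result. One backslash means the NAS sent the password unchanged and the doubled backslash in the trace is only display escaping; two means the NAS really did escape it. On the LDAP side, a simple bind carries the password as a BER OCTET STRING, so no byte is forbidden by the protocol itself; the `ldapsearch` success reported above is consistent with that.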



