FR 3.0 with eDir
Hubert Kupper
kupper at uni-landau.de
Wed Dec 18 09:56:04 CET 2013
On 17.12.2013 17:06, Arran Cudbard-Bell wrote:
> On 17 Dec 2013, at 14:38, Olivier Beytrison <olivier at heliosnet.org> wrote:
>
>> On 17.12.2013 13:38, Hubert Kupper wrote:
>>> On 17.12.2013 12:22, Arran Cudbard-Bell wrote:
>>> rlm_ldap (ldap): Reserved connection (0)
>>> (1) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" ->
>>> '(cn=foo)'
>>> (1) ldap : expand: "o=org" -> 'o=org'
>>> (1) ldap : Performing search in 'o=org' with filter '(cn=foo)'
>>> (1) ldap : Waiting for search result...
>>> (1) ldap : User object found at DN "cn=foo,ou=test,o=org"
>>> (1) ERROR: ldap : Failed to retrieve eDirectory password: (80) Other
>>> (e.g., implementation specific) error
>>> rlm_ldap (ldap): Released connection (0)
>>> rlm_ldap (ldap): Opening additional connection (1)
>>> rlm_ldap (ldap): Connecting to 192.168.1.35:389
>> 389 ???? you're not using ldaps ? IIRC Novell doesn't allow the NMAS
>> Password retrieval over a non secure channel
>>
>> Try using a ldaps connection !
> Or enable start TLS.
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
Bingo. You are right. When I use ldaps, the ldap bind is now successful.
With FR 2.x on OpenSuse 12.3, both ldap and ldaps work.
By the way, now I get the following error:
server inner-tunnel {
(9) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix : No '@' in User-Name = "dumm", looking up realm NULL
(9) suffix : Found realm "NULL"
(9) suffix : Adding Stripped-User-Name = "dumm"
(9) suffix : Adding Realm = "NULL"
(9) suffix : Authentication realm is LOCAL
(9) [suffix] = ok
(9) update control {
(9) Proxy-To-Realm := 'LOCAL'
(9) } # update control = noop
(9) eap : EAP packet type response id 11 length 63
(9) eap : No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) [files] = noop
rlm_ldap (ldap): Reserved connection (2)
(9) ldap : expand: "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" ->
'(cn=dumm)'
(9) ldap : expand: "o=org" -> 'o=org'
(9) ldap : Performing search in 'o=org' with filter '(cn=dumm)'
(9) ldap : Waiting for search result...
(9) ldap : User object found at DN "cn=Dumm,ou=test1,ou=test,o=org"
(9) ldap : Added eDirectory password in check items as
Cleartext-Password = pwddummy
(9) ldap : Binding as user for eDirectory authorization checks
(9) ldap : Waiting for bind result...
(9) ldap : Bind successful
(9) ldap : Bind as user "cn=Dumm,ou=test1,ou=test,o=org" was successful
rlm_ldap (ldap): Released connection (2)
(9) [ldap] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) WARNING: pap : Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap : Expiring EAP session with state 0xa4e4c03ea4efda08
(9) eap : Finished EAP session with state 0xa4e4c03ea4efda08
(9) eap : Previous EAP request found for state 0xa4e4c03ea4efda08,
released from the list
(9) eap : Peer sent MSCHAPv2 (26)
(9) eap : EAP MSCHAPv2 (26)
(9) eap : Calling eap_mschapv2 to process EAP data
(9) eap_mschapv2 : # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(9) eap_mschapv2 : Auth-Type MS-CHAP {
(9) mschap : Creating challenge hash with username: dumm
(9) mschap : Client is using MS-CHAPv2 for dumm, we need NT-Password
(9) mschap : FAILED: MS-CHAP2-Response is incorrect
(9) [mschap] = reject
(9) } # Auth-Type MS-CHAP = reject
(9) eap : Freeing handler
(9) [eap] = reject
(9) } # authenticate = reject
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) Post-Auth-Type REJECT {
(9) ldap : expand: "." -> '.'
(9) ldap : expand: "Authenticated at %S" -> 'Authenticated at
2013-12-18 09:16:37'
rlm_ldap (ldap): Reserved connection (2)
(9) ldap : Using user DN from request "cn=Dumm,ou=test1,ou=test,o=org"
(9) ldap : Waiting for bind result...
(9) ldap : Bind successful
(9) ldap : Modifying object with DN "cn=Dumm,ou=test1,ou=test,o=org"
(9) ldap : Waiting for modify result...
rlm_ldap (ldap): Released connection (2)
(9) [ldap] = reject
(9) } # Post-Auth-Type REJECT = reject
} # server inner-tunnel
(9) eap_peap : Got tunneled reply code 3
MS-CHAP-Error = '\013E=691 R=1'
EAP-Message = 0x040b0004
Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap : Got tunneled reply RADIUS code 3
MS-CHAP-Error = '\013E=691 R=1'
EAP-Message = 0x040b0004
Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap : Tunneled authentication was rejected
(9) eap_peap : FAILURE
(9) eap : New EAP session, adding 'State' attribute to reply
0x4c9dbfee4591a60a
(9) [eap] = handled
(9) } # authenticate = handled
Sending Access-Challenge of id 121 from 139.14.1.56 port 1812 to
139.14.200.6 port 32770
EAP-Message =
0x010c002b1900170301002042ce42556a179e73d4a55cd52bbf954cb5b0bce96996e4442f472d1e5257185a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4c9dbfee4591a60a5d313de2c42289f5
(9) Finished request 9.
(10) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP
sub-module failed
Hubert
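As an added example (not from this thread and not the FreeRADIUS project's own configuration), here is the rlm_ldap fragment for FreeRADIUS 3.0's mods-available/ldap that corresponds to the two situations in the debug output above: the plain port-389 connection on which the eDirectory password fetch fails with error 80, and the LDAPS connection on which it succeeds. The hostname, the admin bind DN and password, and the CA file path are assumptions; the base DN and the search filter are the ones visible in the log.

```unlang
# mods-available/ldap  (FreeRADIUS 3.0) -- added example, not from the thread
ldap {
        server = 'ldap.example.org'      # assumed; the thread's server was 192.168.1.35
        identity = 'cn=radius,o=org'     # assumed admin DN used for the search bind
        password = 'changeme'            # placeholder
        base_dn = 'o=org'

        # Weak: plain LDAP on 389.  eDirectory refuses to hand out the
        # NMAS Universal Password over a cleartext channel, which is what
        # produces "Failed to retrieve eDirectory password: (80) Other
        # (e.g., implementation specific) error" in the log above.  Even
        # if it did, the user's cleartext password would cross the wire
        # unprotected.  Kept here only for comparison:
        #port = 389

        # Corrected: LDAPS on 636 (on 3.0 builds that accept URIs,
        # server = 'ldaps://ldap.example.org' is the equivalent).
        port = 636
        tls {
                # Alternative to LDAPS: keep port = 389 and set start_tls = yes
                start_tls = no
                ca_file = /etc/raddb/certs/edir-ca.pem   # assumed path to the eDirectory CA
                # Verify the server certificate.  'never' or 'allow' would
                # let anyone on the path impersonate the directory and
                # collect the passwords this module retrieves.
                require_cert = 'demand'
        }

        # eDirectory specifics: fetch the Universal Password into
        # Cleartext-Password ("Added eDirectory password in check items"),
        # which is what lets mschap derive the NT-Password it asks for.
        edir = yes
        # Then bind as the user for eDirectory's own login restrictions
        # ("Binding as user for eDirectory authorization checks").
        edir_autz = yes

        user {
                base_dn = "${..base_dn}"
                filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        pool {
                start = 1
                min = 1
                max = 5
                idle_timeout = 60
        }
}
```

Two practical notes. First, the cleartext password lands in the check items and is printed verbatim by radiusd -X (see the Cleartext-Password line in the log), so debug output from an eDirectory-backed server should be handled as sensitive and not pasted anywhere unredacted. Second, the TLS block is what makes the difference between the two runs, so when the (80) error reappears after an upgrade or a certificate rotation, check that the CA file still validates the directory's certificate before touching anything else.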