LDAP + CHAP
Adam Seed
adamjseed at gmail.com
Tue Mar 4 17:39:08 CET 2014
Hi,
I just tried this on radiusd: FreeRADIUS Version 3.1.0 (git #b2d5a45), for host x86_64-unknown-linux-gnu, built on Mar 4 2014 at 11:31:20
but I am hitting the same error:
rad_recv: Access-Request packet from host 10.x.x.100 port 65050, id=45, length=50
User-Name = 'adamjseed'
CHAP-Password = 0x64173a8adfdfb68e273ea9add77fa0e984
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) ? if (!User-Name)
(2) ? if (!User-Name) -> FALSE
(2) ? if (User-Name != "%{tolower:%{User-Name}}")
(2) expand: "%{tolower:%{User-Name}}" -> 'adamjseed'
(2) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) ? if (User-Name =~ / /)
(2) ? if (User-Name =~ / /) -> FALSE
(2) ? if (User-Name =~ /@.*@/ )
(2) ? if (User-Name =~ /@.*@/ ) -> FALSE
(2) ? if (User-Name =~ /\\.\\./ )
(2) ? if (User-Name =~ /\\.\\./ ) -> FALSE
(2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(2) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(2) ? if (User-Name =~ /\\.$/)
(2) ? if (User-Name =~ /\\.$/) -> FALSE
(2) ? if (User-Name =~ /@\\./)
(2) ? if (User-Name =~ /@\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) chap : Setting 'Auth-Type := CHAP'
(2) [chap] = ok
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : No '@' in User-Name = "adamjseed", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) eap : No EAP-Message, not doing EAP
(2) [eap] = noop
(2) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(2) ldap : expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" -> '(uid=adamjseed)'
(2) ldap : expand: "dc=example,dc=com" -> 'dc=example,dc=com'
(2) ldap : Performing search in 'dc=example,dc=com' with filter '(uid=adamjseed)', scope 'sub'
(2) ldap : Waiting for search result...
(2) ldap : User object found at DN "cn=adamjseed,ou=users,dc=example,dc=com"
(2) ldap : Processing user attributes
(2) ldap : control:Password-With-Header += 'Password01'
rlm_ldap (ldap): Released connection (4)
(2) [-ldap] = ok
(2) [expiration] = noop
(2) [logintime] = noop
(2) WARNING: pap : Auth-Type already set. Not setting to PAP
(2) [pap] = noop
(2) } # authorize = ok
(2) Found Auth-Type = CHAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Auth-Type CHAP {
(2) chap : Login attempt by "adamjseed" with CHAP password
(2) ERROR: chap : Cleartext password is required for authentication
(2) [chap] = invalid
(2) } # Auth-Type CHAP = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Post-Auth-Type REJECT {
(2) attr_filter.access_reject : expand: "%{User-Name}" -> 'adamjseed'
(2) attr_filter.access_reject : Matched entry DEFAULT at line 11
(2) [attr_filter.access_reject] = updated
(2) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(2) [eap] = noop
(2) remove_reply_message_if_eap remove_reply_message_if_eap {
(2) ? if (reply:EAP-Message && reply:Reply-Message)
(2) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(2) else else {
(2) [noop] = noop
(2) } # else else = noop
(2) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(2) } # Post-Auth-Type REJECT = update
On Mon, Mar 3, 2014 at 10:01 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
> On 3 Mar 2014, at 20:15, Adam Seed <adamjseed at gmail.com> wrote:
>
> > Finally got that working - Thanks Alan. Are there any plans to put this assumption in version 3?
>
> Done.
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
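
Why the chap module in the log above needs a cleartext password: the server has to recompute the CHAP response itself, and the response is an MD5 over the password. This is an added example, not part of the original thread and not FreeRADIUS code; the function names are hypothetical, and the password and challenge are constructed sample values.

```python
import hashlib
import hmac

def split_chap_password(attr: bytes):
    """RFC 2865 CHAP-Password: 1 octet CHAP ident + 16 octet response."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be exactly 17 octets")
    return attr[0], attr[1:]

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_chap(attr: bytes, challenge: bytes, known_good: bytes) -> bool:
    """Recompute the response from the server-side credential and compare.

    In RADIUS the challenge is the CHAP-Challenge attribute or, if that is
    absent, the Request Authenticator (RFC 2865).
    """
    ident, response = split_chap_password(attr)
    expected = chap_response(ident, known_good, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"constructed-password"   # constructed sample value
    challenge = bytes(range(16))         # constructed, fixed for repeatability
    ident = 0x64                         # same ident octet as the log's CHAP-Password
    attr = bytes([ident]) + chap_response(ident, password, challenge)

    # Assumption for illustration: the directory stores only a SHA-1 digest.
    stored_hash = hashlib.sha1(password).digest()

    return {
        # The server holds the cleartext: the response can be recomputed.
        "cleartext": verify_chap(attr, challenge, password),
        # The server holds only a hash: MD5(ident || hash || challenge)
        # never matches, so CHAP cannot be verified from a hashed password.
        "hashed": verify_chap(attr, challenge, stored_hash),
    }

if __name__ == "__main__":
    print(demo())
```

The challenge for the request in the log is not shown on the page, so the logged CHAP-Password can only be split into ident and response here, not verified.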