LDAP + CHAP

Adam Seed adamjseed at gmail.com
Tue Mar 4 20:59:14 CET 2014


Replaced with v3.0.x branch, getting a slightly different error. I'm 100% sure
the passwords line up.

rad_recv: Access-Request packet from host 10.x.x.100 port 61392, id=49,
length=50
        User-Name = 'adamjseed'
        CHAP-Password = 0x79c646622409adfd85b69f1f58428f0658
(2) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(2)   authorize {
(2)   filter_username filter_username {
(2)    ? if (!User-Name)
(2)    ? if (!User-Name)  -> FALSE
(2)    ? if (User-Name != "%{tolower:%{User-Name}}")
(2)     expand: "%{tolower:%{User-Name}}" -> 'adamjseed'
(2)    ? if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(2)    ? if (User-Name =~ / /)
(2)    ? if (User-Name =~ / /)  -> FALSE
(2)    ? if (User-Name =~ /@.*@/ )
(2)    ? if (User-Name =~ /@.*@/ )  -> FALSE
(2)    ? if (User-Name =~ /\\.\\./ )
(2)    ? if (User-Name =~ /\\.\\./ )  -> FALSE
(2)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(2)    ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   ->
FALSE
(2)    ? if (User-Name =~ /\\.$/)
(2)    ? if (User-Name =~ /\\.$/)   -> FALSE
(2)    ? if (User-Name =~ /@\\./)
(2)    ? if (User-Name =~ /@\\./)   -> FALSE
(2)   } # filter_username filter_username = notfound
(2)   [preprocess] = ok
(2) chap : Setting 'Auth-Type := CHAP'
(2)   [chap] = ok
(2)   [mschap] = noop
(2)   [digest] = noop
(2) suffix : No '@' in User-Name = "adamjseed", looking up realm NULL
(2) suffix : No such realm "NULL"
(2)   [suffix] = noop
(2) eap : No EAP-Message, not doing EAP
(2)   [eap] = noop
(2)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(2) ldap :      expand: "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ->
'(uid=adamjseed)'
(2) ldap :      expand: "dc=example,dc=com" -> 'dc=example,dc=com'
(2) ldap : Performing search in 'dc=example,dc=com' with filter
'(uid=adamjseed)', scope 'sub'
(2) ldap : Waiting for search result...
(2) ldap : User object found at DN "cn=adamjseed,ou=users,dc=example,dc=com"
(2) ldap : Processing user attributes
(2) ldap :      control:Password-With-Header += 'Password01'
rlm_ldap (ldap): Released connection (4)
rlm_ldap (ldap): Closing connection (0): Too many free connections (5 > 3)
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 118
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 118
seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 118
seconds
(2)   [-ldap] = ok
(2)   [expiration] = noop
(2)   [logintime] = noop
(2) pap : No {...} in Password-With-Header, re-writing to Cleartext-Password
(2) WARNING: pap : Auth-Type already set.  Not setting to PAP
(2)   [pap] = noop
(2)  } #  authorize = ok
(2) Found Auth-Type = CHAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2)  Auth-Type CHAP {
(2) chap : Login attempt by "adamjseed" with CHAP password
(2) chap : Comparing with "known good" Cleartext-Password
(2) ERROR: chap : Password is comparison failed: password is incorrect
(2)   [chap] = reject
(2)  } # Auth-Type CHAP = reject
(2) Failed to authenticate the user.
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2)  Post-Auth-Type REJECT {
(2) attr_filter.access_reject :         expand: "%{User-Name}" ->
'adamjseed'
(2) attr_filter.access_reject : Matched entry DEFAULT at line 11
(2)   [attr_filter.access_reject] = updated
(2) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(2)   [eap] = noop
(2)   remove_reply_message_if_eap remove_reply_message_if_eap {
(2)    ? if (reply:EAP-Message && reply:Reply-Message)
(2)    ? if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(2)    else else {
(2)     [noop] = noop
(2)    } # else else = noop
(2)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(2)  } # Post-Auth-Type REJECT = updated
(2) Delaying reject of request 2 for 1 seconds
Waking up in 0.3 seconds.



On Tue, Mar 4, 2014 at 6:03 PM, Alan DeKok <aland at deployingradius.com> wrote:

> Adam Seed wrote:
> > I just tried this on radiusd: FreeRADIUS Version 3.1.0 (git #b2d5a45),
>
>   Please use the v3.0.x branch from git.  I've pushed a fix.
>
>   The "master" branch is under heavy development, and may not always
> work correctly.
>
>   Alan DeKok.
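The comparison that the chap module reports as failing in the debug output above can be reproduced offline. This is an added example, not code from this thread or from FreeRADIUS. It assumes the CHAP definition in RFC 2865 section 5.3 (MD5 over ident, cleartext password and challenge); the function names are hypothetical, and the Request Authenticator and the `{clear}`-prefixed value are constructed, since the log prints neither.

```python
import hashlib
import hmac

# CHAP-Password exactly as logged in the Access-Request above.
LOGGED_CHAP_PASSWORD = bytes.fromhex("79c646622409adfd85b69f1f58428f0658")
# Constructed 16-octet Request Authenticator (the debug output does not print the real one).
SAMPLE_AUTHENTICATOR = bytes(range(16))

def split_chap_password(attr):
    """Return (CHAP ident, 16-octet MD5 response) from a CHAP-Password value."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 17 octets, got %d" % len(attr))
    return attr[0], attr[1:]

def unaccounted_octets(packet_len, user_name):
    """Octets left after the 20-octet header, User-Name and CHAP-Password.
    Zero means no CHAP-Challenge attribute was sent, so the challenge is
    the Request Authenticator (RFC 2865, section 5.3)."""
    return packet_len - 20 - (2 + len(user_name)) - (2 + 17)

def expected_response(ident, cleartext, challenge):
    """MD5(ident || cleartext password || challenge), as defined for CHAP."""
    return hashlib.md5(bytes([ident]) + cleartext + challenge).digest()

def check_chap(attr, cleartext, challenge):
    """Compare the client's response with one computed from the stored password."""
    ident, response = split_chap_password(attr)
    return hmac.compare_digest(response, expected_response(ident, cleartext, challenge))

if __name__ == "__main__":
    ident, _ = split_chap_password(LOGGED_CHAP_PASSWORD)
    print("ident from log: 0x%02x" % ident)
    print("octets unaccounted for in the 50-octet packet:",
          unaccounted_octets(50, "adamjseed"))
    # Constructed client response for the password shown in the LDAP step.
    attr = bytes([ident]) + expected_response(ident, b"Password01", SAMPLE_AUTHENTICATOR)
    # Exact cleartext matches; a case change or an unstripped header does not.
    for stored in (b"Password01", b"password01", b"{clear}Password01"):
        print(stored, "->", check_chap(attr, stored, SAMPLE_AUTHENTICATOR))
```

The server can only compute the expected response from the exact cleartext, so any difference between the bytes the client hashed and the value handed to the comparison produces the same "password is incorrect" result.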