Problem with freeradius and LDAP: crypt and MD5 password

Ana Gallardo Gómez anaougu at gmail.com
Fri Apr 10 12:37:45 CEST 2015


Hello!

Sorry for my English.

I'm working with FreeRADIUS Version 2.1.12.

Sorry to ask again about this, I have been looking for the solution, but I
can't resolve my problem.

I have an LDAP server with user passwords in crypt for PDI and PAS and in
MD5 for students.

The password in LDAP for a user is only available when you bind with
that user.

I can see here that you can get the authentication result from the bind
result

http://confluence.diamond.ac.uk/display/PAAUTH/Using+LDAP+as+authentication+source

Is this feature available in FreeRADIUS 2.1.12?

Meanwhile I try to bind with my user (PAS - crypt password in the
userPassword attribute in LDAP) and authenticate with a clear-text
password, but I can't authenticate...

My config:


# cat /etc/freeradius/sites-enabled/rinuex_email
server rinuex_email {
  authorize {
    suffix
    files
    ldapemail
    pap
  }

  authenticate {
    Auth-Type PAP {
      pap
    }
  }

  post-auth {
    sql_log

    Post-Auth-Type REJECT {
      sql_log
    }
  }
}

# cat /etc/freeradius/modules-enabled/ldap
ldap ldapemail {

  server = "ldap.unex.es"
  identity = "uid=aigallardo,ou=people,dc=unex,dc=es"
  password = "XXXX"
  basedn = "ou=people,dc=unex,dc=es"
  filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

  password_attribute = userPassword

  ldap_connections_number = 5
  timeout = 4
  timelimit = 3
  net_timeout = 1

  tls {
    start_tls = no
  }

#  dictionary_mapping = ${confdir}/ldap.attrmap.email

  edir_account_policy_check = no
  set_auth_type = yes
}

My log:

rad_recv: Access-Request packet from host 158.49.245.14 port 50406, id=16, length=62
    User-Name = "aigallardo at unex.es"
    Vendor-Specific = 0x00000000020a3035303837372b2b
    NAS-IP-Address = 158.49.245.14
Fri Apr 10 11:37:38 2015 : Info: server rinuex_email {
Fri Apr 10 11:37:38 2015 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/rinuex_email
Fri Apr 10 11:37:38 2015 : Info: +- entering group authorize {...}
Fri Apr 10 11:37:38 2015 : Info: [suffix] Looking up realm "unex.es" for User-Name = "aigallardo at unex.es"
Fri Apr 10 11:37:38 2015 : Info: [suffix] Found realm "unex.es"
Fri Apr 10 11:37:38 2015 : Info: [suffix] Adding Stripped-User-Name = "aigallardo"
Fri Apr 10 11:37:38 2015 : Info: [suffix] Adding Realm = "unex.es"
Fri Apr 10 11:37:38 2015 : Info: [suffix] Authentication realm is LOCAL.
Fri Apr 10 11:37:38 2015 : Info: ++[suffix] returns ok
Fri Apr 10 11:37:38 2015 : Info: [files] users: Matched entry DEFAULT at line 42
Fri Apr 10 11:37:38 2015 : Info: ++[files] returns ok
Fri Apr 10 11:37:38 2015 : Info: [ldapemail] performing user authorization for aigallardo
Fri Apr 10 11:37:38 2015 : Info: [ldapemail]     expand: %{Stripped-User-Name} -> aigallardo
Fri Apr 10 11:37:38 2015 : Info: [ldapemail]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=aigallardo)
Fri Apr 10 11:37:38 2015 : Info: [ldapemail]     expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
Fri Apr 10 11:37:38 2015 : Debug:   [ldapemail] ldap_get_conn: Checking Id: 0
Fri Apr 10 11:37:38 2015 : Debug:   [ldapemail] ldap_get_conn: Got Id: 0
Fri Apr 10 11:37:38 2015 : Debug:   [ldapemail] attempting LDAP reconnection
Fri Apr 10 11:37:38 2015 : Debug:   [ldapemail] (re)connect to ldap.unex.es:389, authentication 0
Fri Apr 10 11:37:38 2015 : Debug:   [ldapemail] bind as uid=aigallardo,ou=people,dc=unex,dc=es/XXXX to ldap.unex.es:389
Fri Apr 10 11:37:38 2015 : Debug:   [ldapemail] waiting for bind result ...
Fri Apr 10 11:37:38 2015 : Debug:   [ldapemail] Bind was successful
Fri Apr 10 11:37:38 2015 : Debug:   [ldapemail] performing search in ou=people,dc=unex,dc=es, with filter (uid=aigallardo)
Fri Apr 10 11:37:38 2015 : Info: [ldapemail] Added User-Password = {crypt}XXXXXXXXXXXX in check items
Fri Apr 10 11:37:38 2015 : Info: [ldapemail] No default NMAS login sequence
Fri Apr 10 11:37:38 2015 : Info: [ldapemail] looking for check items in directory...
Fri Apr 10 11:37:38 2015 : Info: [ldapemail] looking for reply items in directory...
Fri Apr 10 11:37:38 2015 : Debug:   [ldapemail] sn -> Nombre-Completo = "gallardo gomez"
Fri Apr 10 11:37:38 2015 : Info: [ldapemail] user aigallardo authorized to use remote access
Fri Apr 10 11:37:38 2015 : Debug:   [ldapemail] ldap_release_conn: Release Id: 0
Fri Apr 10 11:37:38 2015 : Info: ++[ldapemail] returns ok
Fri Apr 10 11:37:38 2015 : Info: [pap] No clear-text password in the request.  Not performing PAP.
Fri Apr 10 11:37:38 2015 : Info: ++[pap] returns noop
Fri Apr 10 11:37:38 2015 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Fri Apr 10 11:37:38 2015 : Info: !!!    Replacing User-Password in config items with Cleartext-Password.     !!!
Fri Apr 10 11:37:38 2015 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Fri Apr 10 11:37:38 2015 : Info: !!! Please update your configuration so that the "known good"               !!!
Fri Apr 10 11:37:38 2015 : Info: !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Fri Apr 10 11:37:38 2015 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Fri Apr 10 11:37:38 2015 : Info: WARNING: Please update your configuration, and remove 'Auth-Type = Local'
Fri Apr 10 11:37:38 2015 : Info: WARNING: Use the PAP or CHAP modules instead.
Fri Apr 10 11:37:38 2015 : Info: No User-Password or CHAP-Password attribute in the request.
Fri Apr 10 11:37:38 2015 : Info: Cannot perform authentication.
Fri Apr 10 11:37:38 2015 : Info: Failed to authenticate the user.
Fri Apr 10 11:37:38 2015 : Info: } # server rinuex_email
Fri Apr 10 11:37:38 2015 : Info: Using Post-Auth-Type Reject


I would like to authenticate my users with clear-text passwords and with EAP
(TTLS+PAP).

What do you think is the best option in my case?


Thank you very much in advance.

-- 
::::::::::::::::::::::::::::::::::::
:: Ana Gallardo Gómez ::
::::::::::::::::::::::::::::::::::::
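Added example (editor's code, not part of Ana's post or of FreeRADIUS): the debug log above ends with "No User-Password or CHAP-Password attribute in the request" because the Access-Request shown carries only User-Name, Vendor-Specific and NAS-IP-Address. This Python script rebuilds that packet from the logged attributes (the request authenticator is made up) and applies the same check, so you can see why pap has nothing to compare against the {crypt} hash fetched from LDAP.

```python
"""Decode a RADIUS Access-Request (RFC 2865 wire format) and report which
password attribute it carries, mirroring the check behind "No User-Password
or CHAP-Password attribute in the request" in the log above.  The sample
packet is constructed from the attributes the posted log shows."""
import struct

ACCESS_REQUEST = 1
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
              4: "NAS-IP-Address", 26: "Vendor-Specific"}

def build_packet(code, ident, authenticator, attrs):
    """attrs is a list of (type, value_bytes); returns the wire-format packet."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, id, authenticator, [(type, value), ...]); a bad length
    field raises instead of reading past the buffer."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        t, l = data[pos], data[pos + 1]
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs

def password_method(attrs):
    """'pap' if User-Password is present, 'chap' if CHAP-Password is, else None
    (the server then has nothing to compare against the LDAP hash)."""
    types = {t for t, _ in attrs}
    return "pap" if 2 in types else "chap" if 3 in types else None

# Constructed from the posted log (id=16, length=62).  The archive shows the
# User-Name as "aigallardo at unex.es"; only "@" gives the logged length 62.
SAMPLE_AUTHENTICATOR = bytes(range(16))  # made-up 16-byte request authenticator
SAMPLE_ATTRS = [
    (1, b"aigallardo@unex.es"),
    (26, bytes.fromhex("00000000020a3035303837372b2b")),
    (4, bytes([158, 49, 245, 14])),
]
SAMPLE_PACKET = build_packet(ACCESS_REQUEST, 16, SAMPLE_AUTHENTICATOR, SAMPLE_ATTRS)

if __name__ == "__main__":
    _, ident, _, attrs = parse_packet(SAMPLE_PACKET)
    for t, v in attrs:
        print(f"{ATTR_NAMES.get(t, t)} = {v!r}")
    print("usable method:", password_method(attrs))  # None: cannot authenticate
```

Adding a User-Password attribute (type 2) to the same attribute list makes `password_method` return "pap", which is the condition the posted configuration needs before the pap module will check the {crypt} or {MD5} value pulled from userPassword.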

