Check LDAP password with SHA512
Will W.
will at damagesinc.net
Tue Feb 2 21:45:55 CET 2016
It is the radiusd -X output of the radtest; here are the fail and success.
Success
Received Access-Accept Id 131 from 127.0.0.1:1812 to 0.0.0.0:0 via lo
length 20
[root at radius current]# radtest bind-user testing123 127.0.0.1:1812 0
testing123
shell-init: error retrieving current directory: getcwd: cannot access
parent directories: No such file or directory
Sent Access-Request Id 109 from 0.0.0.0:47510 to 127.0.0.1:1812 length 78
User-Name = "bind-user"
User-Password = "testing123"
(1) Received Access-Request Id 116 from 127.0.0.1:47073 to 127.0.0.1:1812
via lo length 78
(1) User-Name = "bind-user"
(1) User-Password = "testing123"
(1) NAS-IP-Address = 127.0.53.53
(1) NAS-Port = 0
(1) Message-Authenticator = 0x2d0e4248001ea3516c62b1cd7157e8ce
(1) Running section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(1) authorize {
rlm_ldap (ldap) - Closing connection (1): Hit idle_timeout, was idle for 73
seconds
rlm_ldap (ldap) - Closing connection (2): Hit idle_timeout, was idle for 72
seconds
rlm_ldap (ldap) - Closing connection (3): Hit idle_timeout, was idle for 72
seconds
rlm_ldap (ldap) - Closing connection (4): Hit idle_timeout, was idle for 72
seconds
rlm_ldap (ldap) - You probably need to lower "min"
rlm_ldap (ldap) - Closing connection (0): Hit idle_timeout, was idle for 69
seconds
rlm_ldap (ldap) - You probably need to lower "min"
rlm_ldap (ldap) - Closing connection (5): Hit idle_timeout, was idle for 68
seconds
rlm_ldap (ldap) - You probably need to lower "min"
(1) ldap - 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap) - Opening additional connection (6), 1 of 32 pending slots
used
rlm_ldap (ldap) - Connecting to ldaps://ldap.jumpcloud.com:636
TLS: error: the certificate '/usr/local/etc/raddb/certs/current/radius.crt'
could not be found in the database - error -5939:No more entries in the
directory.
TLS: certificate '/usr/local/etc/raddb/certs/current/radius.crt'
successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'E=noname at noname.com
,CN=radius,OU=fail,O=company,L=city,ST=CA,C=US'.
TLS: certificate [OU=Go Daddy Class 2 Certification Authority,O="The Go
Daddy Group, Inc.",C=US] is not valid - error -8172:Peer's certificate
issuer has been marked as not trusted by the user..
rlm_ldap (ldap) - Waiting for bind result...
rlm_ldap (ldap) - Bind successful
(1) ldap - Reserved connection (6)
(1) ldap - EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap - --> (uid=bind-user)
(1) ldap - Performing search in "ou=Users,dc=jumpcloud,dc=com" with
filter "(uid=bind-user)", scope "sub"
(1) ldap - Waiting for search result...
(1) ldap - User object found at DN
"uid=bind-user,ou=Users,dc=jumpcloud,dc=com"
(1) ldap - Processing user attributes
(1) ldap - &control:Password-With-Header +=
{CRYPT}$6$cbea6d7932dfa76b$YgORZH6XtDXmFEDrcBnX3Ao6JDxACy.BRMTNZ8DkF0idg3cM2D3gPEHRfA05f8dQx14o/4Fi575xXJ.2yDkDA/
(1) ldap - Released connection (6)
rlm_ldap (ldap) - Need 2 more connections to reach 10 spares
rlm_ldap (ldap) - Opening additional connection (7), 1 of 31 pending slots
used
rlm_ldap (ldap) - Connecting to ldaps://ldap.jumpcloud.com:636
TLS: error: the certificate '/usr/local/etc/raddb/certs/current/radius.crt'
could not be found in the database - error -5939:No more entries in the
directory.
TLS: certificate '/usr/local/etc/raddb/certs/current/radius.crt'
successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'E=noname at noname.com
,CN=radius,OU=fail,O=company,L=city,ST=CA,C=US'.
TLS: certificate [OU=Go Daddy Class 2 Certification Authority,O="The Go
Daddy Group, Inc.",C=US] is not valid - error -8172:Peer's certificate
issuer has been marked as not trusted by the user..
rlm_ldap (ldap) - Waiting for bind result...
rlm_ldap (ldap) - Bind successful
(1) ldap (updated)
(1) pap - Converted: Password-With-Header -> Crypt-Password
(1) pap - Removing &control:Password-With-Header
(1) pap (updated)
(1) } # authorize (updated)
(1) Using 'Auth-Type = PAP' for authenticate {...}
(1) Running Auth-Type PAP from file
/usr/local/etc/raddb/sites-enabled/default
(1) Auth-Type PAP {
(1) pap - Login attempt with password
(1) pap - Comparing with "known-good" Crypt-password
(1) pap - User authenticated successfully
(1) pap (ok)
(1) } # Auth-Type PAP (ok)
(1) Running section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
(1) post-auth {
(1) update {
(1) &reply: skipped: No values available
(1) } # update (noop)
(1) exec (noop)
(1) remove_reply_message_if_eap {
(1) if (&reply:EAP-Message && &reply:Reply-Message) {
(1) ...
(1) }
(1) else {
(1) noop (noop)
(1) } # else (noop)
(1) } # remove_reply_message_if_eap (noop)
(1) } # post-auth (noop)
(1) Sent Access-Accept Id 116 from 127.0.0.1:1812 to 127.0.0.1:47073 via
lo length 0
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 116 with timestamp +72
Ready to process requests
Fail
(0) Received Access-Request Id 65 from 127.0.0.1:39452 to 127.0.0.1:1812
via lo length 76
(0) User-Name = "user"
(0) User-Password = "testing123"
(0) NAS-IP-Address = 127.0.53.53
(0) NAS-Port = 0
(0) Message-Authenticator = 0x94179f0d815d4f3a96cf008f6d3bbcf9
(0) Running section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) ldap - Reserved connection (0)
(0) ldap - EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap - --> (uid=user)
(0) ldap - Performing search in "ou=Users,dc=myhost,dc=com" with
filter "(uid=user)", scope "sub"
(0) ldap - Waiting for search result...
(0) ldap - User object found at DN "uid=user,ou=Users,dc=myhost,dc=com"
(0) ldap - Processing user attributes
(0) ldap - WARNING: No "known good" password added. Set 'identity' to
the dn of an account that has permission to read the user's password
attribute
(0) ldap - Released connection (0)
rlm_ldap (ldap) - Need 5 more connections to reach 10 spares
rlm_ldap (ldap) - Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap) - Connecting to ldaps://ldap.myhost.com:636
TLS: error: the certificate '/usr/local/etc/raddb/certs/current/radius.crt'
could not be found in the database - error -5939:No more entries in the
directory.
TLS: certificate '/usr/local/etc/raddb/certs/current/radius.crt'
successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'E=noname at noname.com
,CN=radius,OU=fail,O=company,L=city,ST=CA,C=US'.
TLS: certificate [OU=Go Daddy Class 2 Certification Authority,O="The Go
Daddy Group, Inc.",C=US] is not valid - error -8172:Peer's certificate
issuer has been marked as not trusted by the user..
rlm_ldap (ldap) - Waiting for bind result...
rlm_ldap (ldap) - Bind successful
(0) ldap (ok)
(0) pap - WARNING: No "known good" password found for the user. Not
setting Auth-Type
(0) pap - WARNING: Authentication will fail unless a "known good"
password is available
(0) pap (noop)
(0) } # authorize (ok)
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Running Post-Auth-Type Reject from file
/usr/local/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject - EXPAND %{User-Name}
(0) attr_filter.access_reject - --> user
(0) attr_filter.access_reject - Matched entry DEFAULT at line 11
(0) attr_filter.access_reject (updated)
(0) eap (noop)
(0) remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) ...
(0) }
(0) else {
(0) noop (noop)
(0) } # else (noop)
(0) } # remove_reply_message_if_eap (noop)
(0) } # Post-Auth-Type REJECT (updated)
(0) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(0) - Sending delayed response
(0) - Sent Access-Reject Id 65 from 127.0.0.1:1812 to 127.0.0.1:39452 via
lo length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 65 with timestamp +4
Ready to process requests
On Tue, Feb 2, 2016 at 12:34 PM, Arran Cudbard-Bell <
a.cudbardb at freeradius.org> wrote:
> >
> > You need to provide the rest of the debug output up to the point where
> it sends an Access-Challenge.
>
> or reject
>
> -Arran
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
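The success trace above shows what rlm_pap does with the LDAP value: it strips the {CRYPT} header, turns Password-With-Header into Crypt-Password, and recomputes the SHA512-crypt hash of the supplied User-Password with the stored salt to compare. The failing trace never gets that far because the bind identity cannot read the user's password attribute, so there is nothing to compare against. The script below is an added example (not code from the thread or from FreeRADIUS) that reproduces that {CRYPT}$6$ check with only hashlib, so you can confirm from the shell that a hash pulled out of the directory really is a SHA512-crypt of the expected password before blaming the server. The function names are mine; the sample header value is the one printed in the success trace, which the log shows rlm_pap accepted against "testing123".

```python
import hashlib
import hmac

# Constructed sample copied from the success trace in the thread: the value the
# ldap module put into &control:Password-With-Header for "bind-user".
SAMPLE_HEADER_PASSWORD = (
    "{CRYPT}$6$cbea6d7932dfa76b$YgORZH6XtDXmFEDrcBnX3Ao6JDxACy.BRMTNZ8DkF0idg3cM2D3gPEHRfA05f8dQx14o/4Fi575xXJ.2yDkDA/"
)

# crypt(3) alphabet: 6-bit groups are emitted low bits first from each 24-bit word.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def parse_sha512_crypt(hash_str):
    """Split '$6$[rounds=N$]salt$digest' into (rounds or None, salt[:16], digest)."""
    if not hash_str.startswith("$6$"):
        raise ValueError("not a SHA512-crypt ($6$) hash")
    rest = hash_str[3:]
    rounds = None
    if rest.startswith("rounds="):
        rounds_field, _, rest = rest.partition("$")
        rounds = int(rounds_field[len("rounds="):])
    salt, _, digest = rest.partition("$")
    return rounds, salt[:16], digest


def _b64_24(b2, b1, b0, n):
    # Pack three bytes into 24 bits and emit n characters, low 6 bits first.
    w = (b2 << 16) | (b1 << 8) | b0
    chars = []
    for _ in range(n):
        chars.append(_ITOA64[w & 0x3F])
        w >>= 6
    return "".join(chars)


def sha512_crypt(password, salt, rounds=None):
    """SHA512-crypt as specified by Drepper (the '$6$' scheme glibc crypt(3) uses).

    rounds=None means the default 5000 and no 'rounds=' field in the output."""
    pw = password.encode()
    sl = salt[:16].encode()
    n = 5000 if rounds is None else max(1000, min(999_999_999, rounds))

    def sha(*parts):
        return hashlib.sha512(b"".join(parts)).digest()

    # Digest B = H(pw || salt || pw); digest A mixes pw, salt and B by length.
    digest_b = sha(pw, sl, pw)
    a = hashlib.sha512(pw + sl)
    a.update(digest_b * (len(pw) // 64) + digest_b[: len(pw) % 64])
    i = len(pw)
    while i > 0:  # one block per bit of len(pw), B for a 1-bit, pw for a 0-bit
        a.update(digest_b if i & 1 else pw)
        i >>= 1
    digest_a = a.digest()

    # P and S are length-matched byte strings derived from the password and salt.
    dp = sha(pw * len(pw))
    p = dp * (len(pw) // 64) + dp[: len(pw) % 64]
    ds = sha(sl * (16 + digest_a[0]))
    s = ds * (len(sl) // 64) + ds[: len(sl) % 64]

    # The expensive part: n rounds with the parity/3/7 mixing schedule.
    c = digest_a
    for r in range(n):
        ctx = hashlib.sha512()
        ctx.update(p if r & 1 else c)
        if r % 3:
            ctx.update(s)
        if r % 7:
            ctx.update(p)
        ctx.update(c if r & 1 else p)
        c = ctx.digest()

    # Encode 64 bytes in the permuted triple order used by the reference code.
    out = []
    for i in range(21):
        idx = [i, i + 21, i + 42]
        rot = i % 3
        b2, b1, b0 = idx[rot:] + idx[:rot]
        out.append(_b64_24(c[b2], c[b1], c[b0], 4))
    out.append(_b64_24(0, 0, c[63], 2))

    prefix = "$6$" + (f"rounds={n}$" if rounds is not None else "")
    return prefix + salt[:16] + "$" + "".join(out)


def verify_password_with_header(header_password, candidate):
    """What rlm_pap does for a {CRYPT} header: recompute with the stored salt and
    rounds, then compare in constant time. Only the $6$ scheme is handled here."""
    if not header_password.startswith("{CRYPT}"):
        raise ValueError("only {CRYPT} headers are handled in this example")
    stored = header_password[len("{CRYPT}"):]
    rounds, salt, _ = parse_sha512_crypt(stored)
    computed = sha512_crypt(candidate, salt, rounds)
    return hmac.compare_digest(computed.encode(), stored.encode())


if __name__ == "__main__":
    # Same check as the trace: User-Password "testing123" against the LDAP value.
    print(verify_password_with_header(SAMPLE_HEADER_PASSWORD, "testing123"))
```

Python's own crypt module would do the same comparison on Linux, but it was removed in Python 3.13, so this version depends only on hashlib. Note that the check is only possible because the ldap module could read userPassword for "bind-user"; in the failing run the "No known good password added" warning means the bind DN set in 'identity' lacks read access to that attribute, and no amount of hash handling on the RADIUS side will help until that ACL is fixed.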