When using DOUBLE_QUOTED_STRING, passwords with '\"' may not work

g4-lisz at tonarchiv.ch
Tue Sep 12 06:48:47 UTC 2023


I think everyone lost track.

As Alain said, it's exactly like in the Shell etc.

If the UNESCAPED password is pass\\"word at 2022, the escaped password should be pass\\\\\"word at 2022 (5 backslashes).
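The double-quoted string rules quoted further down in this thread, worked through in code (an added example, not FreeRADIUS code and not the poster's): it escapes a raw bind password for a `password = "..."` line, decodes such a value back, and applies the count-the-backslashes rule. The sample passwords are constructed after the thread's pass\"word@2022 (the list archive renders the '@' as ' at '); `ParseError` and the function names are my own.

```python
"""Model of the double-quoted string rules discussed in this thread.

Added example, not FreeRADIUS code. Sample values are constructed after the
thread's password (the list archive renders its '@' as ' at ').
"""


class ParseError(ValueError):
    """Raised where the real config parser would reject the value."""


def escape_for_double_quotes(raw: str) -> str:
    r"""Produce the text that goes between the quotes for a raw secret.

    Rules from the thread: \ becomes \\ and " becomes \". Backslashes are
    handled first so the one added in front of a quote is not doubled again.
    """
    return raw.replace("\\", "\\\\").replace('"', '\\"')


def parse_double_quoted(text: str) -> tuple[str, str]:
    r"""Decode a double-quoted value; return (decoded, text after the closing quote).

    Inside the quotes \" yields " and \\ yields \; any other backslash pair is
    kept as written (the real parser knows further escapes that do not matter
    here). The first unescaped quote closes the string, which is why an even
    number of backslashes before an inner quote is a parse error: the string
    ends early and the rest of the line is left over.
    """
    if not text.startswith('"'):
        raise ParseError("value does not start with a double quote")
    out = []
    i = 1
    while i < len(text):
        c = text[i]
        if c == "\\":
            if i + 1 >= len(text):
                raise ParseError("backslash at end of input")
            nxt = text[i + 1]
            out.append(nxt if nxt in ('"', "\\") else c + nxt)
            i += 2
            continue
        if c == '"':
            return "".join(out), text[i + 1:]
        out.append(c)
        i += 1
    raise ParseError("missing closing double quote")


def parse_config_value(text: str) -> str:
    """Decode a full right-hand side; anything after the closing quote is an error."""
    value, rest = parse_double_quoted(text)
    if rest.strip():
        raise ParseError(f"unexpected text after closing quote: {rest!r}")
    return value


def even_backslash_quotes(literal: str) -> list[int]:
    """Apply the counting rule to the text between the quotes.

    For every " count the backslashes directly in front of it. Returns the
    offsets of quotes with an even count (zero included): each of those would
    terminate the string, i.e. a parse error. Odd counts are fine.
    """
    bad = []
    for i, c in enumerate(literal):
        if c != '"':
            continue
        n = 0
        while i - 1 - n >= 0 and literal[i - 1 - n] == "\\":
            n += 1
        if n % 2 == 0:
            bad.append(i)
    return bad


def password_line(raw: str) -> str:
    """Render the ldap { password = "..." } line for a raw bind password."""
    return f'password = "{escape_for_double_quotes(raw)}"'


if __name__ == "__main__":
    # One backslash in the secret needs 3 in the config, two need 5.
    for raw in (r'pass\"word@2022', r'pass\\"word@2022'):
        line = password_line(raw)
        assert parse_config_value(line.split("= ", 1)[1]) == raw
        print(line)
    # Two backslashes before the inner quote: the quote closes the string.
    print(even_backslash_quotes(r'pass\\"word@2022'))  # [6]
    try:
        parse_config_value(r'"pass\\"word@2022"')
    except ParseError as err:
        print("rejected:", err)
```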

September 12, 2023 6:36 AM, "平林 哲" <Satoshi.Hirabayashi at soliton.co.jp> wrote:

> sorry.
> There was a mistake when pasting.
> 
> I will correct it below.
> 
> Checking the packet at this time with wireshark, we can confirm that 
> `pass\\"word at 2022` is used as the password.
> 
> ===
> Lightweight Directory Access Protocol
> LDAPMessage bindRequest(1) 
> "cn=tkt10886-5,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp" 
> simple
> messageID: 1
> protocolOp: bindRequest (0)
> bindRequest
> version: 3
> name: 
> cn=tkt10886-5,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp
> authentication: simple (0)
> simple: pass\\"word at 2022
> [Response In: 8]
> ===
> 
> What should I do in this case?
> 
> On 2023/09/12 9:59, 平林 哲 wrote:
> 
>>>> Maybe the two backslashes need to be escaped into one backslash?
>>> 
>>> I explained the rules for double-quoted strings.  They're the same
>>> for all double quoted strings in FreeRADIUS, and in the shell.
>>> 
>>> If you want a " in the middle of a double quoted string, you have
>>> to escape it:  \"
>>> 
>>> If you want a \ in the middle of a double quoted string, you have
>>> to escape it: \\
>>> 
>>> Which means that if you want *both* a " and a \ in a double quoted
>>> string, you need to have an *odd* number of backslashes.
>>> 
>>> All you need to do is count the number of backslashes.  Even *and*
>>> there's a quote in the middle of the string?  Parse error.  Odd number
>>> of backslashes?  It's fine.
>> 
>> OK.
>> 
>> I understand the configuration.
>> 
>> Please let me confirm the password to be sent next.
>> 
>> Register a user in Active Directory with the password "pass\"word at 2022" and
>> the following LDAP settings.
>> 
>> ===
>> ldap {
>>         server = '192.168.1.6'
>>         identity = 'cn=tkt10886-5,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp'
>>         password = "pass\\\"word at 2022"
>> }
>> ===
>> 
>> If you start with this configuration, the password verification will fail.
>> 
>> ===
>> # /usr/local/sbin/radiusd -X
>> FreeRADIUS Version 3.2.3
>> Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License
>> For more information about these matters, see the file named COPYRIGHT
>> Starting - reading configuration files ...
>> including dictionary file /usr/local/share/freeradius/dictionary
>> including dictionary file /usr/local/share/freeradius/dictionary.dhcp
>> including dictionary file /usr/local/share/freeradius/dictionary.vqp
>> including dictionary file /usr/local/etc/raddb/dictionary
>> including configuration file /usr/local/etc/raddb/radiusd.conf
>> including configuration file /usr/local/etc/raddb/proxy.conf
>> including configuration file /usr/local/etc/raddb/clients.conf
>> including files in directory /usr/local/etc/raddb/mods-enabled/
>> including configuration file
>> /usr/local/etc/raddb/mods-enabled/dynamic_clients
>> including configuration file /usr/local/etc/raddb/mods-enabled/realm
>> including configuration file /usr/local/etc/raddb/mods-enabled/chap
>> including configuration file /usr/local/etc/raddb/mods-enabled/utf8
>> including configuration file /usr/local/etc/raddb/mods-enabled/date
>> including configuration file /usr/local/etc/raddb/mods-enabled/exec
>> including configuration file /usr/local/etc/raddb/mods-enabled/unix
>> including configuration file /usr/local/etc/raddb/mods-enabled/expr
>> including configuration file /usr/local/etc/raddb/mods-enabled/totp
>> including configuration file /usr/local/etc/raddb/mods-enabled/always
>> including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
>> including configuration file /usr/local/etc/raddb/mods-enabled/ldap1
>> including configuration file /usr/local/etc/raddb/mods-enabled/logintime
>> including configuration file /usr/local/etc/raddb/mods-enabled/files
>> including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
>> including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>> including configuration file /usr/local/etc/raddb/mods-enabled/digest
>> including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
>> including configuration file /usr/local/etc/raddb/mods-enabled/replicate
>> including configuration file /usr/local/etc/raddb/mods-enabled/unpack
>> including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
>> including configuration file /usr/local/etc/raddb/mods-enabled/soh
>> including configuration file /usr/local/etc/raddb/mods-enabled/detail
>> including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
>> including configuration file /usr/local/etc/raddb/mods-enabled/linelog
>> including configuration file /usr/local/etc/raddb/mods-enabled/expiration
>> including configuration file /usr/local/etc/raddb/mods-enabled/eap
>> including configuration file /usr/local/etc/raddb/mods-enabled/pap
>> including configuration file /usr/local/etc/raddb/mods-enabled/passwd
>> including configuration file /usr/local/etc/raddb/mods-enabled/echo
>> including configuration file /usr/local/etc/raddb/mods-enabled/mschap
>> including files in directory /usr/local/etc/raddb/policy.d/
>> including configuration file /usr/local/etc/raddb/policy.d/accounting
>> including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
>> including configuration file /usr/local/etc/raddb/policy.d/rfc7542
>> including configuration file /usr/local/etc/raddb/policy.d/cui
>> including configuration file /usr/local/etc/raddb/policy.d/filter
>> including configuration file /usr/local/etc/raddb/policy.d/canonicalization
>> including configuration file /usr/local/etc/raddb/policy.d/dhcp
>> including configuration file /usr/local/etc/raddb/policy.d/operator-name
>> including configuration file /usr/local/etc/raddb/policy.d/debug
>> including configuration file /usr/local/etc/raddb/policy.d/eap
>> including configuration file /usr/local/etc/raddb/policy.d/control
>> including configuration file
>> /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
>> including files in directory /usr/local/etc/raddb/sites-enabled/
>> including configuration file /usr/local/etc/raddb/sites-enabled/default
>> including configuration file
>> /usr/local/etc/raddb/sites-enabled/inner-tunnel
>> main {
>> security {
>> allow_core_dumps = no
>> }
>> name = "radiusd"
>> prefix = "/usr/local"
>> localstatedir = "/usr/local/var"
>> logdir = "/usr/local/var/log/radius"
>> run_dir = "/usr/local/var/run/radiusd"
>> }
>> main {
>> name = "radiusd"
>> prefix = "/usr/local"
>> localstatedir = "/usr/local/var"
>> sbindir = "/usr/local/sbin"
>> logdir = "/usr/local/var/log/radius"
>> run_dir = "/usr/local/var/run/radiusd"
>> libdir = "/usr/local/lib"
>> radacctdir = "/usr/local/var/log/radius/radacct"
>> hostname_lookups = no
>> max_request_time = 30
>> cleanup_delay = 5
>> max_requests = 16384
>> postauth_client_lost = no
>> pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
>> checkrad = "/usr/local/sbin/checkrad"
>> debug_level = 0
>> proxy_requests = yes
>> log {
>> stripped_names = no
>> auth = no
>> auth_badpass = no
>> auth_goodpass = no
>> colourise = yes
>> msg_denied = "You are already logged in - access denied"
>> }
>> resources {
>> }
>> security {
>> max_attributes = 200
>> reject_delay = 1.000000
>> status_server = yes
>> allow_vulnerable_openssl = "no"
>> }
>> }
>> radiusd: #### Loading Realms and Home Servers ####
>> proxy server {
>> retry_delay = 5
>> retry_count = 3
>> default_fallback = no
>> dead_time = 120
>> wake_all_if_all_dead = no
>> }
>> home_server localhost {
>> nonblock = no
>> ipaddr = 127.0.0.1
>> port = 1812
>> type = "auth"
>> secret = <<< secret >>>
>> response_window = 20.000000
>> response_timeouts = 1
>> max_outstanding = 65536
>> zombie_period = 40
>> status_check = "status-server"
>> ping_interval = 30
>> check_interval = 30
>> check_timeout = 4
>> num_answers_to_alive = 3
>> revive_interval = 120
>> limit {
>> max_connections = 16
>> max_requests = 0
>> lifetime = 0
>> idle_timeout = 0
>> }
>> coa {
>> irt = 2
>> mrt = 16
>> mrc = 5
>> mrd = 30
>> }
>> recv_coa {
>> }
>> }
>> home_server_pool my_auth_failover {
>> type = fail-over
>> home_server = localhost
>> }
>> realm example.com {
>> auth_pool = my_auth_failover
>> }
>> realm LOCAL {
>> }
>> radiusd: #### Loading Clients ####
>> client localhost {
>> ipaddr = 127.0.0.1
>> require_message_authenticator = no
>> secret = <<< secret >>>
>> nas_type = "other"
>> proto = "*"
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> client localhost_ipv6 {
>> ipv6addr = ::1
>> require_message_authenticator = no
>> secret = <<< secret >>>
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> client naeps245 {
>> ipaddr = 192.168.1.245
>> require_message_authenticator = no
>> secret = <<< secret >>>
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> Debugger not attached
>> # Creating Auth-Type = mschap
>> # Creating Auth-Type = digest
>> # Creating Auth-Type = eap
>> # Creating Auth-Type = PAP
>> # Creating Auth-Type = CHAP
>> # Creating Auth-Type = MS-CHAP
>> # Creating Autz-Type = New-TLS-Connection
>> # Creating Post-Auth-Type = Client-Lost
>> radiusd: #### Instantiating modules ####
>> modules {
>> # Loaded module rlm_dynamic_clients
>> # Loading module "dynamic_clients" from file
>> /usr/local/etc/raddb/mods-enabled/dynamic_clients
>> # Loaded module rlm_realm
>> # Loading module "IPASS" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> realm IPASS {
>> format = "prefix"
>> delimiter = "/"
>> ignore_default = no
>> ignore_null = no
>> }
>> # Loading module "suffix" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> realm suffix {
>> format = "suffix"
>> delimiter = "@"
>> ignore_default = no
>> ignore_null = no
>> }
>> # Loading module "bangpath" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> realm bangpath {
>> format = "prefix"
>> delimiter = "!"
>> ignore_default = no
>> ignore_null = no
>> }
>> # Loading module "realmpercent" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> realm realmpercent {
>> format = "suffix"
>> delimiter = "%"
>> ignore_default = no
>> ignore_null = no
>> }
>> # Loading module "ntdomain" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> realm ntdomain {
>> format = "prefix"
>> delimiter = "\\"
>> ignore_default = no
>> ignore_null = no
>> }
>> # Loaded module rlm_chap
>> # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
>> # Loaded module rlm_utf8
>> # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
>> # Loaded module rlm_date
>> # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
>> date {
>> format = "%b %e %Y %H:%M:%S %Z"
>> utc = no
>> }
>> # Loading module "wispr2date" from file
>> /usr/local/etc/raddb/mods-enabled/date
>> date wispr2date {
>> format = "%Y-%m-%dT%H:%M:%S"
>> utc = no
>> }
>> # Loaded module rlm_exec
>> # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
>> exec {
>> wait = no
>> input_pairs = "request"
>> shell_escape = yes
>> timeout = 10
>> }
>> # Loaded module rlm_unix
>> # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
>> unix {
>> radwtmp = "/usr/local/var/log/radius/radwtmp"
>> }
>> Creating attribute Unix-Group
>> # Loaded module rlm_expr
>> # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
>> expr {
>> safe_characters =
>> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
>> /aeouaaaceeeeiio?uuuayAEOUsAAACEEEEIIO?UUU?"
>> }
>> # Loaded module rlm_always
>> # Loading module "reject" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always reject {
>> rcode = "reject"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "fail" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always fail {
>> rcode = "fail"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>> always ok {
>> rcode = "ok"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "handled" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always handled {
>> rcode = "handled"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "invalid" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always invalid {
>> rcode = "invalid"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "userlock" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always userlock {
>> rcode = "userlock"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "notfound" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always notfound {
>> rcode = "notfound"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "noop" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always noop {
>> rcode = "noop"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "updated" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always updated {
>> rcode = "updated"
>> simulcount = 0
>> mpp = no
>> }
>> # Loaded module rlm_preprocess
>> # Loading module "preprocess" from file
>> /usr/local/etc/raddb/mods-enabled/preprocess
>> preprocess {
>> huntgroups =
>> "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
>> hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
>> with_ascend_hack = no
>> ascend_channels_per_line = 23
>> with_ntdomain_hack = no
>> with_specialix_jetstream_hack = no
>> with_cisco_vsa_hack = no
>> with_alvarion_vsa_hack = no
>> }
>> # Loaded module rlm_ldap
>> # Loading module "ldap" from file
>> /usr/local/etc/raddb/mods-enabled/ldap1
>> ldap {
>> server = "192.168.1.6"
>> identity =
>> "cn=tkt10886-5,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp"
>> password = <<< secret >>>
>> sasl {
>> }
>> user_dn = "LDAP-UserDn"
>> user {
>> scope = "sub"
>> access_positive = yes
>> sasl {
>> }
>> }
>> group {
>> scope = "sub"
>> name_attribute = "cn"
>> cacheable_name = no
>> cacheable_dn = no
>> allow_dangling_group_ref = no
>> }
>> client {
>> scope = "sub"
>> base_dn = ""
>> }
>> profile {
>> }
>> options {
>> ldap_debug = 0
>> net_timeout = 10
>> res_timeout = 20
>> srv_timelimit = 20
>> idle = 60
>> probes = 3
>> interval = 30
>> }
>> tls {
>> check_crl = no
>> start_tls = no
>> }
>> }
>> Creating attribute LDAP-Group
>> # Loaded module rlm_logintime
>> # Loading module "logintime" from file
>> /usr/local/etc/raddb/mods-enabled/logintime
>> logintime {
>> minimum_timeout = 60
>> }
>> # Loaded module rlm_files
>> # Loading module "files" from file
>> /usr/local/etc/raddb/mods-enabled/files
>> files {
>> filename = "/usr/local/etc/raddb/mods-config/files/authorize"
>> acctusersfile =
>> "/usr/local/etc/raddb/mods-config/files/accounting"
>> preproxy_usersfile =
>> "/usr/local/etc/raddb/mods-config/files/pre-proxy"
>> }
>> # Loaded module rlm_radutmp
>> # Loading module "radutmp" from file
>> /usr/local/etc/raddb/mods-enabled/radutmp
>> radutmp {
>> filename = "/usr/local/var/log/radius/radutmp"
>> username = "%{User-Name}"
>> case_sensitive = yes
>> check_with_nas = yes
>> permissions = 384
>> caller_id = yes
>> }
>> # Loading module "ntlm_auth" from file
>> /usr/local/etc/raddb/mods-enabled/ntlm_auth
>> exec ntlm_auth {
>> wait = yes
>> program = "/path/to/ntlm_auth --request-nt-key
>> --domain=MYDOMAIN --username=%{mschap:User-Name}
>> --password=%{User-Password}"
>> shell_escape = yes
>> }
>> # Loaded module rlm_digest
>> # Loading module "digest" from file
>> /usr/local/etc/raddb/mods-enabled/digest
>> # Loading module "sradutmp" from file
>> /usr/local/etc/raddb/mods-enabled/sradutmp
>> radutmp sradutmp {
>> filename = "/usr/local/var/log/radius/sradutmp"
>> username = "%{User-Name}"
>> case_sensitive = yes
>> check_with_nas = yes
>> permissions = 420
>> caller_id = no
>> }
>> # Loaded module rlm_replicate
>> # Loading module "replicate" from file
>> /usr/local/etc/raddb/mods-enabled/replicate
>> # Loaded module rlm_unpack
>> # Loading module "unpack" from file
>> /usr/local/etc/raddb/mods-enabled/unpack
>> # Loaded module rlm_detail
>> # Loading module "auth_log" from file
>> /usr/local/etc/raddb/mods-enabled/detail.log
>> detail auth_log {
>> filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>> header = "%t"
>> permissions = 384
>> locking = no
>> escape_filenames = no
>> log_packet_header = no
>> }
>> # Loading module "reply_log" from file
>> /usr/local/etc/raddb/mods-enabled/detail.log
>> detail reply_log {
>> filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>> header = "%t"
>> permissions = 384
>> locking = no
>> escape_filenames = no
>> log_packet_header = no
>> }
>> # Loading module "pre_proxy_log" from file
>> /usr/local/etc/raddb/mods-enabled/detail.log
>> detail pre_proxy_log {
>> filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>> header = "%t"
>> permissions = 384
>> locking = no
>> escape_filenames = no
>> log_packet_header = no
>> }
>> # Loading module "post_proxy_log" from file
>> /usr/local/etc/raddb/mods-enabled/detail.log
>> detail post_proxy_log {
>> filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>> header = "%t"
>> permissions = 384
>> locking = no
>> escape_filenames = no
>> log_packet_header = no
>> }
>> # Loaded module rlm_soh
>> # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
>> soh {
>> dhcp = yes
>> }
>> # Loading module "detail" from file
>> /usr/local/etc/raddb/mods-enabled/detail
>> detail {
>> filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>> header = "%t"
>> permissions = 384
>> locking = no
>> escape_filenames = no
>> log_packet_header = no
>> }
>> # Loaded module rlm_attr_filter
>> # Loading module "attr_filter.post-proxy" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.post-proxy {
>> filename =
>> "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
>> key = "%{Realm}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.pre-proxy" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.pre-proxy {
>> filename =
>> "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
>> key = "%{Realm}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.access_reject" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.access_reject {
>> filename =
>> "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
>> key = "%{User-Name}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.access_challenge" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.access_challenge {
>> filename =
>> "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
>> key = "%{User-Name}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.accounting_response" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.accounting_response {
>> filename =
>> "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
>> key = "%{User-Name}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.coa" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.coa {
>> filename = "/usr/local/etc/raddb/mods-config/attr_filter/coa"
>> key = "%{User-Name}"
>> relaxed = no
>> }
>> # Loaded module rlm_linelog
>> # Loading module "linelog" from file
>> /usr/local/etc/raddb/mods-enabled/linelog
>> linelog {
>> filename = "/usr/local/var/log/radius/linelog"
>> escape_filenames = no
>> syslog_severity = "info"
>> permissions = 384
>> format = "This is a log message for %{User-Name}"
>> reference = "messages.%{%{reply:Packet-Type}:-default}"
>> }
>> # Loading module "log_accounting" from file
>> /usr/local/etc/raddb/mods-enabled/linelog
>> linelog log_accounting {
>> filename = "/usr/local/var/log/radius/linelog-accounting"
>> escape_filenames = no
>> syslog_severity = "info"
>> permissions = 384
>> format = ""
>> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>> }
>> # Loaded module rlm_expiration
>> # Loading module "expiration" from file
>> /usr/local/etc/raddb/mods-enabled/expiration
>> # Loaded module rlm_eap
>> # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>> eap {
>> default_eap_type = "md5"
>> timer_expire = 60
>> max_eap_type = 52
>> ignore_unknown_eap_types = no
>> cisco_accounting_username_bug = no
>> max_sessions = 16384
>> }
>> # Loaded module rlm_pap
>> # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>> pap {
>> normalise = yes
>> }
>> # Loaded module rlm_passwd
>> # Loading module "etc_passwd" from file
>> /usr/local/etc/raddb/mods-enabled/passwd
>> passwd etc_passwd {
>> filename = "/etc/passwd"
>> format = "*User-Name:Crypt-Password:"
>> delimiter = ":"
>> ignore_nislike = no
>> ignore_empty = yes
>> allow_multiple_keys = no
>> hash_size = 100
>> }
>> # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
>> exec echo {
>> wait = yes
>> program = "/bin/echo %{User-Name}"
>> input_pairs = "request"
>> output_pairs = "reply"
>> shell_escape = yes
>> }
>> # Loaded module rlm_mschap
>> # Loading module "mschap" from file
>> /usr/local/etc/raddb/mods-enabled/mschap
>> mschap {
>> use_mppe = yes
>> require_encryption = no
>> require_strong = no
>> with_ntdomain_hack = yes
>> passchange {
>> }
>> allow_retry = yes
>> winbind_retry_with_normalised_username = no
>> }
>> instantiate {
>> }
>> # Instantiating module "IPASS" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> # Instantiating module "suffix" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> # Instantiating module "bangpath" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> # Instantiating module "realmpercent" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> # Instantiating module "ntdomain" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> # Instantiating module "reject" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "fail" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "ok" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "handled" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "invalid" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "userlock" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "notfound" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "noop" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "updated" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "preprocess" from file
>> /usr/local/etc/raddb/mods-enabled/preprocess
>> reading pairlist file
>> /usr/local/etc/raddb/mods-config/preprocess/huntgroups
>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
>> # Instantiating module "ldap" from file
>> /usr/local/etc/raddb/mods-enabled/ldap1
>> rlm_ldap: libldap vendor: OpenLDAP, version: 20457
>> rlm_ldap (ldap): Couldn't find configuration for accounting, will return
>> NOOP for calls from this section
>> rlm_ldap (ldap): Couldn't find configuration for post-auth, will return
>> NOOP for calls from this section
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> !! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
>> !! There may be random issues with TLS connections due to this conflict.
>> !! The server may also crash.
>> !! See https://wiki.freeradius.org/modules/Rlm_ldap for more information.
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> rlm_ldap (ldap): Initialising connection pool
>> pool {
>> start = 5
>> min = 3
>> max = 32
>> spare = 10
>> uses = 0
>> lifetime = 0
>> cleanup_interval = 30
>> idle_timeout = 60
>> retry_delay = 30
>> max_retries = 5
>> spread = no
>> }
>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending
>> slots used
>> rlm_ldap (ldap): Connecting to ldap://192.168.1.6:389
>> rlm_ldap (ldap): Waiting for bind result...
>> rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
>> rlm_ldap (ldap): Server said: 80090308: LdapErr: DSID-0C090569, comment:
>> AcceptSecurityContext error, data 52e, v4f7c.
>> rlm_ldap (ldap): Opening connection failed (0)
>> rlm_ldap (ldap): Removing connection pool
>> /usr/local/etc/raddb/mods-enabled/ldap1[1]: Instantiation failed for
>> module "ldap"
>> root at debian11-hira:/usr/local/etc/raddb# /usr/local/sbin/radiusd -X
>> FreeRADIUS Version 3.2.3
>> Copyright (C) 1999-2022 The FreeRADIUS server project and contributors
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License
>> For more information about these matters, see the file named COPYRIGHT
>> Starting - reading configuration files ...
>> including dictionary file /usr/local/share/freeradius/dictionary
>> including dictionary file /usr/local/share/freeradius/dictionary.dhcp
>> including dictionary file /usr/local/share/freeradius/dictionary.vqp
>> including dictionary file /usr/local/etc/raddb/dictionary
>> including configuration file /usr/local/etc/raddb/radiusd.conf
>> including configuration file /usr/local/etc/raddb/proxy.conf
>> including configuration file /usr/local/etc/raddb/clients.conf
>> including files in directory /usr/local/etc/raddb/mods-enabled/
>> including configuration file
>> /usr/local/etc/raddb/mods-enabled/dynamic_clients
>> including configuration file /usr/local/etc/raddb/mods-enabled/realm
>> including configuration file /usr/local/etc/raddb/mods-enabled/chap
>> including configuration file /usr/local/etc/raddb/mods-enabled/utf8
>> including configuration file /usr/local/etc/raddb/mods-enabled/date
>> including configuration file /usr/local/etc/raddb/mods-enabled/exec
>> including configuration file /usr/local/etc/raddb/mods-enabled/unix
>> including configuration file /usr/local/etc/raddb/mods-enabled/expr
>> including configuration file /usr/local/etc/raddb/mods-enabled/totp
>> including configuration file /usr/local/etc/raddb/mods-enabled/always
>> including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
>> including configuration file /usr/local/etc/raddb/mods-enabled/ldap1
>> including configuration file /usr/local/etc/raddb/mods-enabled/logintime
>> including configuration file /usr/local/etc/raddb/mods-enabled/files
>> including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
>> including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
>> including configuration file /usr/local/etc/raddb/mods-enabled/digest
>> including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
>> including configuration file /usr/local/etc/raddb/mods-enabled/replicate
>> including configuration file /usr/local/etc/raddb/mods-enabled/unpack
>> including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
>> including configuration file /usr/local/etc/raddb/mods-enabled/soh
>> including configuration file /usr/local/etc/raddb/mods-enabled/detail
>> including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
>> including configuration file /usr/local/etc/raddb/mods-enabled/linelog
>> including configuration file /usr/local/etc/raddb/mods-enabled/expiration
>> including configuration file /usr/local/etc/raddb/mods-enabled/eap
>> including configuration file /usr/local/etc/raddb/mods-enabled/pap
>> including configuration file /usr/local/etc/raddb/mods-enabled/passwd
>> including configuration file /usr/local/etc/raddb/mods-enabled/echo
>> including configuration file /usr/local/etc/raddb/mods-enabled/mschap
>> including files in directory /usr/local/etc/raddb/policy.d/
>> including configuration file /usr/local/etc/raddb/policy.d/accounting
>> including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
>> including configuration file /usr/local/etc/raddb/policy.d/rfc7542
>> including configuration file /usr/local/etc/raddb/policy.d/cui
>> including configuration file /usr/local/etc/raddb/policy.d/filter
>> including configuration file /usr/local/etc/raddb/policy.d/canonicalization
>> including configuration file /usr/local/etc/raddb/policy.d/dhcp
>> including configuration file /usr/local/etc/raddb/policy.d/operator-name
>> including configuration file /usr/local/etc/raddb/policy.d/debug
>> including configuration file /usr/local/etc/raddb/policy.d/eap
>> including configuration file /usr/local/etc/raddb/policy.d/control
>> including configuration file
>> /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
>> including files in directory /usr/local/etc/raddb/sites-enabled/
>> including configuration file /usr/local/etc/raddb/sites-enabled/default
>> including configuration file
>> /usr/local/etc/raddb/sites-enabled/inner-tunnel
>> main {
>> security {
>> allow_core_dumps = no
>> }
>> name = "radiusd"
>> prefix = "/usr/local"
>> localstatedir = "/usr/local/var"
>> logdir = "/usr/local/var/log/radius"
>> run_dir = "/usr/local/var/run/radiusd"
>> }
>> main {
>> name = "radiusd"
>> prefix = "/usr/local"
>> localstatedir = "/usr/local/var"
>> sbindir = "/usr/local/sbin"
>> logdir = "/usr/local/var/log/radius"
>> run_dir = "/usr/local/var/run/radiusd"
>> libdir = "/usr/local/lib"
>> radacctdir = "/usr/local/var/log/radius/radacct"
>> hostname_lookups = no
>> max_request_time = 30
>> cleanup_delay = 5
>> max_requests = 16384
>> postauth_client_lost = no
>> pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
>> checkrad = "/usr/local/sbin/checkrad"
>> debug_level = 0
>> proxy_requests = yes
>> log {
>> stripped_names = no
>> auth = no
>> auth_badpass = no
>> auth_goodpass = no
>> colourise = yes
>> msg_denied = "You are already logged in - access denied"
>> }
>> resources {
>> }
>> security {
>> max_attributes = 200
>> reject_delay = 1.000000
>> status_server = yes
>> allow_vulnerable_openssl = "no"
>> }
>> }
>> radiusd: #### Loading Realms and Home Servers ####
>> proxy server {
>> retry_delay = 5
>> retry_count = 3
>> default_fallback = no
>> dead_time = 120
>> wake_all_if_all_dead = no
>> }
>> home_server localhost {
>> nonblock = no
>> ipaddr = 127.0.0.1
>> port = 1812
>> type = "auth"
>> secret = <<< secret >>>
>> response_window = 20.000000
>> response_timeouts = 1
>> max_outstanding = 65536
>> zombie_period = 40
>> status_check = "status-server"
>> ping_interval = 30
>> check_interval = 30
>> check_timeout = 4
>> num_answers_to_alive = 3
>> revive_interval = 120
>> limit {
>> max_connections = 16
>> max_requests = 0
>> lifetime = 0
>> idle_timeout = 0
>> }
>> coa {
>> irt = 2
>> mrt = 16
>> mrc = 5
>> mrd = 30
>> }
>> recv_coa {
>> }
>> }
>> home_server_pool my_auth_failover {
>> type = fail-over
>> home_server = localhost
>> }
>> realm example.com {
>> auth_pool = my_auth_failover
>> }
>> realm LOCAL {
>> }
>> radiusd: #### Loading Clients ####
>> client localhost {
>> ipaddr = 127.0.0.1
>> require_message_authenticator = no
>> secret = <<< secret >>>
>> nas_type = "other"
>> proto = "*"
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> client localhost_ipv6 {
>> ipv6addr = ::1
>> require_message_authenticator = no
>> secret = <<< secret >>>
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> client naeps245 {
>> ipaddr = 192.168.1.245
>> require_message_authenticator = no
>> secret = <<< secret >>>
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>> Debugger not attached
>> # Creating Auth-Type = mschap
>> # Creating Auth-Type = digest
>> # Creating Auth-Type = eap
>> # Creating Auth-Type = PAP
>> # Creating Auth-Type = CHAP
>> # Creating Auth-Type = MS-CHAP
>> # Creating Autz-Type = New-TLS-Connection
>> # Creating Post-Auth-Type = Client-Lost
>> radiusd: #### Instantiating modules ####
>> modules {
>> # Loaded module rlm_dynamic_clients
>> # Loading module "dynamic_clients" from file
>> /usr/local/etc/raddb/mods-enabled/dynamic_clients
>> # Loaded module rlm_realm
>> # Loading module "IPASS" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> realm IPASS {
>> format = "prefix"
>> delimiter = "/"
>> ignore_default = no
>> ignore_null = no
>> }
>> # Loading module "suffix" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> realm suffix {
>> format = "suffix"
>> delimiter = "@"
>> ignore_default = no
>> ignore_null = no
>> }
>> # Loading module "bangpath" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> realm bangpath {
>> format = "prefix"
>> delimiter = "!"
>> ignore_default = no
>> ignore_null = no
>> }
>> # Loading module "realmpercent" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> realm realmpercent {
>> format = "suffix"
>> delimiter = "%"
>> ignore_default = no
>> ignore_null = no
>> }
>> # Loading module "ntdomain" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> realm ntdomain {
>> format = "prefix"
>> delimiter = "\\"
>> ignore_default = no
>> ignore_null = no
>> }
>> # Loaded module rlm_chap
>> # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
>> # Loaded module rlm_utf8
>> # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
>> # Loaded module rlm_date
>> # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
>> date {
>> format = "%b %e %Y %H:%M:%S %Z"
>> utc = no
>> }
>> # Loading module "wispr2date" from file
>> /usr/local/etc/raddb/mods-enabled/date
>> date wispr2date {
>> format = "%Y-%m-%dT%H:%M:%S"
>> utc = no
>> }
>> # Loaded module rlm_exec
>> # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
>> exec {
>> wait = no
>> input_pairs = "request"
>> shell_escape = yes
>> timeout = 10
>> }
>> # Loaded module rlm_unix
>> # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
>> unix {
>> radwtmp = "/usr/local/var/log/radius/radwtmp"
>> }
>> Creating attribute Unix-Group
>> # Loaded module rlm_expr
>> # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
>> expr {
>> safe_characters =
>> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
>> /aeouaaaceeeeiio?uuuayAEOUsAAACEEEEIIO?UUU?"
>> }
>> # Loaded module rlm_always
>> # Loading module "reject" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always reject {
>> rcode = "reject"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "fail" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always fail {
>> rcode = "fail"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
>> always ok {
>> rcode = "ok"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "handled" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always handled {
>> rcode = "handled"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "invalid" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always invalid {
>> rcode = "invalid"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "userlock" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always userlock {
>> rcode = "userlock"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "notfound" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always notfound {
>> rcode = "notfound"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "noop" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always noop {
>> rcode = "noop"
>> simulcount = 0
>> mpp = no
>> }
>> # Loading module "updated" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> always updated {
>> rcode = "updated"
>> simulcount = 0
>> mpp = no
>> }
>> # Loaded module rlm_preprocess
>> # Loading module "preprocess" from file
>> /usr/local/etc/raddb/mods-enabled/preprocess
>> preprocess {
>> huntgroups =
>> "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
>> hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
>> with_ascend_hack = no
>> ascend_channels_per_line = 23
>> with_ntdomain_hack = no
>> with_specialix_jetstream_hack = no
>> with_cisco_vsa_hack = no
>> with_alvarion_vsa_hack = no
>> }
>> # Loaded module rlm_ldap
>> # Loading module "ldap" from file
>> /usr/local/etc/raddb/mods-enabled/ldap1
>> ldap {
>> server = "192.168.1.6"
>> identity =
>> "cn=tkt10886-5,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp"
>> password = <<< secret >>>
>> sasl {
>> }
>> user_dn = "LDAP-UserDn"
>> user {
>> scope = "sub"
>> access_positive = yes
>> sasl {
>> }
>> }
>> group {
>> scope = "sub"
>> name_attribute = "cn"
>> cacheable_name = no
>> cacheable_dn = no
>> allow_dangling_group_ref = no
>> }
>> client {
>> scope = "sub"
>> base_dn = ""
>> }
>> profile {
>> }
>> options {
>> ldap_debug = 0
>> net_timeout = 10
>> res_timeout = 20
>> srv_timelimit = 20
>> idle = 60
>> probes = 3
>> interval = 30
>> }
>> tls {
>> check_crl = no
>> start_tls = no
>> }
>> }
>> Creating attribute LDAP-Group
>> # Loaded module rlm_logintime
>> # Loading module "logintime" from file
>> /usr/local/etc/raddb/mods-enabled/logintime
>> logintime {
>> minimum_timeout = 60
>> }
>> # Loaded module rlm_files
>> # Loading module "files" from file
>> /usr/local/etc/raddb/mods-enabled/files
>> files {
>> filename = "/usr/local/etc/raddb/mods-config/files/authorize"
>> acctusersfile =
>> "/usr/local/etc/raddb/mods-config/files/accounting"
>> preproxy_usersfile =
>> "/usr/local/etc/raddb/mods-config/files/pre-proxy"
>> }
>> # Loaded module rlm_radutmp
>> # Loading module "radutmp" from file
>> /usr/local/etc/raddb/mods-enabled/radutmp
>> radutmp {
>> filename = "/usr/local/var/log/radius/radutmp"
>> username = "%{User-Name}"
>> case_sensitive = yes
>> check_with_nas = yes
>> permissions = 384
>> caller_id = yes
>> }
>> # Loading module "ntlm_auth" from file
>> /usr/local/etc/raddb/mods-enabled/ntlm_auth
>> exec ntlm_auth {
>> wait = yes
>> program = "/path/to/ntlm_auth --request-nt-key
>> --domain=MYDOMAIN --username=%{mschap:User-Name}
>> --password=%{User-Password}"
>> shell_escape = yes
>> }
>> # Loaded module rlm_digest
>> # Loading module "digest" from file
>> /usr/local/etc/raddb/mods-enabled/digest
>> # Loading module "sradutmp" from file
>> /usr/local/etc/raddb/mods-enabled/sradutmp
>> radutmp sradutmp {
>> filename = "/usr/local/var/log/radius/sradutmp"
>> username = "%{User-Name}"
>> case_sensitive = yes
>> check_with_nas = yes
>> permissions = 420
>> caller_id = no
>> }
>> # Loaded module rlm_replicate
>> # Loading module "replicate" from file
>> /usr/local/etc/raddb/mods-enabled/replicate
>> # Loaded module rlm_unpack
>> # Loading module "unpack" from file
>> /usr/local/etc/raddb/mods-enabled/unpack
>> # Loaded module rlm_detail
>> # Loading module "auth_log" from file
>> /usr/local/etc/raddb/mods-enabled/detail.log
>> detail auth_log {
>> filename =
>> "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
>> header = "%t"
>> permissions = 384
>> locking = no
>> escape_filenames = no
>> log_packet_header = no
>> }
>> # Loading module "reply_log" from file
>> /usr/local/etc/raddb/mods-enabled/detail.log
>> detail reply_log {
>> filename =
>> "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
>> header = "%t"
>> permissions = 384
>> locking = no
>> escape_filenames = no
>> log_packet_header = no
>> }
>> # Loading module "pre_proxy_log" from file
>> /usr/local/etc/raddb/mods-enabled/detail.log
>> detail pre_proxy_log {
>> filename =
>> "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
>> header = "%t"
>> permissions = 384
>> locking = no
>> escape_filenames = no
>> log_packet_header = no
>> }
>> # Loading module "post_proxy_log" from file
>> /usr/local/etc/raddb/mods-enabled/detail.log
>> detail post_proxy_log {
>> filename =
>> "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
>> header = "%t"
>> permissions = 384
>> locking = no
>> escape_filenames = no
>> log_packet_header = no
>> }
>> # Loaded module rlm_soh
>> # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
>> soh {
>> dhcp = yes
>> }
>> # Loading module "detail" from file
>> /usr/local/etc/raddb/mods-enabled/detail
>> detail {
>> filename =
>> "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>> header = "%t"
>> permissions = 384
>> locking = no
>> escape_filenames = no
>> log_packet_header = no
>> }
>> # Loaded module rlm_attr_filter
>> # Loading module "attr_filter.post-proxy" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.post-proxy {
>> filename =
>> "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
>> key = "%{Realm}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.pre-proxy" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.pre-proxy {
>> filename =
>> "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
>> key = "%{Realm}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.access_reject" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.access_reject {
>> filename =
>> "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
>> key = "%{User-Name}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.access_challenge" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.access_challenge {
>> filename =
>> "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
>> key = "%{User-Name}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.accounting_response" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.accounting_response {
>> filename =
>> "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
>> key = "%{User-Name}"
>> relaxed = no
>> }
>> # Loading module "attr_filter.coa" from file
>> /usr/local/etc/raddb/mods-enabled/attr_filter
>> attr_filter attr_filter.coa {
>> filename = "/usr/local/etc/raddb/mods-config/attr_filter/coa"
>> key = "%{User-Name}"
>> relaxed = no
>> }
>> # Loaded module rlm_linelog
>> # Loading module "linelog" from file
>> /usr/local/etc/raddb/mods-enabled/linelog
>> linelog {
>> filename = "/usr/local/var/log/radius/linelog"
>> escape_filenames = no
>> syslog_severity = "info"
>> permissions = 384
>> format = "This is a log message for %{User-Name}"
>> reference = "messages.%{%{reply:Packet-Type}:-default}"
>> }
>> # Loading module "log_accounting" from file
>> /usr/local/etc/raddb/mods-enabled/linelog
>> linelog log_accounting {
>> filename = "/usr/local/var/log/radius/linelog-accounting"
>> escape_filenames = no
>> syslog_severity = "info"
>> permissions = 384
>> format = ""
>> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
>> }
>> # Loaded module rlm_expiration
>> # Loading module "expiration" from file
>> /usr/local/etc/raddb/mods-enabled/expiration
>> # Loaded module rlm_eap
>> # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
>> eap {
>> default_eap_type = "md5"
>> timer_expire = 60
>> max_eap_type = 52
>> ignore_unknown_eap_types = no
>> cisco_accounting_username_bug = no
>> max_sessions = 16384
>> }
>> # Loaded module rlm_pap
>> # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
>> pap {
>> normalise = yes
>> }
>> # Loaded module rlm_passwd
>> # Loading module "etc_passwd" from file
>> /usr/local/etc/raddb/mods-enabled/passwd
>> passwd etc_passwd {
>> filename = "/etc/passwd"
>> format = "*User-Name:Crypt-Password:"
>> delimiter = ":"
>> ignore_nislike = no
>> ignore_empty = yes
>> allow_multiple_keys = no
>> hash_size = 100
>> }
>> # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
>> exec echo {
>> wait = yes
>> program = "/bin/echo %{User-Name}"
>> input_pairs = "request"
>> output_pairs = "reply"
>> shell_escape = yes
>> }
>> # Loaded module rlm_mschap
>> # Loading module "mschap" from file
>> /usr/local/etc/raddb/mods-enabled/mschap
>> mschap {
>> use_mppe = yes
>> require_encryption = no
>> require_strong = no
>> with_ntdomain_hack = yes
>> passchange {
>> }
>> allow_retry = yes
>> winbind_retry_with_normalised_username = no
>> }
>> instantiate {
>> }
>> # Instantiating module "IPASS" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> # Instantiating module "suffix" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> # Instantiating module "bangpath" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> # Instantiating module "realmpercent" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> # Instantiating module "ntdomain" from file
>> /usr/local/etc/raddb/mods-enabled/realm
>> # Instantiating module "reject" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "fail" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "ok" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "handled" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "invalid" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "userlock" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "notfound" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "noop" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "updated" from file
>> /usr/local/etc/raddb/mods-enabled/always
>> # Instantiating module "preprocess" from file
>> /usr/local/etc/raddb/mods-enabled/preprocess
>> reading pairlist file
>> /usr/local/etc/raddb/mods-config/preprocess/huntgroups
>> reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
>> # Instantiating module "ldap" from file
>> /usr/local/etc/raddb/mods-enabled/ldap1
>> rlm_ldap: libldap vendor: OpenLDAP, version: 20457
>> rlm_ldap (ldap): Couldn't find configuration for accounting, will return
>> NOOP for calls from this section
>> rlm_ldap (ldap): Couldn't find configuration for post-auth, will return
>> NOOP for calls from this section
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> !! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
>> !! There may be random issues with TLS connections due to this conflict.
>> !! The server may also crash.
>> !! See https://wiki.freeradius.org/modules/Rlm_ldap for more information.
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> rlm_ldap (ldap): Initialising connection pool
>> pool {
>> start = 5
>> min = 3
>> max = 32
>> spare = 10
>> uses = 0
>> lifetime = 0
>> cleanup_interval = 30
>> idle_timeout = 60
>> retry_delay = 30
>> max_retries = 5
>> spread = no
>> }
>> rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending
>> slots used
>> rlm_ldap (ldap): Connecting to ldap://192.168.1.6:389
>> rlm_ldap (ldap): Waiting for bind result...
>> rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
>> rlm_ldap (ldap): Server said: 80090308: LdapErr: DSID-0C090569, comment:
>> AcceptSecurityContext error, data 52e, v4f7c.
>> rlm_ldap (ldap): Opening connection failed (0)
>> rlm_ldap (ldap): Removing connection pool
>> /usr/local/etc/raddb/mods-enabled/ldap1[1]: Instantiation failed for
>> module "ldap"
>> ===
>> 
>> Checking the packet at this time with Wireshark, we can confirm that
>> `pass\"word at 2022` is used as the password.
>> 
>> ===
>> Lightweight Directory Access Protocol
>> LDAPMessage bindRequest(1)
>> "cn=tkt10886-5,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp" simple
>> messageID: 1
>> protocolOp: bindRequest (0)
>> bindRequest
>> version: 3
>> name:
>> cn=tkt10886-5,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp
>> authentication: simple (0)
>> simple: pass\\"word at 2022
>> [Response In: 8]
>> ===
>> 
>> What should I do in this case?
>> 
>> On 2023/09/11 18:10, Alan DeKok wrote:
>>> On Sep 10, 2023, at 9:16 PM, 平林 哲
>>> <Satoshi.Hirabayashi at soliton.co.jp> wrote:
>> 
>> ===
>> # cat /usr/local/etc/raddb/mods-enabled/ldap1
>> ldap {
>> server = '192.168.1.6'
>> identity =
>> 'cn=tkt10886-3,cn=users,dc=srv2022,dc=rdd-osaka,dc=soliton,dc=example,dc=jp'
>> password = "pass\\"word at 2022"
>>> Two backslashes.
>> 
>> However, it behaves differently in the shell.
>> 
>> ===
>> $ echo "pass\\\"word at 2022"
>>> Three backslashes.
>> 
>> pass\"word at 2022
>> ===
>>> Use three backslashes with FreeRADIUS, and it will work.
>> 
>> Maybe the two backslashes need to be escaped into one backslash?
>>> I explained the rules for double-quoted strings.  They're the same
>>> for all double quoted strings in FreeRADIUS, and in the shell.
>>> 
>>> If you want a " in the middle of a double quoted string, you have
>>> to escape it:  \"
>>> 
>>> If you want a \ in the middle of a double quoted string, you have
>>> to escape it: \\
>>> 
>>> Which means that if you want *both* a " and a \ in a double quoted
>>> string, you need to have an *odd* number of backslashes.
>>> 
>>> All you need to do is count the number of backslashes.  Even *and*
>>> there's a quote in the middle of the string?  Parse error.  Odd number
>>> of backslashes?  It's fine.
>>> 
>>> Alan DeKok.
>>> 
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
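Added example, not from the thread and not FreeRADIUS's own parser code: the double-quoted-string rule Alan DeKok states above, \" for a quote and \\ for a backslash, written out as a small Python parser together with its inverse, so the token to put in mods-enabled/ldap1 can be derived from the literal password rather than guessed. The function names are ours; the password uses a literal @ where the archive prints " at "; backslash escapes other than \" and \\ are outside what the thread discusses and are left untouched. The inverse is the check the thread is missing, because radiusd -X prints the parsed value only as <<< secret >>>, so the result of the escaping cannot be read off the debug output.

```python
r"""Model of the double-quoted-string rule discussed in the thread (added
example, not FreeRADIUS source): inside "...", \" is a literal quote and
\\ is a literal backslash.  Any other backslash sequence is kept verbatim
here because the thread does not cover it.  Function names are ours."""


class ParseError(ValueError):
    """Raised where a real config parser would reject the line."""


def unquote_double(token: str) -> str:
    """Parse one double-quoted token and return its literal value.

    Raises ParseError when an unescaped quote appears before the end of the
    token: that quote closes the string early and the rest of the line is
    garbage, which is exactly what an even run of backslashes produces."""
    if len(token) < 2 or token[0] != '"':
        raise ParseError("token must start with a double quote")
    out = []
    i = 1
    while i < len(token):
        c = token[i]
        if c == "\\":
            if i + 1 >= len(token):
                raise ParseError("dangling backslash")
            nxt = token[i + 1]
            if nxt in ('"', "\\"):
                out.append(nxt)         # \" -> "   and   \\ -> \
            else:
                out.append(c + nxt)     # other escapes: not in the thread, kept as-is
            i += 2
        elif c == '"':
            if i != len(token) - 1:
                raise ParseError(
                    f"unescaped quote at offset {i} ends the string early; "
                    f"trailing text {token[i + 1:]!r}"
                )
            return "".join(out)
        else:
            out.append(c)
            i += 1
    raise ParseError("unterminated string")


def parses(token: str) -> bool:
    """True if the token is accepted, False if a parser would reject it."""
    try:
        unquote_double(token)
        return True
    except ParseError:
        return False


def quote_double(value: str) -> str:
    """Inverse of unquote_double: the token to write in the config file for a
    given literal value.  Backslashes are doubled first so that the quote
    escape added afterwards is not itself doubled."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def backslashes_before_embedded_quote(token: str) -> int:
    """Alan's counting rule: the number of backslashes directly in front of
    the first quote strictly inside the token.  Odd means the quote is
    escaped and the string parses; even means a parse error."""
    inner = token[1:-1]
    j = inner.find('"')
    if j < 0:
        return 0
    n = 0
    while j - 1 - n >= 0 and inner[j - 1 - n] == "\\":
        n += 1
    return n


if __name__ == "__main__":
    # Literal password from the thread (the archive shows '@' as ' at ').
    wanted = r'pass\"word@2022'
    print("config token to write:", quote_double(wanted))
    for token in (r'"pass\\"word@2022"',       # 2 backslashes: even -> parse error
                  r'"pass\\\"word@2022"',      # 3 backslashes: pass\"word@2022
                  r'"pass\\\\\"word@2022"'):   # 5 backslashes: pass\\"word@2022
        n = backslashes_before_embedded_quote(token)
        try:
            print(f"{token:26} backslashes={n} -> {unquote_double(token)}")
        except ParseError as exc:
            print(f"{token:26} backslashes={n} -> ERROR: {exc}")
```

Running it prints the token to write for pass\"word@2022 (three backslashes) and what the two-, three- and five-backslash spellings parse to; the two-backslash spelling is rejected because the quote after \\ closes the string, and the five-backslash one yields a password with two literal backslashes, which is what g4-lisz's reply assumes the unescaped password contains. The same rule applies to the shell's double quotes, which is why the echo test in the thread needed three backslashes as well. One caveat the capture makes visible: the module binds to ldap://192.168.1.6:389 with start_tls = no, so the simple bind carries the password in clear, which is the only reason Wireshark could display it; once the escaping is sorted, turning on start_tls or using an ldaps:// server URL is the next thing to fix.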


More information about the Freeradius-Users mailing list