I figured out my realm problem with ldap. Filter has to be set to %N rather
than %n
I just went through and tried the alphabet. I must be looking in the wrong
place for documentation. If someone knows where this is documented, I would
appreciate a pointer.

Now, I truly only have chap to get working before getting Wcom's approval (I
still have other things I want to do with LDAP like filter on group for
emailonly and dialonly accounts, etc).

Thanks for your help
Michael

-----Original Message-----
From: Shawn O'Shea [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, March 26, 2002 4:17 PM
To: Michael S. McCollough
Cc: '[EMAIL PROTECTED]'
Subject: RE: CHAP-Password & LDAP Auth?


On Tue, 26 Mar 2002, Michael S. McCollough wrote:

> Are you using LDAP? This did not work for me. I did get the realms 
> working though.

Yes, but you _do not_ authenticate off of LDAP. You authorize off of LDAP
(where the password needs to be stored in the clear). Essentially when LDAP
is in the authorize{} section, this is the only action it takes.

Then you authenticate{} with CHAP, which takes the CHAP-Password from the
inbound packet, and constructs a CHAP-ized version of the cleartext from
LDAP to compare it with.

-Shawn

>
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication. 
> Cannot use "CHAP-Password".
>   modcall[authenticate]: module "ldap" returns invalid
> modcall: group authenticate returns invalid
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: User not found): 
> [[EMAIL PROTECTED]/<CHAP-Password>] (from client MR-Firewall port 
> 0)
>
>
>
> -----Original Message-----
> From: Shawn O'Shea [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 10:48 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: CHAP-Password & LDAP Auth?
>
>
>
> I got the better part of this working on Friday....here's most of the 
> pertinent parts:
>
> radiusd.conf:
>
> -add a blank section for chap options (something complained when I 
> didn't do this)
>
> chap {
> }
>
> -make sure that your ldap section is configured for your setup
>
> -make sure authorize{} has chap and ldap. Mine looks like:
> authorize {
>       preprocess
>         chap
>       ldap
>       suffix
>       files
> }
>
> -make sure authenticate{} has chap. I have:
> authenticate {
>       unix
>       chap
> }
>
> I only have one type of user....I'm not sure how to setup realms 
> properly, so I'm being lame and matching the realm in their username 
> attribute and giving them some ascend vendor attributes:
> users:
>
> DEFAULT Suffix == "@realm.mycompany.com"
>       Service-Type = Framed-User,
>       Framed-Protocol = PPP,
>       Ascend-Data-Filter = "IP IN FORWARD TCP",
>       Ascend-Data-Filter += "IP IN FORWARD 0 DSTIP AA.BB.CC.DD/EE",
>       Ascend-Data-Filter += "IP IN DROP TCP DSTPORT = 25",
>       Ascend-Data-Filter += "IP IN FORWARD 0",
>       Ascend-Assign-IP-Pool = 0
>
> -Shawn
>
> On Mon, 25 Mar 2002, Michael S. McCollough wrote:
>
> > I am probably just dense but either the faq is incomplete or I 
> > cannot translate to suit my needs. I cannot even get chap to work 
> > with Auth-Type :=system  I need it to work with ldap. One key point 
> > may be CHAP vs MS-CHAP. The radiusd.conf file only has ms-chap in 
> > it. I remember a long time ago when chap was proposed, ms did their own 
> > version. Since the MS version became the de facto standard, I am not 
> > sure if ms-chap and chap are used interchangeably.
> >
> > From radiusd -X
> > rlm_ldap: Attribute "Password" is required for authentication. 
> > Cannot use "CHAP-Password".
> >
> > I need CHAP to work with LDAP but would be happy to see it work with 
> > system auth just to know it works.
> >
> > --
> > Michael
> >
> >
> > -----Original Message-----
> > From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 21, 2002 2:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: CHAP-Password & LDAP Auth?
> >
> >
> > On Thu, 21 Mar 2002, Mike Cathey wrote:
> >
> > > Chris,
> > >
> > >
> > > Chris Parker wrote:
> > > > At 12:17 PM 3/21/2002 -0500, Mike Cathey wrote:
> > > >
> > > >> Chris,
> > > >>
> > > >> The qmail-ldap (<http://www.nrg4u.com>) code (actually IIRC 
> > > >> it's the auth code) supports 2 methods of LDAP auth.  One 
> > > >> method attempts to bind to the directory as the user, which is 
> > > >> what it sounds like FreeRADIUS does.  The other method is to 
> > > >> bind to the directory as a privileged user (one who has access 
> > > >> to all user attributes), crypt what the client handed you and 
> > > >> compare it to userPassword.
> > > >
> > > >
> > > > The client hands you an already ( and non-reversible ) encrypted 
> > > > string. Encrypting it a second time will yield nothing useful.
> > > >
> > > >> It may be possible to implement the second method in FreeRADIUS 
> > > >> and use it for LDAP/CHAP auth.  Comments?
> > > >
> > > >
> > > > The only way to perform CHAP authentication is for the server to 
> > > > have access to the unencrypted password locally.
> > >
> > > Sorry, I wasn't suggesting you use crypt with LDAP/CHAP.  I was 
> > > just pointing out the method of binding as a privileged user (a 
> > > user who has rights to access the userPassword attribute for the 
> > > RADIUS users). You can then get the value of userPassword and send 
> > > the 'challenge' back to the proxy.  I haven't read docs on CHAP in 
> > > a while, but it seems like this would work ok.  Of course, this 
> > > assumes you store all of your users' passwords in plain text.
> > >
> > > Cheers,
> > >
> > > Mike
> >
> > It's already supported. Please read the FAQ at 
> > http://www.freeradius.org/faq/#5.11
> >
> > and doc/rlm_ldap
> >
> > --
> > Kostas Kalevras             Network Operations Center
> > [EMAIL PROTECTED]  National Technical University of Athens, Greece
> > Work Phone:         +30 10 7721861
> > 'Go back to the shadow'     Gandalf
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See 
> > http://www.freeradius.org/list/users.html
> >
>
>
> Shawn K. O'Shea
> Sr. Unix Administrator
> DSL.net, Inc.
>
>


Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.
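To make Shawn's explanation concrete (the server takes the cleartext password that rlm_ldap fetched in authorize{}, builds the CHAP response from it in authenticate{}, and compares that with the CHAP-Password the NAS sent), here is an added Python example. It is not code from this thread or from FreeRADIUS. The DIRECTORY dictionary, the usernames and the function names are constructed stand-ins for the LDAP lookup and the chap module; the CHAP arithmetic follows RFC 1994 (MD5 over Identifier, Secret, Challenge) and the CHAP-Password attribute layout follows RFC 2865.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the LDAP directory that rlm_ldap consults in
# authorize{}: username -> userPassword value.  Hypothetical entries, not from
# the thread.  alice's password is stored in the clear (CHAP can work);
# bob's is stored as a {SHA} hash (CHAP cannot work, as the thread explains).
DIRECTORY = {
    "alice@realm.mycompany.com": b"correct horse battery",
    "bob@realm.mycompany.com": b"{SHA}" + hashlib.sha1(b"correct horse battery").digest(),
}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def build_chap_password_attr(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """NAS side: the RADIUS CHAP-Password attribute value (RFC 2865 section 5.3)
    is the one-byte CHAP Identifier followed by the 16-byte MD5 response."""
    return bytes([identifier & 0xFF]) + chap_response(identifier, secret, challenge)


def verify_chap(chap_password_attr: bytes, challenge: bytes, cleartext_secret: bytes) -> bool:
    """Server side: rebuild the response from the cleartext secret and compare it
    in constant time against what the NAS sent."""
    if len(chap_password_attr) != 17:
        return False
    identifier = chap_password_attr[0]
    expected = chap_response(identifier, cleartext_secret, challenge)
    return hmac.compare_digest(expected, chap_password_attr[1:])


def authenticate(username: str, chap_password_attr: bytes,
                 request_authenticator: bytes,
                 chap_challenge: Optional[bytes] = None) -> str:
    """Mirrors authorize { ldap } followed by authenticate { chap }: fetch the
    stored password, then verify CHAP against it.  Returns a short verdict."""
    stored = DIRECTORY.get(username)
    if stored is None:
        return "reject: user not found"
    if stored.startswith(b"{"):
        # A hashed userPassword ({SHA}, {CRYPT}, ...) cannot be turned back into
        # the cleartext that the MD5 needs, so there is nothing to compare against.
        return "reject: userPassword is hashed, CHAP needs the cleartext"
    # RFC 2865 section 5.40: when no CHAP-Challenge attribute is present, the
    # Request Authenticator of the Access-Request serves as the challenge.
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    if verify_chap(chap_password_attr, challenge, stored):
        return "accept"
    return "reject: CHAP response mismatch"


if __name__ == "__main__":
    # Constructed exchange: the NAS picks a challenge, the user's PPP client
    # answers with the MD5 response, the RADIUS server checks it.
    request_authenticator = os.urandom(16)
    attr = build_chap_password_attr(0x2A, b"correct horse battery", request_authenticator)
    for user in ("alice@realm.mycompany.com", "bob@realm.mycompany.com",
                 "carol@realm.mycompany.com"):
        print(user, "->", authenticate(user, attr, request_authenticator))
```

The bob entry is the case the thread keeps circling back to: binding as a privileged user and reading a hashed userPassword gives the server a value it cannot feed into the MD5, so CHAP (and MS-CHAP, which needs the cleartext or an NT hash derived from it) only works when the directory holds the password in a form the server can reconstruct the response from.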
