Hi!

After searching the Web and this list and reading a LOT of
RADIUS documentation I still can't figure out how to get this to work ...

Following Setup:

Samba 3.0 Domain
LDAP-Directory for centralized administration
Freeradius-Server
Windows 2003 Server for RAS

The Samba accounts and everything is stored within the LDAP-Directory.

Now we want to remove our old NT4 server, which has been providing RAS
services until now, so we decided to use Windows 2003 (Don't ask, the RAS
thing is just a nice side-feature we want to use). The Windows 2003 RAS
service allows authentication with RADIUS. So I set up a FreeRADIUS server
and configured the W2K3 to use it. For testing purposes I entered my
username and cleartext password in the users file and I can log in fine.
But I don't want to use the users file (who would, with a nice LDAP
directory at hand ;) )

So I configured LDAP into this whole thing ... I got TLS and everything
to work; LDAP access itself seems to be running nicely.

My Problem:
The userPassword stored in the LDAP directory is crypted (MD5) for
security purposes. So this one can't be used, I guess.

BUT: We have a nice sambaLMPassword and a sambaNTPassword for every user,
which IMHO should be enough for RADIUS, right?

I tried this:

This is how I configured the LDAP module:
--------------------------- SNIP ----------------------------
ldap {
        server = "ldap.test.com"
        identity = "uid=ldaproot"
        password = blabla
        basedn = "dc=test,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_header = ""
        password_attribute = sambaNTPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
--------------------------- SNIP ----------------------------

This fetches me the correct hash out of the directory.

The server gives me this output:

--------------------------- SNIP ----------------------------
rlm_ldap: performing search in dc=test,dc=com, with filter
(uid=testuser)
rlm_ldap: Added password AF70J6480BF89440F4A4591063EF3215 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user holtkamp authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 10
modcall: group authorize returns ok for request 10
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
modcall: entering group Auth-Type for request 10
  rlm_mschap: doing MS-CHAPv2 with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 10
modcall: group Auth-Type returns reject for request 10
auth: Failed to validate the user.
Login incorrect: [testuser/<no User-Password attribute>] (from client
w2k3-ras-server port 128 cli 192.168.0.55)
--------------------------- SNIP ----------------------------

Now WHY is the Response incorrect? Any ideas what I am missing here?

If you need more information just ask, I have everything here :)

radiusd.conf
--------------------------- SNIP ----------------------------
authorize {
        preprocess
        mschap
        ldap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}
--------------------------- SNIP ----------------------------


-- 
Daniel Holtkamp                    Riege Software International GmbH
System Administration                                   Mollsfeld 10
40670 Meerbusch, Germany                     Phone: +49-2159-9148-41
mail: [EMAIL PROTECTED]                     Fax:   +49-2159-9148-11 
--------------------------------------------------------------------
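rlm_mschap can only verify an MS-CHAP2-Response if the NT-Password it is handed really is the NT hash (MD4 over the UTF-16LE password, which is what Samba writes to sambaNTPassword) as 32 hex characters; note that the check item in the debug output above contains a "J", which is not a hex digit, whether that is redaction or the stored value. As an added example that is neither from the post nor from FreeRADIUS or Samba, this script recomputes the hash for a known test password and compares it with the value read from the directory, so the LDAP side can be ruled in or out independently of the RADIUS exchange:

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used instead of hashlib.new("md4") because
    OpenSSL 3 builds often ship without the legacy provider that offers MD4."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rot = lambda v, s: (((v & MASK) << s) | ((v & MASK) >> (32 - s))) & MASK
    bits = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bits)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rot(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rot(a + G(b, c, d) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, rot(a + H(b, c, d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it in sambaNTPassword: MD4 over UTF-16LE, upper-case hex."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def check_samba_nt_password(stored: str, candidate: str) -> str:
    """Compare a sambaNTPassword value read from the directory with the hash of a
    known test password. Returns "malformed" when the value is not the 32 hex
    characters rlm_mschap expects, "ok" on a match and "mismatch" otherwise."""
    stored = stored.strip()
    if len(stored) != 32 or any(ch not in "0123456789abcdefABCDEF" for ch in stored):
        return "malformed"
    if hmac.compare_digest(stored.upper(), nt_hash(candidate)):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample: the directory value Samba would store for "password".
    print(check_samba_nt_password("8846F7EAEE8FB117AD06BDD830B7586C", "password"))
```

If the directory value comes back "ok" for the test user, the stored hash is sound and the failure lies in how the attribute reaches rlm_mschap (it must arrive as NT-Password, not as a cleartext User-Password check item).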


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html