Dear Daniel Holtkamp,

DH> rlm_ldap: Added password AF70J6480BF89440F4A4591063EF3215 in check items

sambaNTPassword must be added as NT-Password, not as Password.

--Monday, April 26, 2004, 2:05:38 PM, you wrote to [EMAIL PROTECTED]:

DH> Hi !

DH> After searching the Web and this list and reading a LOT of
DH> radius-documentary i still can't figure out how to get this to work ...

DH> Following Setup:

DH> Samba 3.0 Domain
DH> LDAP-Directory for centralized administration
DH> Freeradius-Server
DH> Windows 2003 Server for RAS

DH> The Samba accounts and everything is stored within the LDAP-Directory.

DH> Now we want to remove our old NT4 Server who is providing RAS-Services
DH> until now so we decided to use Windows 2003 (Don't ask, the RAS thing is
DH> just a nice side-feature we want to use). The Windows 2003 RAS-Service
DH> allows authentication with RADIUS. So i set up a freeradius-server and
DH> configured the W2K3 to use it. For testing purpose i entered my username
DH> and cleartext-password to the users-file and i can login fine. But i
DH> don't want to use the users-file (Who would, with a nice LDAP Directory
DH> at hand ;) )

DH> So i configured LDAP into this whole thingy ... i got TLS and everything
DH> to work, ldap-access itself seems to be running nicely.

DH> My Problem:
DH> The userPassword stored in the LDAP Directory is crypted (MD5) for
DH> security purpose. So this one can't be used i guess.

DH> BUT: We got a nice sambaLMPassword and a sambaNTPassword for every user
DH> which imho should be enough for radius, right ?

DH> I tried this:

DH> This is how i configured the LDAP-Module:
DH> --------------------------- SNIP ----------------------------
DH>  ldap {
DH>                 server = "ldap.test.com"
DH>                 identity = "uid=ldaproot"
DH>                 password = blabla
DH>                 basedn = "dc=test,dc=com"
DH>                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
DH>                 start_tls = yes
DH>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
DH>                 ldap_connections_number = 5
DH>                 password_header = ""
DH>                 password_attribute = sambaNTPassword
DH>                 timeout = 4
DH>                 timelimit = 3
DH>             net_timeout = 1
DH> }

DH> --------------------------- SNIP ----------------------------
                
DH> This fetches me the correct hash out of the directory

DH> The server gives me this output:

DH> --------------------------- SNIP ----------------------------
DH> rlm_ldap: performing search in dc=test,dc=com, with filter
DH> (uid=testuser)
DH> rlm_ldap: Added password AF70J6480BF89440F4A4591063EF3215 in check items
DH> rlm_ldap: looking for check items in directory...
DH> rlm_ldap: looking for reply items in directory...
DH> rlm_ldap: user holtkamp authorized to use remote access
DH> ldap_release_conn: Release Id: 0
DH>   modcall[authorize]: module "ldap" returns ok for request 10
DH> modcall: group authorize returns ok for request 10
DH>   rad_check_password:  Found Auth-Type MS-CHAP
DH> auth: type "MS-CHAP"
DH> modcall: entering group Auth-Type for request 10
DH>   rlm_mschap: doing MS-CHAPv2 with NT-Password
DH>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
DH>   modcall[authenticate]: module "mschap" returns reject for request 10
DH> modcall: group Auth-Type returns reject for request 10
DH> auth: Failed to validate the user.
DH> Login incorrect: [testuser/<no User-Password attribute>] (from client
DH> w2k3-ras-server port 128 cli 192.168.0.55)
DH> --------------------------- SNIP ----------------------------

DH> Now WHY is the Response incorrect ? Any ideas what i am missing here ?

DH> If you need more information just ask, i got everything here :)

DH> radiusd.conf
DH> --------------------------- SNIP ----------------------------
DH> authorize {
DH>         preprocess
DH>         mschap
DH>         ldap
DH> }

DH> authenticate {
DH>         Auth-Type MS-CHAP {
DH>                 mschap
DH>         }
DH> }
DH> --------------------------- SNIP ----------------------------




-- 
~/ZARAZA
Only I myself exist, flying nowhere. (Lem)


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
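What the fix in the reply looks like in configuration, as an added example that is not part of the thread and not from either participant. It assumes FreeRADIUS 1.x, where `${raddbdir}/ldap.attrmap` uses the `checkItem <RADIUS-attribute> <LDAP-attribute>` syntax and rlm_ldap's `password_attribute` loads its value as the cleartext `User-Password` check item; the LDAP attribute names are the Samba 3 schema names already used in the post, and the rest of the `ldap` block is the poster's own with only the password settings changed:

```conf
# Added example (not from the thread): ldap.attrmap entries plus the ldap module block
# for MS-CHAPv2 against Samba 3 password hashes on FreeRADIUS 1.x.
# Assumed: FreeRADIUS 1.x checkItem syntax, ${raddbdir} = the raddb directory, and the
# sambaLMPassword / sambaNTPassword attribute names from the Samba 3 schema.

# --- ${raddbdir}/ldap.attrmap ---
# rlm_ldap copies each listed LDAP attribute into a check item with the given RADIUS name.
# Mapping the Samba hashes to LM-Password / NT-Password gives rlm_mschap the hashes it
# needs for MS-CHAPv2; the userPassword attribute is not involved at all.
checkItem   LM-Password   sambaLMPassword
checkItem   NT-Password   sambaNTPassword

# --- radiusd.conf, modules section ---
ldap {
        server = "ldap.test.com"
        identity = "uid=ldaproot"
        password = blabla
        basedn = "dc=test,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        # Do not point password_attribute at the NT hash: that loads the hex string as a
        # cleartext User-Password check item, which is not what MS-CHAPv2 verification
        # needs, and rlm_mschap then rejects every MS-CHAP2-Response.
        # password_header = ""
        # password_attribute = sambaNTPassword
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
```

To confirm the mapping took effect, run the server in debug mode and check that the authorize output no longer shows "Added password ... in check items" but lists NT-Password (and LM-Password) among the check items fetched from the directory before rlm_mschap runs.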
