Dear Daniel Holtkamp,

DH> rlm_ldap: Added password AF70J6480BF89440F4A4591063EF3215 in check items

sambaNTPassword must be added as NT-Password, not as Password.

--
Monday, April 26, 2004, 2:05:38 PM, you wrote to [EMAIL PROTECTED]:

DH> Hi !

DH> After searching the Web and this list and reading a LOT of
DH> radius documentation I still can't figure out how to get this to work ...

DH> Following Setup:
DH> Samba 3.0 Domain
DH> LDAP-Directory for centralized administration
DH> Freeradius-Server
DH> Windows 2003 Server for RAS

DH> The Samba accounts and everything is stored within the LDAP-Directory.
DH> Now we want to remove our old NT4 Server which is providing RAS-Services
DH> until now, so we decided to use Windows 2003 (Don't ask, the RAS thing is
DH> just a nice side-feature we want to use). The Windows 2003 RAS-Service
DH> allows authentication with RADIUS. So I set up a freeradius-server and
DH> configured the W2K3 to use it. For testing purposes I entered my username
DH> and cleartext-password into the users-file and I can login fine. But I
DH> don't want to use the users-file (Who would, with a nice LDAP Directory
DH> at hand ;) )

DH> So I configured LDAP into this whole thingy ... I got TLS and everything
DH> to work, ldap-access itself seems to be running nicely.

DH> My Problem:
DH> The userPassword stored in the LDAP Directory is crypted (MD5) for
DH> security purposes. So this one can't be used I guess.
DH> BUT: We got a nice sambaLMPassword and a sambaNTPassword for every user
DH> which imho should be enough for radius, right ?

DH> I tried this:
DH> This is how I configured the LDAP-Module:

DH> --------------------------- SNIP ----------------------------
DH> ldap {
DH>         server = "ldap.test.com"
DH>         identity = "uid=ldaproot"
DH>         password = blabla
DH>         basedn = "dc=test,dc=com"
DH>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
DH>         start_tls = yes
DH>         dictionary_mapping = ${raddbdir}/ldap.attrmap
DH>         ldap_connections_number = 5
DH>         password_header = ""
DH>         password_attribute = sambaNTPassword
DH>         timeout = 4
DH>         timelimit = 3
DH>         net_timeout = 1
DH> }
DH> --------------------------- SNIP ----------------------------

DH> This fetches me the correct hash out of the directory.

DH> The server gives me this output:

DH> --------------------------- SNIP ----------------------------
DH> rlm_ldap: performing search in dc=test,dc=com, with filter
DH> (uid=testuser)
DH> rlm_ldap: Added password AF70J6480BF89440F4A4591063EF3215 in check items
DH> rlm_ldap: looking for check items in directory...
DH> rlm_ldap: looking for reply items in directory...
DH> rlm_ldap: user holtkamp authorized to use remote access
DH> ldap_release_conn: Release Id: 0
DH> modcall[authorize]: module "ldap" returns ok for request 10
DH> modcall: group authorize returns ok for request 10
DH> rad_check_password: Found Auth-Type MS-CHAP
DH> auth: type "MS-CHAP"
DH> modcall: entering group Auth-Type for request 10
DH> rlm_mschap: doing MS-CHAPv2 with NT-Password
DH> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
DH> modcall[authenticate]: module "mschap" returns reject for request 10
DH> modcall: group Auth-Type returns reject for request 10
DH> auth: Failed to validate the user.
DH> Login incorrect: [testuser/<no User-Password attribute>] (from client
DH> w2k3-ras-server port 128 cli 192.168.0.55)
DH> --------------------------- SNIP ----------------------------

DH> Now WHY is the Response incorrect ? Any ideas what I am missing here ?

DH> If you need more information just ask, I got everything here :)

DH> radiusd.conf
DH> --------------------------- SNIP ----------------------------
DH> authorize {
DH>         preprocess
DH>         mschap
DH>         ldap
DH> }
DH> authenticate {
DH>         Auth-Type MS-CHAP {
DH>                 mschap
DH>         }
DH> }
DH> --------------------------- SNIP ----------------------------

--
~/ZARAZA
Only I myself exist, flying nowhere. (Lem)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
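Added example, not part of the reply above and not a file shipped by FreeRADIUS or Samba: the change the reply describes, written out as the quoted ldap {} block next to a corrected one, plus the two ldap.attrmap lines that present the Samba hashes as the NT-Password and LM-Password check items. The attribute names sambaNTPassword and sambaLMPassword are the ones from Daniel's directory; the attrmap line format and the meaning of password_attribute are taken from the rlm_ldap configuration of that era and are assumed here rather than quoted from the thread.

```conf
# Added example (not from the thread). Same directory, same user; only how
# rlm_ldap hands the Samba hash to the rest of the server changes.

# --- before: the quoted ldap {} block -------------------------------------
# password_attribute tells rlm_ldap "this attribute holds the user's password",
# so the NT hash is added as the *password* check item (the "Added password
# ... in check items" debug line). rlm_mschap then treats that hex string as
# if it were the cleartext password, and the MS-CHAPv2 response never matches.
ldap {
        server = "ldap.test.com"
        identity = "uid=ldaproot"
        password = blabla
        basedn = "dc=test,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_header = ""
        password_attribute = sambaNTPassword    # <- NT hash presented as Password
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

# --- after: hand the hashes over as NT-Password / LM-Password ------------
# The Samba attribute is no longer named as the password attribute; the
# mapping below does the work instead. (userPassword is left alone: it is
# an MD5 crypt and cannot be used for MS-CHAP anyway.)
ldap {
        server = "ldap.test.com"
        identity = "uid=ldaproot"
        password = blabla
        basedn = "dc=test,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        # password_attribute = userPassword    # assumed default; not used for MS-CHAP
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

# --- ${raddbdir}/ldap.attrmap (the file dictionary_mapping points at) -----
# Format assumed: <checkItem|replyItem>  <RADIUS attribute>  <LDAP attribute>
# The directory value is the 32-character hex hash, which is the form
# rlm_mschap consumes as NT-Password / LM-Password.
checkItem       NT-Password     sambaNTPassword
checkItem       LM-Password     sambaLMPassword
```

To confirm the change took effect, run the server in debug mode (radiusd -X) and repeat the login: the "rlm_ldap: Added password ... in check items" line should be gone and the mapped NT-Password should instead appear among the check items rlm_ldap collects, after which rlm_mschap has a real NT hash to compute the MS-CHAPv2 response against.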