Erik Denny <[EMAIL PROTECTED]> wrote:
> I can auth PAP requests all day long, however, I get the following error 
> when a CHAP term server requests auth.
> 
> Thu Sep  2 13:27:40 2004 : Auth: rlm_ldap: Attribute "User-Password" is 
> required for authentication. Cannot use "CHAP-Password".
> Thu Sep  2 11:35:47 2004 : Auth: Login incorrect: [EMAIL PROTECTED]/<CHAP-Password>]

  You are setting "Auth-Type := LDAP".  You are setting "Auth-Type :=
LDAP", even for CHAP requests.  That's the source of the problem.

  This is why the server is configured by default to set "Auth-Type :=
CHAP" for CHAP requests: because no other module can do CHAP.  The
LDAP module sets "Auth-Type = LDAP" only if it has not already been
set.

  So if you're getting that error for Access-Requests containing CHAP,
it's because you've over-ridden the default configuration, and told
the server to NOT use the CHAP module for CHAP requests.

> This is the result of a test from a term server with an account that has a 
> clear-text password.

  You are confusing passwords in the LDAP database with passwords in
the Access-Request.  Let's look at a little matrix:

                         authentication data in Access-Request

                      PAP                       CHAP
 passwords
 in LDAP    clear     Auth-Type := LDAP         Auth-Type := CHAP

            crypt     Auth-Type := LDAP         impossible


  The fact that the "account has a clear-text password" is IRRELEVANT.
The Access-Request has a CHAP password, and LDAP doesn't do CHAP.  End
of story.  Don't force LDAP to handle CHAP requests.

> Now, as far as I can see in the configs and code, we have not removed 
> anything that would break it, AND there is no "User-Password" defined in 
> the bundled schema for LDAP v3 in the doc directory. 
> (RADIUS-LDAPv3.schema)  There appears to be NO conversion from "uid" to 
> "User-Name" anywhere that I can see, so how can this work out of the box?

  If the Access-Request contains a PAP password, then Auth-Type :=
LDAP will work.

> BTW- I don't see how you can test CHAP auth with anything other than a 
> term server- radtest/radclient don't appear to support the option?

$ cat radtest | sed 's/User-Password/CHAP-Password/' > radchaptest
$ chmod +x radchaptest

  And then use "radchaptest" to send CHAP requests.

> >   Honestly, if PAP works for a user, then MS-CHAP works, too.  Trust
> > me in this.

  The problem is that many people get confused between authorization
and authentication.  LDAP is a *database*, not an authentication
server.  Let LDAP store passwords, and let FreeRADIUS do
authentication.

  The whole problem starts when you configure FreeRADIUS to use LDAP
for authenticating users.  Don't do that.  Use LDAP to store
clear-text passwords.  LDAP doesn't do CHAP, MS-CHAP, EAP, or anything
other than PAP.  So if there isn't a User-Password attribute in the
Access-Request packet, then setting "Auth-Type := LDAP" will ALWAYS
FAIL.

  i.e. Don't list "ldap" in "authenticate".  Yes, you may discover
that some things break.  This means you've probably got to set
"Auth-Type := Local", for PAP requests.

  Alan DeKok.
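A worked illustration of the matrix above, added here as an example and not part of the original post or of FreeRADIUS: the CHAP response (RFC 1994, carried in RADIUS per RFC 2865) is MD5 over the CHAP ident, the clear-text password and the challenge, so a server holding only a crypt hash has nothing to feed into that computation. The attribute names and the "clear"/"crypt" labels follow the post; the helper names and sample values are my own.

```python
import hashlib
import hmac

# RFC 2865 s.5.3: CHAP-Password = 1-byte CHAP ident + 16-byte MD5 response.
# The challenge is the CHAP-Challenge attribute or, if absent, the 16-byte
# Request Authenticator. MD5 here is what the protocol mandates, not a choice.
def chap_response(ident: int, cleartext_password: bytes, challenge: bytes) -> bytes:
    """Build the CHAP-Password value a NAS sends for a given challenge."""
    digest = hashlib.md5(bytes([ident]) + cleartext_password + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(chap_password: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    """Server side: recompute the response from the stored clear-text password.

    This is the only way to check CHAP; a one-way hash of the password cannot
    be used as input to the MD5 computation.
    """
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored_cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)


def pick_auth_type(request_attrs: set, stored_form: str) -> str:
    """Mirror the matrix in the post: which Auth-Type can possibly succeed.

    request_attrs: attribute names present in the Access-Request.
    stored_form:   'clear' or 'crypt', how LDAP stores the password.
    """
    if "User-Password" in request_attrs:      # PAP: LDAP can compare either form
        return "LDAP"
    if "CHAP-Password" in request_attrs:
        if stored_form == "clear":            # only the CHAP module can do this
            return "CHAP"
        raise ValueError("CHAP against a crypt-hashed password is impossible: "
                         "the response needs the clear-text password as input")
    raise ValueError("no usable authentication attribute in Access-Request")


if __name__ == "__main__":
    # Constructed sample: ident 7, a clear-text password, a fixed 16-byte challenge.
    challenge = bytes(range(16))
    resp = chap_response(7, b"s3cret", challenge)
    print("CHAP ok with clear-text:", verify_chap(resp, challenge, b"s3cret"))
    print("Auth-Type for CHAP/clear:", pick_auth_type({"User-Name", "CHAP-Password"}, "clear"))
```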

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html