Hey, thanks for the help...

Still having difficulty, although I think you are right on target.

LDAP appears to respond correctly, then RADIUS states that the User-Password attribute is missing. Isn't this what I set with the ldap.attrmap and dictionary_mapping in the radiusd.conf?

Here are snippets from configs and the radiusd -X output for the failed EAP request... Please let me know if more is needed.

Thanks,
Matt



********ldap.attrmap:

checkItem       User-Password                   userPassword


********radiusd.conf:

modules {
        eap {
                default_eap_type = md5
                timer_expire     = 60
                md5 {
                }
        }
        mschap {
                authtype = MS-CHAP
        }
        ldap {
                server = "localhost"
                identity = "cn=Manager,dc=yoyo,dc=com"
                password = secret
                basedn = "dc=yoyo,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
}

authorize {
        preprocess
        eap
        files
        mschap
        ldap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        Auth-Type LDAP {
                ldap
        }
        eap
}



*********Users File:

testuser  Auth-Type := EAP, User-Password == "testpass"
raduser   Auth-Type := Local, User-Password == "testpass"

DEFAULT Auth-Type := LDAP
        Fall-Through = 1




*********radiusd -X output to failed EAP request for LDAP user

rad_recv: Access-Request packet from host 143.116.5.238:2048, id=98, length=117
        NAS-IP-Address = 192.168.1.238
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0xf884d8f729a9e770bd73e8e33f6e22e7
        NAS-Port = 20
        Framed-MTU = 1490
        User-Name = "matt_moore"
        Calling-Station-Id = "00-B0-D0-74-C3-5A"
        EAP-Message = 0x0201000f016d6174745f6d6f6f7265
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  rlm_eap: EAP packet type notification id 1 length 15
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for matt_moore
radius_xlat:  '(uid=matt_moore)'
radius_xlat:  'dc=yoyo,dc=com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=yoyo,dc=com, with filter (uid=matt_moore)
rlm_ldap: Added password test123 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value test123 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user matt_moore authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Login incorrect: [matt_moore/<no User-Password attribute>] (from client plant1 port 20 cli 00-B0-D0-74-C3-5A)
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.238:2048, id=98, length=117
Sending Access-Reject of id 98 to 192.168.1.238:2048
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 98 with timestamp 41f56ee2
Nothing to do.  Sleeping until we see a request.


--- NextGen$'s ShaDow <[EMAIL PROTECTED]> wrote:

> I solved this problem using another attribute:
> in /etc/freeradius/ldap.attrmap:
> 
> checkItem       User-Password                   radiusTunnelPassword
> 
> and set up passwords in it ;-)
> 
> I think it's only an access-rights problem on the LDAP 'userPassword' attribute...
> 
> If that doesn't solve your problem, please send a copy of your config files and give more information: it'll be easier to help.
> 
> Regards
> 
> Matt Moore wrote:
> 
> >Hello all,
> >
> >I am trying to set up a radius service for eap with an
> >ldap backend.  I have gotten the ldap backend working
> >and I have gotten eap to work with a user defined in
> >the users file.  Next 2 lines from my users file.
> >
> >testuser  Auth-Type := EAP, User-Password == "testpass"
> >DEFAULT Auth-Type := LDAP
> >
> >But, how do I get EAP to work with ldap backend in
> >this situation?  Or am I missing something more
> >fundamental?  I have looked through the archives, but
> >turned up only help on ldap or eap, not combining the
> >two...  any pointers?
> >
> >Thanks,
> >Matt Moore
> >
> >
> >
> 
> -- 
> NextGen$. 
> ---> In a world without fences nor walls - who needs windows and gates?
> 
> One can obey the laws while wishing they would change, just as one serves in war while wishing for peace.
> Merleau-Ponty, "L'éloge de la philosophie"
> 
> 






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
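As an added example (not part of the post above and not FreeRADIUS project code), the following Python script parses a `radiusd -X` transcript like the one quoted in this message and reports, per packet id, which Auth-Type was chosen, which users-file entry matched, which attributes the Access-Request carried, and why the authenticate section rejected it. It assumes the debug line formats exactly as printed in this post (other FreeRADIUS versions word these lines differently), and the sample log is constructed from the post's own lines with the mail wrapping removed.

```python
"""Summarise a FreeRADIUS `radiusd -X` debug transcript per request id.

Added example, not code from the mailing-list post or the FreeRADIUS project.
The regular expressions assume the debug wording shown in the post; other
server versions print slightly different text.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the post's transcript with the e-mail line wrapping removed.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 143.116.5.238:2048, id=98, length=117
        NAS-IP-Address = 192.168.1.238
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        NAS-Port = 20
        User-Name = "matt_moore"
        Calling-Station-Id = "00-B0-D0-74-C3-5A"
        EAP-Message = 0x0201000f016d6174745f6d6f6f7265
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok
  modcall[authorize]: module "mschap" returns noop
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid
auth: Failed to validate the user.
Login incorrect: [matt_moore/<no User-Password attribute>] (from client plant1 port 20 cli 00-B0-D0-74-C3-5A)
rad_recv: Access-Request packet from host 192.168.1.238:2048, id=98, length=117
Sending Access-Reject of id 98 to 192.168.1.238:2048
"""

RE_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
RE_ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")
RE_MODCALL = re.compile(r'^\s*modcall\[(\w+)\]: module "([\w-]+)" returns (\w+)')
RE_USERS = re.compile(r"^\s*users: Matched (\S+) at (\d+)")
RE_AUTHTYPE = re.compile(r"^\s*rad_check_password:\s+Found Auth-Type (\S+)")
RE_FAIL = re.compile(r"^Login incorrect: \[([^/]+)/([^\]]*)\]")
RE_REPLY = re.compile(r"^Sending (Access-\w+) of id (\d+)")


@dataclass
class RequestSummary:
    request_id: int
    request_attrs: dict = field(default_factory=dict)   # attributes in the Access-Request
    module_results: list = field(default_factory=list)  # (section, module, rcode), in order
    users_match: Optional[tuple] = None                 # (entry, line) matched in the users file
    auth_type: Optional[str] = None                     # Auth-Type found by rad_check_password
    failure: Optional[str] = None                       # reason printed by "Login incorrect"
    reply: Optional[str] = None                         # Access-Accept / Access-Reject

    @property
    def user(self) -> Optional[str]:
        return self.request_attrs.get("User-Name")


def parse_debug_log(text: str) -> dict:
    """Group debug lines by RADIUS packet id; a retransmit with the same id is merged."""
    summaries: dict = {}
    current: Optional[RequestSummary] = None
    in_attrs = False
    for line in text.splitlines():
        m = RE_RECV.match(line)
        if m:
            rid = int(m.group(2))
            current = summaries.setdefault(rid, RequestSummary(request_id=rid))
            in_attrs = True
            continue
        if current is None:
            continue
        if in_attrs:
            m = RE_ATTR.match(line)
            if m:
                current.request_attrs[m.group(1)] = m.group(2).strip('"')
                continue
            in_attrs = False  # first non-indented line ends the packet dump
        if m := RE_MODCALL.match(line):
            current.module_results.append(m.groups())
        elif m := RE_USERS.match(line):
            current.users_match = (m.group(1), int(m.group(2)))
        elif m := RE_AUTHTYPE.match(line):
            current.auth_type = m.group(1)
        elif m := RE_FAIL.match(line):
            current.failure = m.group(2)
        elif m := RE_REPLY.match(line):
            rid = int(m.group(2))
            summaries.setdefault(rid, RequestSummary(request_id=rid)).reply = m.group(1)
    return summaries


def diagnose(s: RequestSummary) -> str:
    """Explain a rejection using only evidence the transcript itself contains."""
    if s.reply != "Access-Reject":
        return "not rejected"
    failed = [mod for sec, mod, rc in s.module_results if sec == "authenticate" and rc != "ok"]
    has_eap = "EAP-Message" in s.request_attrs
    has_pw = "User-Password" in s.request_attrs
    if has_eap and not has_pw and s.auth_type and s.auth_type != "EAP":
        where = f" after users file entry {s.users_match[0]} (line {s.users_match[1]}) matched" if s.users_match else ""
        return (f"Auth-Type {s.auth_type} selected for an EAP request{where}: the packet carries "
                f"EAP-Message but no User-Password, so authenticate module "
                f"{failed[0] if failed else s.auth_type.lower()} rejected it ({s.failure})")
    if failed:
        return f"authenticate module {failed[0]} failed: {s.failure}"
    return f"rejected: {s.failure}"


if __name__ == "__main__":
    for rid, summary in parse_debug_log(SAMPLE_LOG).items():
        print(f"id={rid} user={summary.user} auth_type={summary.auth_type} reply={summary.reply}")
        print("  ", diagnose(summary))
```

Run against the sample, the script reports that Auth-Type LDAP was selected after the users file DEFAULT entry matched, and that the request carried EAP-Message but no User-Password, which is exactly the "<no User-Password attribute>" reason in the transcript; feeding it a longer transcript gives the same one-line verdict per packet id without reading the whole debug output by hand.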
