Phil Mayers wrote:
Christophe Gravier wrote:
My password are not stored in LDAP in clear text but hashed using SHA
algorythm, so this won't work ;-(
Ok, let's take a breath. First things first:
If your passwords are in SHA (which they are) your Radius server will
ONLY be able to answer PAP requests.
The very first log you sent in this thread indicates you have
ChilliSpot set to use CHAP:
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
Cannot use "CHAP-Password".
modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
'''"Cannot use "CHAP-Password"''' - indicates the request (from
ChilliSpot) came in with CHAP credentials.
First, fix that. See here:
http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html
Next, since you have SHA passwords and can only answer PAP, you have
two choices:
1. Extract the SHA password and add it to the config items, then
configure the Radius servers PAP module to check it:
modules {
pap {
encryption_scheme = sha1
}
ldap {
# settings go here
}
}
authorize {
preprocess
ldap
}
authenticate {
Auth-Type PAP {
pap
}
}
HOWEVER - this may not work. The "SHA" that your LDAP server uses may
be slightly different (salting, keying) than the SHA FreeRadius uses.
Much more likely to trip you up though, is when "ldap" matches in
authorize, it will set Auth-Type = LDAP, so you either need to disable
that or otherwise "make it work" and there are about 6 different ways
of doing that. The most obvious would be to replace the above with:
modules { as before }
authorize { as before }
authenticate {
Auth-Type LDAP {
pap
}
}
I want to make "set Auth-Type = LDAP" working by making this Auth-Type
use the pap configuration. (correct me If I'm wrong).
I followed what you advises:
- configure chilli uamsecret and uampassword)
- put pap configuration in module section
- check ldap configration in module
- put ldap in authorize
- put Auth-Type LDAP { pap } in authentificate.
Now things got through pap indeed, but I'm told:
rlm_pap: No password (or empty password) to check against for for user
gravier.christophe
I think I totally misunderstand your sentence: "Extract the SHA password
and add it to the config items". I thought it means to add the mapping
"checkItem User-Password userPassword" in ldap.attrmap (where
userPassword is my attribute for SHA password). As it didn't work I used
the "password_attribute" conf entry in ldap configuration (module
section), but as I expected it has the same consequence.
Could you please, be more precise about the extraction of SHA password ?
Is there an additional conf entry for pap in module section ?
Here is the complete trace:
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter
(uid=gravier.christophe)
rlm_ldap: checking if remote access for gravier.christophe is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "gravier.christophe", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 158
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by "gravier.christophe" with password < here the
trace prints my password in plain text, normal ? >
rlm_pap: No password (or empty password) to check against for for user
gravier.christophe
modcall[authenticate]: module "pap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
But it might not work. Alternatively and probably simpler (but less
formally correct) is the 2nd method:
2. Configure the LDAP module to find the user, set Auth-Type==LDAP
then authenticate the user via simple bind:
authorize {
preprocess
ldap
}
authenticate {
Auth-Type LDAP {
ldap
}
}
...and assuming the "ldap" modules is setup correctly, what will
happen is:
A. authorize called
1. preprocess called
2. suffix realm called - no-op probably
3. files called - no-op probably but DO NOT SET Auth-Type
4. ldap called - search succeeds, and "Ldap-UserDN" is set, and
"Auth-Type" set to "LDAP"
B. authenticate called
1. Auth-Type == LDAP, so "ldap" called and simple bind performed
And it WILL WORK.
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
