Christophe Gravier wrote:

Phil Mayers wrote:

Christophe Gravier wrote:


My passwords are not stored in LDAP in clear text but hashed using the SHA algorithm, so this won't work ;-(




Ok, let's take a breath. First things first:

If your passwords are in SHA (which they are) your Radius server will ONLY be able to answer PAP requests.

The very first log you sent in this thread indicates you have ChilliSpot set to use CHAP:


rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
 modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.

'Cannot use "CHAP-Password"' - indicates the request (from ChilliSpot) came in with CHAP credentials.

First, fix that. See here:

http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html



Next, since you have SHA passwords and can only answer PAP, you have two choices:

1. Extract the SHA password and add it to the config items, then configure the Radius server's PAP module to check it:

modules {
  pap {
    encryption_scheme = sha1
  }
  ldap {
    # settings go here
  }
}

authorize {
  preprocess
  ldap
}
authenticate {
  Auth-Type PAP {
    pap
  }
}

HOWEVER - this may not work. The "SHA" that your LDAP server uses may be slightly different (salting, keying) than the SHA FreeRadius uses.

Much more likely to trip you up though, is when "ldap" matches in authorize, it will set Auth-Type = LDAP, so you either need to disable that or otherwise "make it work" and there are about 6 different ways of doing that. The most obvious would be to replace the above with:

modules { as before }
authorize { as before }
authenticate {
  Auth-Type LDAP {
    pap
  }
}


I want to make "set Auth-Type = LDAP" work by making this Auth-Type use the pap configuration (correct me if I'm wrong).

I followed what you advised:
- configure chilli uamsecret and uampassword
- put the pap configuration in the module section
- check the ldap configuration in the module section
- put ldap in authorize
- put Auth-Type LDAP { pap } in authenticate.

Now things got through pap indeed, but I'm told:
rlm_pap: No password (or empty password) to check against for for user gravier.christophe

I think I totally misunderstand your sentence: "Extract the SHA password and add it to the config items". I thought it meant adding the mapping "checkItem User-Password userPassword" in ldap.attrmap (where userPassword is my attribute for the SHA password). As it didn't work I used the "password_attribute" conf entry in the ldap configuration (module section), but as I expected it had the same consequence.

Could you please be more precise about the extraction of the SHA password? Is there an additional conf entry for pap in the module section?

Here is the complete trace:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
rlm_ldap: checking if remote access for gravier.christophe is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "gravier.christophe", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module "eap" returns noop for request 0
   users: Matched entry DEFAULT at line 158
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by "gravier.christophe" with password < here the trace prints my password in plain text, normal ? >
rlm_pap: No password (or empty password) to check against for for user gravier.christophe
 modcall[authenticate]: module "pap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0


But it might not work. Alternatively and probably simpler (but less formally correct) is the 2nd method:

2. Configure the LDAP module to find the user, set Auth-Type==LDAP then authenticate the user via simple bind:

authorize {
  preprocess
  ldap
}
authenticate {
  Auth-Type LDAP {
    ldap
  }
}

...and assuming the "ldap" module is set up correctly, what will happen is:

A. authorize called
 1. preprocess called
 2. suffix realm called - no-op probably
 3. files called - no-op probably but DO NOT SET Auth-Type
 4. ldap called - search succeeds, and "Ldap-UserDN" is set, and "Auth-Type" set to "LDAP"

B. authenticate called
 1. Auth-Type == LDAP, so "ldap" called and simple bind performed


Oops, I missed the last part of the previous mail:

BTW, The second method *DOES* work ;-)
Thank you Phil, my captive portal is now working using LDAP at last :-)
(My question about method 1 is about understanding)

And it WILL WORK.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html
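As an added example, not code from this thread or from FreeRADIUS: a small Python model of why SHA-hashed LDAP passwords can only be checked with PAP, and of the salted {SSHA} variant that can trip up method 1. It assumes RFC 2307 style {SHA}/{SSHA} userPassword values and the RFC 1994 CHAP computation; the sample hash and salt are constructed.

```python
import base64
import hashlib
import hmac

def parse_ldap_password(stored: str):
    """Split an RFC 2307 style userPassword value ('{SHA}...' or '{SSHA}...')
    into (scheme, sha1_digest, salt). {SHA} is an unsalted SHA-1 digest;
    {SSHA} appends a salt to the 20-byte digest before base64 encoding."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("expected a {SCHEME}-prefixed value")
    scheme, b64 = stored[1:].split("}", 1)
    blob = base64.b64decode(b64)
    scheme = scheme.upper()
    if scheme == "SHA":
        return scheme, blob, b""
    if scheme == "SSHA":
        return scheme, blob[:20], blob[20:]
    raise ValueError(f"unsupported scheme {scheme}")

def pap_check(stored: str, cleartext: str) -> bool:
    """PAP hands the server the cleartext, so it can re-hash (with the stored
    salt, if any) and compare. Unsalted {SHA} is what 'encryption_scheme = sha1'
    in rlm_pap expects; salted {SSHA} is the 'slightly different (salting)'
    case from the thread that a plain sha1 comparison would not match."""
    _, digest, salt = parse_ldap_password(stored)
    candidate = hashlib.sha1(cleartext.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def chap_response(ident: int, cleartext: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(id || secret || challenge). Only the cleartext
    secret lets either side compute this value."""
    return hashlib.md5(bytes([ident]) + cleartext.encode() + challenge).digest()

def chap_check(cleartext: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Verifying a CHAP response means recomputing it from the cleartext; a
    server holding only a SHA digest has nothing to feed in, which is why
    rlm_ldap reports it cannot use CHAP-Password with hashed passwords."""
    return hmac.compare_digest(chap_response(ident, cleartext, challenge), response)

def make_ssha(cleartext: str, salt: bytes) -> str:
    """Constructed helper: build a sample {SSHA} value for demonstration."""
    digest = hashlib.sha1(cleartext.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

# Constructed sample: "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=" is SHA-1("password").
if __name__ == "__main__":
    print(pap_check("{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", "password"))  # True
```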
