Dear Thor and Ivan,

Thanks for your support. I would like to note that I have the same configuration on a server that has freeradius-1.1.7-1 installed and it is working fine. I want to upgrade. That is why I am testing freeradius-2.1.6-2. I want to ask if there is any difference between the 1.1.7-1 and 2.1.6-2 configuration files that I should take into consideration.

Thor, I don't have the same output in the debug mode. I have what you can see below:

++[ldap] returns ok
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "password"
[pap] Using clear text password "$...@hfgusllj%$#kasjs"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> username
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

Dear Ivan and Thor,

As you can see, the problem is that I am sending a clear text password and the radius doesn't convert it to an encrypted one. I want my radius to take a clear text password and encrypt it, then compare it with the encrypted one in my ldap.

Please let me know if I should clarify more or if you need more info.

Thanks again for your support.

Regards,

On Thu, Sep 24, 2009 at 3:05 PM, Thor Spruyt <thor.spr...@telenet.be> wrote:

> Hi,
>
> I tried to get this working also and I found that if you let the ldap
> module *not* check the password_header, then the password incl. the header
> is put in the User-Password attribute.
> If you then use auto_header = yes for the pap module, it should figure out
> automatically to do crypt... unless the uppercase CRYPT is causing issues...
>
> Here's some sample debug output to check your setup:
> [ldap] Password header not found in password {crypt}XXXXXXXXXXX for user test
> [ldap] Added User-Password = {crypt}XXXXXXXXXXX in check items
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> +++[ldap] returns ok
> ++- group returns ok
> ++[pap] returns updated
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password "xxxx"
> [pap] Using CRYPT encryption.
> [pap] User authenticated successfully
> ++[pap] returns ok
>
> Regards,
> Thor.
>
> >----- Original message -----
> >From: wessam seleem [mailto:wessam.sel...@gmail.com]
> >Sent: Thursday, September 24, 2009 02:16 PM
> >To: t...@kalik.net, 'FreeRadius users mailing list'
> >Subject: Re: "known good" error
> >
> >Thanks Ivan for your reply. Here is the ldap configuration section:
> >
> >ldap {
> >server = "x.x.x.x"
> >identity = "cn=username"
> >password = password
> >basedn = "ou=email,o=data,c=eg"
> >filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> >password_header = "{CRYPT}"
> >ldap_connections_number = 100
> >timeout = 15
> >timelimit = 10
> >net_timeout = 5
> >
> >tls {
> >start_tls = no
> >}
> >
> >profile_attribute = "radiusProfileDn"
> >access_attr = "dialupAccess"
> >dictionary_mapping = ${confdir}/ldap.attrmap
> >password_attribute = radiususerPassword
> >}
> >
> >and here is the debug message
> >
> >++[ldap] returns ok
> >Found Auth-Type = PAP
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!! Replacing User-Password in config items with Cleartext-Password. !!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >!!! Please update your configuration so that the "known good" !!!
> >!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> >!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >+- entering group PAP {...}
> >[pap] login attempt with password "123456"
> >[pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"
> >[pap] Passwords don't match
> >++[pap] returns reject
> >Failed to authenticate the user.
> >Using Post-Auth-Type Reject
> >+- entering group REJECT {...}
> >[attr_filter.access_reject] expand: %{User-Name} -> username
> > attr_filter: Matched entry DEFAULT at line 11
> >++[attr_filter.access_reject] returns updated
> >Delaying reject of request 0 for 1 seconds
> >Going to the next request
> >Waking up in 0.9 seconds.
> >Sending delayed reject for request 0
> >
> >Thanks for your support.
> >Wessam
> >
> >On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik <t...@kalik.net> wrote:
> >
> >> > I decided to install free radius 2.1.6-2 to test it and then to upgrade
> >> > my existing versions in my servers. I configured my free radius to use
> >> > ldap.
> >> > When I tried to authenticate from the new radius it gave me the following
> >> > message "from radius -X".
> >> >
> >> > Replacing User-Password in config items with Cleartext-Password. !!!
> >> > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> >> > !!! Please update your configuration so that the "known good" !!!
> >> > !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
> >> >
> >> > Note that when I wrote the password encrypted "like *%@&ks...@sdgsadgjhsb"
> >> > I was able to login but when I wrote the password in clear text "like test"
> >> > I failed to login.
> >>
> >> Password in ldap probably has a header. You can ignore the message then,
> >> because server will convert User-Password to appropriate password
> >> attribute on its own (Crypt-Password for {crypt}, SHA-Password for {sha}
> >> etc.) if auto-header is enabled. Post the whole debug.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
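
The header handling discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: a small Python model of a PAP check that picks the comparison from the password header, and of what happens once the header has been stripped. It uses a constructed {SSHA} value (salted SHA-1) in place of {crypt}, because crypt(3) is not available in hashlib; the function names and the salt are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

# Header -> attribute. Crypt-Password and SHA-Password are named in the thread;
# SSHA-Password is the salted SHA-1 analogue used for the runnable sample.
HEADER_TO_ATTR = {"{crypt}": "Crypt-Password", "{sha}": "SHA-Password",
                  "{ssha}": "SSHA-Password"}

def make_ssha(password, salt):
    """Build a constructed {SSHA} directory value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def split_header(stored):
    """Return (attribute, body). The header is matched case-insensitively."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}") + 1
        attr = HEADER_TO_ATTR.get(stored[:end].lower())
        if attr:
            return attr, stored[end:]
    # No recognised header left: the value is treated as the clear text password.
    return "Cleartext-Password", stored

def check_pap(login, stored):
    """Model of the PAP comparison: pick the scheme from the header, then compare."""
    attr, body = split_header(stored)
    if attr == "Cleartext-Password":
        return hmac.compare_digest(login.encode(), body.encode())
    if attr == "SHA-Password":
        return hmac.compare_digest(hashlib.sha1(login.encode()).digest(),
                                   base64.b64decode(body))
    if attr == "SSHA-Password":
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(login.encode() + salt).digest(), digest)
    raise NotImplementedError(attr + " needs crypt(3), which this sketch omits")

if __name__ == "__main__":
    stored = make_ssha("test", b"constructed-salt")   # constructed sample value
    stripped = split_header(stored)[1]                # what is left once the header is removed
    print(check_pap("test", stored))      # header kept: hashed comparison
    print(check_pap("test", stripped))    # header stripped: hash compared as clear text
    print(check_pap(stripped, stripped))  # typing the hash itself "works", as in the thread
```

The second and third calls reproduce the symptom in the debug output above: with the header gone, the stored hash is compared as a clear text password, so only the hash string itself matches.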