Y'all: Maybe this question is obvious for somebody, but I haven't been able to find an answer so far. I'd appreciate any help on this.
I'm setting up freeradius 2.17 with OpenLDAP on CentOS 5.3 (using the pre-built RPM repository from http://people.redhat.com/jdennis/freeradius-rhel-centos). The system needs to authenticate at least two different ways by RADIUS (plus several others by LDAP, but that's all working fine). Currently one is working and the other is not. I've worked with freeradius/LDAP setups before, but it's been a couple of years since I last did it from scratch.

One client needs to talk MS-CHAP, and that's working great. If it matters, I'm happy to post logs of these sessions happening, but I presume that's irrelevant. The other client needs to talk PAP, and it's not working right at all.

In keeping with the frequent advice of this group, I've kept the config files as pristine as I can. Here are all the changes I've made since I last reverted to the default files:

[/etc/raddb]# diff ./sites-available/default.DIST ./sites-available/default
170c170
< # ldap
---
> ldap
[/etc/raddb]# diff ./modules/ldap.DIST ./modules/ldap
33c33
< server = "ldap.your.domain"
---
> server = ".org"
36c36
< basedn = "o=My Org,c=UA"
---
> basedn = "dc=my,dc=office,dc=org"
116c116
< # password_attribute = userPassword
---
> password_attribute = userPassword
[/etc/raddb]# diff ./modules/pap.DIST ./modules/pap
17c17
< auto_header = no
---
> auto_header = yes
[/etc/raddb]# diff ./clients.conf.DIST ./clients.conf
101c101
< secret = testing123
---
> secret = SharedSecret
234a235,240
>
> client 172.16.0.0/24 {
> secret = SharedSecret
> shortname = office-network
> }
>
[/etc/raddb]#

In fiddling over the past few days I've achieved several different failure modes, but here's what a session looks like now:

rad_recv: Access-Request packet from host 172.16.0.1 port 1078, id=36, length=82
        User-Name = "testuser"
        User-Password = "user"
        Service-Type = Authenticate-Only
        NAS-Identifier = "VPNSRV"
        Message-Authenticator = 0x8e--censored--db
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
[ldap] performing user authorization for testuser
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> testuser
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap] expand: dc=my,dc=office,dc=org -> dc=my,dc=office,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to muggins.my.office.org:389, authentication 0
rlm_ldap: bind as / to muggins.my.office.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=my,dc=office,dc=org, with filter (uid=testuser)
[ldap] Added User-Password = {SSHA}i9--censored--JI in check items
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x4338--censored--4531
rlm_ldap: sambaLmPassword -> LM-Password == 0x4637--censored--4545
[ldap] looking for reply items in directory...
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "user"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 36 to 172.16.0.1 port 1078
Waking up in 4.9 seconds.

The part that seems strange to me is that the system clearly identifies the type of passwords we are using ("Normalizing SSHA1-Password from base64 encoding" seems proof enough of that), but a couple of lines later PAP has decided to use CRYPT encryption for some reason. I can't imagine what I've done to make the system believe it should use CRYPT instead of SSHA. I've been developing a range of crazy theories as to what might be going on, but I think it's time for me to see what y'all have to say.

Thanks in advance for any guidance.

E.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
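Review bot: the sites-available/default hunk only uncomments `ldap` at line 170 and leaves `unix` enabled earlier in the authorize section, and the session log shows `++[unix] returns updated`, which is rlm_unix finding a local system account named testuser and adding a Crypt-Password check item from its passwd/shadow entry. No other module in this request adds a Crypt-Password (files is noop, ldap adds User-Password, NT-Password and LM-Password), so `[pap] Using CRYPT encryption` is pap comparing "user" against the local account's crypt hash rather than the {SSHA} value from the directory. Comment out `unix` in the authorize section of sites-available/default (or make sure the test user has no local account) so that only the directory supplies password check items, then re-run radiusd -X and confirm pap reports SSHA.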
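As an added example (not code from the original post or from FreeRADIUS), here is a stand-alone Python check of an RFC 2307 style {SSHA} userPassword value against a cleartext password, which is the comparison pap performs when it does use SSHA1-Password; running it against the value stored in the directory shows whether the hash itself matches the test password, independently of which check item pap picked. The hash and salt below are constructed, since the post's real hash is censored.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ldap_password(stored: str, password: str) -> bool:
    """Check a cleartext password against a {SSHA} or {SHA} userPassword value.

    Unknown schemes (e.g. {CRYPT}) and malformed values return False rather
    than being guessed at, mirroring a strict check-item comparison.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored[1:].partition("}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return False
    candidate = password.encode("utf-8")
    if scheme.upper() == "SSHA":
        # SHA-1 digest is 20 bytes; everything after it is the salt.
        digest, salt = raw[:20], raw[20:]
        if len(digest) != 20:
            return False
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if scheme.upper() == "SHA":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), raw)
    return False


if __name__ == "__main__":
    # Constructed sample: a fixed salt so the value is reproducible.
    sample = make_ssha("user", salt=b"\x01\x02\x03\x04")
    print(sample, verify_ldap_password(sample, "user"))
```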