As you can see, there is a try with PAP after LDAP. Is there something I have to modify, in your opinion?
Thanks,
Max

Wed Jul 20 13:35:25 2011 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Jul 20 13:35:25 2011 : Info: ++[ldap] returns ok
Wed Jul 20 13:35:25 2011 : Info: ++[expiration] returns noop
Wed Jul 20 13:35:25 2011 : Info: ++[logintime] returns noop
Wed Jul 20 13:35:25 2011 : Info: ++[pap] returns updated
Wed Jul 20 13:35:25 2011 : Info: Found Auth-Type = PAP
Wed Jul 20 13:35:25 2011 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jul 20 13:35:25 2011 : Info: !!! Replacing User-Password in config items with Cleartext-Password. !!!
Wed Jul 20 13:35:25 2011 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jul 20 13:35:25 2011 : Info: !!! Please update your configuration so that the "known good" !!!
Wed Jul 20 13:35:25 2011 : Info: !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Wed Jul 20 13:35:25 2011 : Info: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Wed Jul 20 13:35:25 2011 : Info: +- entering group PAP {...}
Wed Jul 20 13:35:25 2011 : Info: [pap] login attempt with password "121212"
Wed Jul 20 13:35:25 2011 : Info: [pap] Using clear text password "121212 "
Wed Jul 20 13:35:25 2011 : Info: [pap] Passwords don't match
Wed Jul 20 13:35:25 2011 : Info: ++[pap] returns reject
Wed Jul 20 13:35:25 2011 : Info: Failed to authenticate the user.
Wed Jul 20 13:35:25 2011 : Info: Using Post-Auth-Type Reject
Wed Jul 20 13:35:25 2011 : Info: +- entering group REJECT {...}
Wed Jul 20 13:35:25 2011 : Info: [attr_filter.access_reject] expand: %{User-Name} -> ldapuser
Wed Jul 20 13:35:25 2011 : Debug: attr_filter: Matched entry DEFAULT at line 11
Wed Jul 20 13:35:25 2011 : Info: ++[attr_filter.access_reject] returns updated
Wed Jul 20 13:35:25 2011 : Info: Delaying reject of request 0 for 1 seconds
Wed Jul 20 13:35:25 2011 : Debug: Going to the next request
Wed Jul 20 13:35:25 2011 : Debug: Waking up in 0.7 seconds.
Wed Jul 20 13:35:26 2011 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 64 to 127.0.0.1 port 44404

On 20/07/11 18.07, u...@3.am wrote:
>
> You're using LDAP with POSIX type users, including shadow passwords. I'm pretty
> sure this means you cannot use CHAP on the client end, but must use PAP. Somebody
> can correct me if I'm wrong about this.
>
> While they are at it, maybe they can let me know how to get FreeRADIUS to respect
> the shadow password aging attributes. :-/
>
>> On 20/07/11 10.19, Fajar A. Nugraha-2 [via FreeRadius] wrote:
>>> On Wed, Jul 20, 2011 at 3:07 PM, m4xmr <[hidden email]> wrote:
>>>> Hello,
>>>> I'm trying to make LDAP work as an authentication backend for RADIUS.
>>>> I verified that the data are right and the query to LDAP is working properly
>>>> if I use ldapsearch.
>>>
>>> does LDAP BIND work correctly using ldapsearch (i.e. ldapsearch -D)
>>
>> I tried: ldapsearch -x -b "dc=example,dc=com" "uid=ldapuser"
>> and it works well:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=example,dc=com> with scope subtree
>> # filter: uid=ldapuser
>> # requesting: ALL
>> #
>>
>> # ldapuser, People, example.com
>> dn: uid=ldapuser,ou=People,dc=example,dc=com
>> uid: ldapuser
>> cn: ldapuser
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: shadowAccount
>> userPassword:: MTIxMjEyIA==
>> shadowLastChange: 15174
>> shadowMin: 0
>> shadowMax: 99999
>> shadowWarning: 7
>> loginShell: /bin/bash
>> uidNumber: 500
>> gidNumber: 100
>> homeDirectory: /home/ldapuser
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>>
>>>> rad_recv: Access-Request packet from host 127.0.0.1:59221, id=78, length=60
>>>> User-Name = "ldapuser"
>>>> User-Password = "121212"
>>>
>>>> rlm_ldap: Setting Auth-Type = ldap
>>>
>>> Hmmm ... that's odd. I thought rlm_ldap was supposed to just grab
>>> attributes (e.g. Cleartext-Password) and not set the Auth-Type? Are
>>> you doing anything special like forcing Auth-Type := LDAP?
>>
>> I was following a tutorial, this one:
>>
>> http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
>>>
>>>> rlm_ldap: user ldapuser authorized to use remote access
>>>
>>> this line says there's a user called ldapuser
>>>
>>>> rlm_ldap: - authenticate
>>>> rlm_ldap: login attempt by "ldapuser" with password "121212"
>>>> rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
>>>> rlm_ldap: (re)connect to localhost:389, authentication 1
>>>> rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/121212 to
>>>> localhost:389
>>>> rlm_ldap: waiting for bind result ...
>>>> rlm_ldap: Bind failed with invalid credentials
>>>
>>> ... while this one says the bind failed. Is the password correct?
>>
>> I configured that password..., it could be some problem of hashing..., maybe.
>>
>> Anyway I have upgraded to FreeRADIUS Version 2.1.7
>> this is the output of radiusd -X
>>
>> radiusd -X
>> FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
>> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
>> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
>> PARTICULAR PURPOSE.
>> You may redistribute copies of FreeRADIUS under the terms of the
>> GNU General Public License v2.
>> Starting - reading configuration files ...
>> including configuration file /etc/raddb/radiusd.conf
>> including configuration file /etc/raddb/proxy.conf
>> including configuration file /etc/raddb/clients.conf
>> including files in directory /etc/raddb/modules/
>> including configuration file /etc/raddb/modules/digest
>> including configuration file /etc/raddb/modules/exec
>> including configuration file /etc/raddb/modules/cui
>> including configuration file /etc/raddb/modules/realm
>> including configuration file /etc/raddb/modules/attr_rewrite
>> including configuration file /etc/raddb/modules/radutmp
>> including configuration file /etc/raddb/modules/sradutmp
>> including configuration file /etc/raddb/modules/detail.example.com
>> including configuration file /etc/raddb/modules/linelog
>> including configuration file /etc/raddb/modules/smsotp
>> including configuration file /etc/raddb/modules/ippool
>> including configuration file /etc/raddb/modules/wimax
>> including configuration file /etc/raddb/modules/detail
>> including configuration file /etc/raddb/modules/inner-eap
>> including configuration file /etc/raddb/modules/passwd
>> including configuration file /etc/raddb/modules/mschap
>> including configuration file /etc/raddb/modules/files
>> including configuration file /etc/raddb/modules/smbpasswd
>> including configuration file /etc/raddb/modules/ldap
>> including configuration file /etc/raddb/modules/etc_group
>> including configuration file /etc/raddb/modules/always
>> including configuration file /etc/raddb/modules/counter
>> including configuration file /etc/raddb/modules/echo
>> including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
>> including configuration file /etc/raddb/modules/checkval
>> including configuration file /etc/raddb/modules/sql_log
>> including configuration file /etc/raddb/modules/pam
>> including configuration file /etc/raddb/modules/mac2vlan
>> including configuration file /etc/raddb/modules/chap
>> including configuration file /etc/raddb/modules/pap
>> including configuration file /etc/raddb/modules/mac2ip
>> including configuration file /etc/raddb/modules/otp
>> including configuration file /etc/raddb/modules/unix
>> including configuration file /etc/raddb/modules/policy
>> including configuration file /etc/raddb/modules/detail.log
>> including configuration file /etc/raddb/modules/attr_filter
>> including configuration file /etc/raddb/modules/acct_unique
>> including configuration file /etc/raddb/modules/expr
>> including configuration file /etc/raddb/modules/expiration
>> including configuration file /etc/raddb/modules/logintime
>> including configuration file /etc/raddb/modules/perl
>> including configuration file /etc/raddb/modules/preprocess
>> including configuration file /etc/raddb/eap.conf
>> including configuration file /etc/raddb/policy.conf
>> including files in directory /etc/raddb/sites-enabled/
>> including configuration file /etc/raddb/sites-enabled/default
>> including configuration file /etc/raddb/sites-enabled/inner-tunnel
>> including configuration file /etc/raddb/sites-enabled/control-socket
>> group = radiusd
>> user = radiusd
>> including dictionary file /etc/raddb/dictionary
>> main {
>> prefix = "/usr"
>> localstatedir = "/var"
>> logdir = "/var/log/radius"
>> libdir = "/usr/lib/freeradius"
>> radacctdir = "/var/log/radius/radacct"
>> hostname_lookups = no
>> max_request_time = 30
>> cleanup_delay = 5
>> max_requests = 1024
>> allow_core_dumps = no
>> pidfile = "/var/run/radiusd/radiusd.pid"
>> checkrad = "/usr/sbin/checkrad"
>> debug_level = 0
>> proxy_requests = yes
>> log {
>> stripped_names = no
>> auth = no
>> auth_badpass = no
>> auth_goodpass = no
>> }
>> security {
>> max_attributes = 200
>> reject_delay = 1
>> status_server = yes
>> }
>> }
>> radiusd: #### Loading Realms and Home Servers ####
>> proxy server {
>> retry_delay = 5
>> retry_count = 3
>> default_fallback = no
>> dead_time = 120
>> wake_all_if_all_dead = no
>> }
>> home_server localhost {
>> ipaddr = 127.0.0.1
>> port = 1812
>> type = "auth"
>> secret = "testing123"
>> response_window = 20
>> max_outstanding = 65536
>> require_message_authenticator = no
>> zombie_period = 40
>> status_check = "status-server"
>> ping_interval = 30
>> check_interval = 30
>> num_answers_to_alive = 3
>> num_pings_to_alive = 3
>> revive_interval = 120
>> status_check_timeout = 4
>> irt = 2
>> mrt = 16
>> mrc = 5
>> mrd = 30
>> }
>> home_server_pool my_auth_failover {
>> type = fail-over
>> home_server = localhost
>> }
>> realm example.com {
>> auth_pool = my_auth_failover
>> }
>> realm LOCAL {
>> }
>> radiusd: #### Loading Clients ####
>> client localhost {
>> ipaddr = 127.0.0.1
>> require_message_authenticator = no
>> secret = "testing123"
>> nastype = "other"
>> }
>> radiusd: #### Instantiating modules ####
>> instantiate {
>> Module: Linked to module rlm_exec
>> Module: Instantiating exec
>> exec {
>> wait = no
>> input_pairs = "request"
>> shell_escape = yes
>> }
>> Module: Linked to module rlm_expr
>> Module: Instantiating expr
>> Module: Linked to module rlm_expiration
>> Module: Instantiating expiration
>> expiration {
>> reply-message = "Password Has Expired "
>> }
>> Module: Linked to module rlm_logintime
>> Module: Instantiating logintime
>> logintime {
>> reply-message = "You are calling outside your allowed timespan "
>> minimum-timeout = 60
>> }
>> }
>> radiusd: #### Loading Virtual Servers ####
>> server inner-tunnel {
>> modules {
>> Module: Checking authenticate {...} for more modules to load
>> Module: Linked to module rlm_pap
>> Module: Instantiating pap
>> pap {
>> encryption_scheme = "auto"
>> auto_header = no
>> }
>> Module: Linked to module rlm_chap
>> Module: Instantiating chap
>> Module: Linked to module rlm_mschap
>> Module: Instantiating mschap
>> mschap {
>> use_mppe = yes
>> require_encryption = no
>> require_strong = no
>> with_ntdomain_hack = no
>> }
>> Module: Linked to module rlm_unix
>> Module: Instantiating unix
>> unix {
>> radwtmp = "/var/log/radius/radwtmp"
>> }
>> Module: Linked to module rlm_eap
>> Module: Instantiating eap
>> eap {
>> default_eap_type = "md5"
>> timer_expire = 60
>> ignore_unknown_eap_types = no
>> cisco_accounting_username_bug = no
>> max_sessions = 2048
>> }
>> Module: Linked to sub-module rlm_eap_md5
>> Module: Instantiating eap-md5
>> Module: Linked to sub-module rlm_eap_leap
>> Module: Instantiating eap-leap
>> Module: Linked to sub-module rlm_eap_gtc
>> Module: Instantiating eap-gtc
>> gtc {
>> challenge = "Password: "
>> auth_type = "PAP"
>> }
>> Module: Linked to sub-module rlm_eap_tls
>> Module: Instantiating eap-tls
>> tls {
>> rsa_key_exchange = no
>> dh_key_exchange = yes
>> rsa_key_length = 512
>> dh_key_length = 512
>> verify_depth = 0
>> pem_file_type = yes
>> private_key_file = "/etc/raddb/certs/server.pem"
>> certificate_file = "/etc/raddb/certs/server.pem"
>> CA_file = "/etc/raddb/certs/ca.pem"
>> private_key_password = "whatever"
>> dh_file = "/etc/raddb/certs/dh"
>> random_file = "/etc/raddb/certs/random"
>> fragment_size = 1024
>> include_length = yes
>> check_crl = no
>> cipher_list = "DEFAULT"
>> make_cert_command = "/etc/raddb/certs/bootstrap"
>> cache {
>> enable = no
>> lifetime = 24
>> max_entries = 255
>> }
>> }
>> Module: Linked to sub-module rlm_eap_ttls
>> Module: Instantiating eap-ttls
>> ttls {
>> default_eap_type = "md5"
>> copy_request_to_tunnel = no
>> use_tunneled_reply = no
>> virtual_server = "inner-tunnel"
>> include_length = yes
>> }
>> Module: Linked to sub-module rlm_eap_peap
>> Module: Instantiating eap-peap
>> peap {
>> default_eap_type = "mschapv2"
>> copy_request_to_tunnel = no
>> use_tunneled_reply = no
>> proxy_tunneled_request_as_eap = yes
>> virtual_server = "inner-tunnel"
>> }
>> Module: Linked to sub-module rlm_eap_mschapv2
>> Module: Instantiating eap-mschapv2
>> mschapv2 {
>> with_ntdomain_hack = no
>> }
>> Module: Checking authorize {...} for more modules to load
>> Module: Linked to module rlm_realm
>> Module: Instantiating suffix
>> realm suffix {
>> format = "suffix"
>> delimiter = "@"
>> ignore_default = no
>> ignore_null = no
>> }
>> Module: Linked to module rlm_files
>> Module: Instantiating files
>> files {
>> usersfile = "/etc/raddb/users"
>> acctusersfile = "/etc/raddb/acct_users"
>> preproxy_usersfile = "/etc/raddb/preproxy_users"
>> compat = "no"
>> }
>> Module: Checking session {...} for more modules to load
>> Module: Linked to module rlm_radutmp
>> Module: Instantiating radutmp
>> radutmp {
>> filename = "/var/log/radius/radutmp"
>> username = "%{User-Name}"
>> case_sensitive = yes
>> check_with_nas = yes
>> perm = 384
>> callerid = yes
>> }
>> Module: Checking post-proxy {...} for more modules to load
>> Module: Checking post-auth {...} for more modules to load
>> Module: Linked to module rlm_attr_filter
>> Module: Instantiating attr_filter.access_reject
>> attr_filter attr_filter.access_reject {
>> attrsfile = "/etc/raddb/attrs.access_reject"
>> key = "%{User-Name}"
>> }
>> } # modules
>> } # server
>> server {
>> modules {
>> Module: Checking authenticate {...} for more modules to load
>> Module: Linked to module rlm_ldap
>> Module: Instantiating ldap
>> ldap {
>> server = "localhost"
>> port = 389
>> password = ""
>> identity = ""
>> net_timeout = 1
>> timeout = 4
>> timelimit = 3
>> tls_mode = no
>> start_tls = no
>> tls_require_cert = "allow"
>> tls {
>> start_tls = no
>> require_cert = "allow"
>> }
>> basedn = "dc=example,dc=com"
>> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>> base_filter = "(objectclass=radiusprofile)"
>> auto_header = no
>> access_attr_used_for_allow = yes
>> groupname_attribute = "cn"
>> groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>> dictionary_mapping = "/etc/raddb/ldap.attrmap"
>> ldap_debug = 0
>> ldap_connections_number = 5
>> compare_check_items = no
>> do_xlat = yes
>> set_auth_type = yes
>> }
>> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
>> rlm_ldap: Registering ldap_xlat with xlat_name ldap
>> rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
>> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
>> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
>> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
>> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
>> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
>> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
>> rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
>> rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
>> rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
>> rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
>> rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
>> rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
>> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
>> rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
>> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
>> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
>> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
>> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
>> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
>> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
>> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
>> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
>> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
>> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
>> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
>> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
>> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
>> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
>> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
>> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
>> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
>> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
>> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
>> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
>> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
>> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
>> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
>> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
>> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
>> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
>> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
>> rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
>> rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
>> rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
>> rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
>> conns: 0x89d0250
>> Module: Checking authorize {...} for more modules to load
>> Module: Linked to module rlm_preprocess
>> Module: Instantiating preprocess
>> preprocess {
>> huntgroups = "/etc/raddb/huntgroups"
>> hints = "/etc/raddb/hints"
>> with_ascend_hack = no
>> ascend_channels_per_line = 23
>> with_ntdomain_hack = no
>> with_specialix_jetstream_hack = no
>> with_cisco_vsa_hack = no
>> with_alvarion_vsa_hack = no
>> }
>> Module: Checking preacct {...} for more modules to load
>> Module: Linked to module rlm_acct_unique
>> Module: Instantiating acct_unique
>> acct_unique {
>> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>> }
>> Module: Checking accounting {...} for more modules to load
>> Module: Linked to module rlm_detail
>> Module: Instantiating detail
>> detail {
>> detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>> header = "%t"
>> detailperm = 384
>> dirperm = 493
>> locking = no
>> log_packet_header = no
>> }
>> Module: Instantiating attr_filter.accounting_response
>> attr_filter attr_filter.accounting_response {
>> attrsfile = "/etc/raddb/attrs.accounting_response"
>> key = "%{User-Name}"
>> }
>> Module: Checking session {...} for more modules to load
>> Module: Checking post-proxy {...} for more modules to load
>> Module: Checking post-auth {...} for more modules to load
>> } # modules
>> } # server
>> radiusd: #### Opening IP addresses and Ports ####
>> listen {
>> type = "auth"
>> ipaddr = *
>> port = 0
>> }
>> listen {
>> type = "acct"
>> ipaddr = *
>> port = 0
>> }
>> listen {
>> type = "control"
>> listen {
>> socket = "/var/run/radiusd/radiusd.sock"
>> }
>> }
>> Listening on authentication address * port 1812
>> Listening on accounting address * port 1813
>> Listening on command file /var/run/radiusd/radiusd.sock
>> Listening on proxy address * port 1814
>> Ready to process requests.
>>
>> --->
>>
>> NOW, when I try the auth:
>> radtest ldapuser 121212 localhost 2 testing123
>>
>> I get this output on the client side
>>
>> Sending Access-Request of id 207 to 127.0.0.1 port 1812
>> User-Name = "ldapuser"
>> User-Password = "MTIxMjEyIA=="
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 2
>> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=207, length=20
>>
>> AND this one on the radius server side:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 36725, id=207, length=60
>> User-Name = "ldapuser"
>> User-Password = "MTIxMjEyIA=="
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 2
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[unix] returns notfound
>> ++[files] returns noop
>> [ldap] performing user authorization for ldapuser
>> [ldap] expand: %{Stripped-User-Name} ->
>> [ldap] expand: %{User-Name} -> ldapuser
>> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser)
>> [ldap] expand: dc=example,dc=com -> dc=example,dc=com
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to localhost:389, authentication 0
>> rlm_ldap: bind as / to localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser)
>> [ldap] looking for check items in directory...
>> [ldap] looking for reply items in directory...
>> WARNING: No "known good" password was found in LDAP. Are you sure that
>> the user is configured correctly?
>> [ldap] Setting Auth-Type = LDAP
>> [ldap] user ldapuser authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [pap] WARNING! No "known good" password found for the user.
>> Authentication may fail because of this.
>> ++[pap] returns noop
>> Found Auth-Type = LDAP
>> +- entering group LDAP {...}
>> [ldap] login attempt by "ldapuser" with password "MTIxMjEyIA=="
>> [ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com
>> rlm_ldap: (re)connect to localhost:389, authentication 1
>> rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA== to localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind failed with invalid credentials
>> ++[ldap] returns reject
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> +- entering group REJECT {...}
>> [attr_filter.access_reject] expand: %{User-Name} -> ldapuser
>> attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>> Going to the next request
>> Waking up in 0.5 seconds.
>> Sending delayed reject for request 0
>> Sending Access-Reject of id 207 to 127.0.0.1 port 36725
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 207 with timestamp +1224
>> Ready to process requests.
>>
>> Do you have any idea?
>> Am I not seeing something?
>>
>>
>> Regards,
>> Max
>>
>>
>>>
>>> --
>>> Fajar
>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
>> --
>> View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-LDAP-tp4615085p4615357.html
>> Sent from the FreeRadius - User mailing list archive at Nabble.com.

--
:: P u r p l e s r l
:: security and network
:: via Vittorio Veneto 8/B
:: i-20091 Bresso - Milano
:: web: www.purplesrl.com
:: Massimiliano Tommasi
:: email: m.tomm...@purplesrl.com
:: phone: +39 02 36687280
:: fax: +39 02 700511249
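Two details in the thread point at the same thing: ldapsearch printed the entry as "userPassword:: MTIxMjEyIA==" (the double colon means base64), and the later PAP debug line shows the decoded value as "121212 " with a trailing space, which is why both the simple bind and the PAP comparison reject "121212". The following script is an added diagnostic, not code from the thread or from FreeRADIUS: it parses the base64 LDIF syntax, decodes the stored value, and classifies a mismatch against a candidate password so a whitespace-only difference is visible before touching the RADIUS config. SAMPLE_LDIF is constructed from the entry quoted above; the function names are the author's own.

```python
import base64

# Constructed sample: the entry from the ldapsearch output quoted in the
# thread, reduced to the attributes that matter for authentication.
SAMPLE_LDIF = """\
# ldapuser, People, example.com
dn: uid=ldapuser,ou=People,dc=example,dc=com
uid: ldapuser
objectClass: posixAccount
objectClass: shadowAccount
userPassword:: MTIxMjEyIA==
shadowLastChange: 15174
shadowMax: 99999
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Two value syntaxes are handled (RFC 2849):
      attr: value    plain value
      attr:: b64     base64-encoded value. OpenLDAP's ldapsearch falls back
                     to this when the value holds non-ASCII or control bytes
                     or starts/ends with a space, so '::' on userPassword is
                     itself a hint that the stored value is not what was typed.
    Continuation lines (leading space) are folded onto the preceding line.
    """
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            folded.append(raw)

    entry = {}
    for line in folded:
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()  # LDIF allows one optional space after ':'
        entry.setdefault(attr, []).append(value)
    return entry


def stored_password(entry):
    """Return the userPassword value a simple bind would be checked against."""
    values = entry.get("userPassword", [])
    return values[0] if values else None


def diagnose(stored, supplied):
    """Classify why an exact comparison (LDAP simple bind, or FreeRADIUS PAP
    against Cleartext-Password) fails.  Returns one of: 'match',
    'no stored password', 'hashed value', 'whitespace-only mismatch',
    'case-only mismatch', 'mismatch'."""
    if stored is None:
        return "no stored password"
    if stored == supplied:
        return "match"
    if stored.startswith("{"):  # {SSHA}..., {CRYPT}...: not comparable in clear
        return "hashed value"
    if stored.strip() == supplied.strip():
        return "whitespace-only mismatch"
    if stored.lower() == supplied.lower():
        return "case-only mismatch"
    return "mismatch"


def report(ldif_text, supplied):
    """One-line summary; repr() makes leading/trailing whitespace visible."""
    stored = stored_password(parse_ldif_entry(ldif_text))
    verdict = diagnose(stored, supplied)
    return "stored=%r (len %d) supplied=%r (len %d): %s" % (
        stored, len(stored or ""), supplied, len(supplied), verdict)


if __name__ == "__main__":
    # The thread's case: the directory holds "121212 " (trailing space) while
    # the client sends "121212", so the bind and the PAP comparison both fail.
    print(report(SAMPLE_LDIF, "121212"))
```

The same check from a shell is `printf '%s' 'MTIxMjEyIA==' | base64 -d | od -c`, which prints the trailing 0x20 byte. Once the directory value is corrected, the FreeRADIUS debug line "[pap] Using clear text password" should show the value without the trailing space and the bind in the LDAP group succeeds.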