Title: RE: freeradius ldap and chap authentication problems
Something is not ok yet:
radiusd.conf:
ldap {
    Auth-Type := LDAP
    server = "ldap.gemnet.nl"
    identity = "cn=directory manager"
    password = dirmgr12
    basedn = "c=NL"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = no
    tls_mode = no
    profile_attribute = "radiusProfileDn"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    password_attribute = "userPassword"
    password_header = "{clear}"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}
<<<<<>>>>
authorize {
    preprocess
    ldap {
        notfound = return
    }
    chap
    sql
}
authenticate {
    authtype CHAP {
        chap
    }
}
<<<<<<>>>>>>>>>>>>>>>>>>>>>>>
Radius.log after dial-in:
rad_recv: Access-Request packet from host 172.25.108.209:1814, id=21, length=133
NAS-IP-Address = 172.28.192.1
NAS-Port = 5
NAS-Port-Type = Virtual
User-Name = "[EMAIL PROTECTED]"
Called-Station-Id = "578750011"
Calling-Station-Id = "555778822"
CHAP-Password = 0x6da696ba2e24f6b98e7875851e1b02b55f
Service-Type = Framed-User
Framed-Protocol = PPP
Proxy-State = 0x313435
CHAP-Challenge = "\352\362\221\202\333O{' \341\270\345^3"3"
modcall: entering group authorize
hints: Matched DEFAULT at 63
modcall[authorize]: module "preprocess" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for tjeerd
radius_xlat: '(uid=tjeerd)'
radius_xlat: 'c=NL'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.gemnet.nl:389, authentication 0
rlm_ldap: bind as cn=directory manager/dirmgr12 to ldap.gemnet.nl:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in c=NL, with filter (uid=tjeerd)
rlm_ldap: Password header not found in password {SSHA}J+fitIGC+3np1EKD3PFs/y04OAT9KBNEES2ZQA== for user tjeerd
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value { & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user tjeerd authorized to use remote access
ldap_release_conn: Release Id: 0
Tjeerd
> -----Original Message-
> From: Kostas Kalevras [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday 4 June 2003 22:35
> To: [EMAIL PROTECTED]
> Subject: RE: freeradius ldap and chap authentication problems
>
>
> On Tue, 3 Jun 2003, Tjeerd Bos wrote:
>
> > >"Tjeerd Bos" <[EMAIL PROTECTED]> wrote:
> > >> rlm_chap: login attempt by "tjeerd" with CHAP password bip=C2v!?=F1?e=E7?= 5??=FA=E4
> > >> rlm_chap: Using clear text password { for user tjeerd authentication.
>
> !!!
>
> Ok, without looking at your rlm_ldap config I can bet that you have
> configured the password_header directive wrong. Fix it and it will work.
>
> > >> rlm_chap: Pasword check failed
> > >Does that make ANY sense? Alan DeKok.
> >
> > When I use sql authentication with authentication protocol chap instead of
> > ldap authentication it's working fine.
> > In ldap the passwords are stored in clear text.
> > The problem is that the incoming request at the ggaaa server is a chap
> > challenge. It is not possible to reconstruct the password in clear text from
> > this challenge. The ldap authentication will fail.
> > When I use the radtest command on the bbaaa server the password is in clear
> > text. With this clear text password the authentication to ldap is ok.
> >
> >
> > with regards,
> >
> > Tjeerd Bos
> >
> >
> > PinkRoccade Infrastructure Services
> > Trusted Services
> > Apeldoorn
> >
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
>
>
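Added example, not part of the original thread and not FreeRADIUS code: a sketch of why a CHAP check (RFC 1994) only succeeds against a cleartext password, while a directory value like the {SSHA} one in the log above can only be checked when the client sends the password itself, as radtest does with PAP. The helper names and all sample values are constructed for illustration; strip_header is a hypothetical stand-in for a configured password prefix, not rlm_ldap's implementation.

```python
import base64, hashlib, hmac

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def verify_chap(attr: bytes, challenge: bytes, stored: bytes) -> bool:
    # CHAP-Password (RFC 2865) = 1-byte CHAP id + 16-byte response; `stored` must be cleartext.
    if len(attr) != 17:
        return False
    return hmac.compare_digest(attr[1:], chap_response(attr[0], stored, challenge))

def make_ssha(password: bytes, salt: bytes) -> bytes:
    # LDAP salted SHA-1: "{SSHA}" + base64(SHA1(password || salt) || salt)
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)

def verify_ssha(stored: bytes, candidate: bytes) -> bool:
    # Needs the cleartext candidate: PAP carries it, CHAP never does.
    if not stored.upper().startswith(b"{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    return hmac.compare_digest(raw[:20], hashlib.sha1(candidate + raw[20:]).digest())

def strip_header(stored: bytes, header: bytes):
    # Hypothetical helper (not rlm_ldap code): drop a configured prefix such as
    # "{clear}" and report whether it was present.
    if stored[:len(header)].lower() == header.lower():
        return stored[len(header):], True
    return stored, False

# Constructed sample values, not taken from the thread.
PASSWORD = b"example-pass"
CHALLENGE = bytes(range(16))
CHAP_ATTR = bytes([0x6D]) + chap_response(0x6D, PASSWORD, CHALLENGE)
SSHA_VALUE = make_ssha(PASSWORD, b"\x01\x02\x03\x04")

def demo() -> dict:
    clear, clear_found = strip_header(b"{clear}" + PASSWORD, b"{clear}")
    hashed, hash_found = strip_header(SSHA_VALUE, b"{clear}")
    return {
        "clear_header_found": clear_found,
        "chap_with_cleartext": verify_chap(CHAP_ATTR, CHALLENGE, clear),
        "ssha_header_found": hash_found,
        "chap_with_ssha_value": verify_chap(CHAP_ATTR, CHALLENGE, hashed),
        "pap_style_ssha_check": verify_ssha(SSHA_VALUE, PASSWORD),
    }

if __name__ == "__main__":
    print(demo())
```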