Re: rlm_ldap wont authenticate

2006-04-05 Thread Natalia Escalera
Hello,
 
In your radiusd.conf:

    server = "localhost"
    identity = "cn=admin,o=My Org,c=UA"
    password = mypass
    basedn = "ou=People,dc=example,dc=com"

    password_attribute = "userPassword"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

make sure that you have the correct configuration for the variables listed above. If you do, and you still cannot authenticate a user, it may be that your LDAP server is returning referrals to other servers. To avoid referrals, go to your
ldap.conf on the FreeRADIUS server and add the line: referrals no
 
Hope it helps,
Natalia. 
 
On 4/3/06, monish ar <[EMAIL PROTECTED]> wrote:

I've tried to authenticate to an LDAP server through RADIUS using the rlm_ldap module.
I'm using FreeRADIUS 1.1.0 with OpenLDAP 2.1.8 with a bdb backend.
The problem is that the rlm_ldap module binds successfully to an authentication request in the authorization section, but fails to bind
when it is trying to authenticate. The log for the RADIUS server is given below along with the LDAP configuration... please help me out.
 
/* In the client terminal, now I've tried to authenticate with user: ldapuser
[EMAIL PROTECTED] ~]# radtest ldapuser ldapuser localhost 2 testing123
Sending Access-Request of id 119 to 127.0.0.1 port 1812
 
    User-Name = "ldapuser"
    User-Password = "ldapuser"
    NAS-IP-Address = 255.255.255.255
 
    NAS-Port = 2
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=119, length=20
 

// On the server side, response to ldapuser user authentication request...
rad_recv: Access-Request packet from host 127.0.0.1:32769, id=119, length=60
    User-Name = "ldapuser"
    User-Password = "ldapuser"
    NAS-IP-Address = 255.255.255.255
 
    NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403'
rlm_detail: /usr/local//var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local//var/log/radius/radacct/127.0.0.1/auth-detail-20060403 

  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "ldapuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0 
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 158
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat:  '(uid=ldapuser)'
radius_xlat:  'ou=People,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=ldapuser)
rlm_ldap: Added password {crypt}$1$nwby/I64$ORzJuBh4/Ec3c.FAt2oqV0 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "ldapuser" with password "ldapuser"
rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/ldapuser to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "ldap" returns reject for request 0
modcall: leaving group LDAP (returns reject) for request 0
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [ldapuser] (from client localhost port 2)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 127.0.0.1 port 32769
 
Waking up in 4 seconds...
 
// THE CONFIGURATION DETAILS REQUIRED FOR RLM_LDAP AUTHENTICATION ARE BELOW
 
/* example.com.
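Added example, not part of the thread: a small Python analyser for `radiusd -X` rlm_ldap output of the kind quoted above. It reports which identity the authorize-step search bound as, whether the directory handed that identity a password hash, how the authenticate-step bind as the user ended, and flags that the debug output itself carries clear-text passwords. The sample log is constructed to mirror the shape of the lines above; the hash, DNs, host and password in it are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the shape of the `radiusd -X` lines quoted above.
# The {crypt} hash, DNs, host and password are placeholders, not real values.
SAMPLE_LOG = """\
rlm_ldap: - authorize
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter (uid=ldapuser)
rlm_ldap: Added password {crypt}$1$PLACEHOLDER$PLACEHOLDERHASH in check items
rlm_ldap: - authenticate
rlm_ldap: login attempt by "ldapuser" with password "example-password"
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/example-password to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
Sending Access-Reject of id 119 to 127.0.0.1 port 32769
"""

PHASE_RE = re.compile(r"rlm_ldap: - (authorize|authenticate)$")
BIND_RE = re.compile(r"rlm_ldap: bind as (?P<dn>[^/]*)/(?P<pw>.*) to (?P<host>\S+)$")
LOGIN_RE = re.compile(r'rlm_ldap: login attempt by "[^"]*" with password ".*"$')
HASH_RE = re.compile(r"rlm_ldap: Added password \S+ in check items$")
VERDICT_RE = re.compile(r"Sending (Access-Accept|Access-Reject) of id ")


@dataclass
class BindEvent:
    phase: str             # "authorize" (search bind) or "authenticate" (bind as the user)
    dn: str                # empty string means an anonymous bind
    host: str
    password_logged: bool  # the debug line itself carried the bind password
    result: str = "no bind result seen"

    @property
    def ok(self) -> bool:
        return self.result == "Bind was successful"


@dataclass
class LdapAuthSummary:
    binds: list = field(default_factory=list)
    hash_disclosed: bool = False   # directory handed a password hash to the search bind
    password_logged: bool = False  # a clear-text password appeared in the debug output
    verdict: str = "unknown"
    findings: list = field(default_factory=list)


def analyse(log_text: str) -> LdapAuthSummary:
    """Walk the debug output line by line and summarise both rlm_ldap binds."""
    summary = LdapAuthSummary()
    phase, current = "unknown", None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PHASE_RE.match(line):
            phase = m.group(1)
        elif m := BIND_RE.match(line):
            current = BindEvent(phase, m.group("dn").strip(), m.group("host"),
                                password_logged=m.group("pw") != "")
            summary.binds.append(current)
            summary.password_logged |= current.password_logged
        elif line.startswith("rlm_ldap: Bind ") and current is not None:
            current.result = line[len("rlm_ldap: "):]   # "Bind was successful" / "Bind failed ..."
        elif LOGIN_RE.match(line):
            summary.password_logged = True
        elif HASH_RE.match(line):
            summary.hash_disclosed = True
        elif m := VERDICT_RE.match(line):
            summary.verdict = m.group(1)
    summary.findings = _findings(summary)
    return summary


def _findings(s: LdapAuthSummary) -> list:
    """Turn the parsed binds into the checks a reviewer of this log would make."""
    out = []
    search = next((b for b in s.binds if b.phase == "authorize"), None)
    user = next((b for b in s.binds if b.phase == "authenticate"), None)
    if search is not None and search.dn == "":
        out.append("authorize search used an anonymous bind; set identity/password in "
                   "the ldap {} block to a dedicated, least-privileged directory account")
        if s.hash_disclosed:
            out.append("directory returned a userPassword hash to an anonymous bind; "
                       "restrict read access to userPassword in the directory ACL")
    if user is not None and not user.ok:
        out.append(f"authenticate bind as {user.dn or '<anonymous>'} failed: {user.result}")
    if s.password_logged:
        out.append("debug output contains clear-text passwords; treat -X output as "
                   "sensitive and redact it before sharing")
    return out


if __name__ == "__main__":
    s = analyse(SAMPLE_LOG)
    for b in s.binds:
        print(f"{b.phase:12s} bind as {b.dn or '<anonymous>'} -> {b.result}")
    print("verdict:", s.verdict)
    for f in s.findings:
        print("finding:", f)
```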

Re: special characters in passwords + FR + ldap

2006-03-31 Thread Natalia Escalera
Hi,
 
Thank you for the support, we will try it out in that way. 
 
Natalia 
On 3/30/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Natalia Escalera" <[EMAIL PROTECTED]> wrote:
> > Command:
> > /usr/local/bin/radtest username "test$2006" x.x.x.x 1 test123
> > Output:
> > Sending Access-Request of id 215 to x.x.x.x port 1812
> >     User-Name = "username"
> >     User-Password = "test006"    #<- No dollar sign, no number 2
>
> $2 is a Unix shell variable.  This has nothing to do with FreeRADIUS.
>
> /usr/local/bin/radtest username 'test$2006' x.x.x.x 1 test123
>
> will work.  Note SINGLE quotes, not DOUBLE quotes.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: special characters in passwords + FR + ldap

2006-03-28 Thread Natalia Escalera
Hello,

We tried FR 1.1.1 and we are still having problems with passwords containing special characters like '$' for the LDAP authentication. In FR 1.1.0 the '$' was replaced by a character such as '%24'. For the new version, the symbol '$' is deleted as well as the character that is next to it. Here is an example of the executed command and its output:

Command:
/usr/local/bin/radtest username "test$2006" x.x.x.x 1 test123

Output:
Sending Access-Request of id 215 to x.x.x.x port 1812
    User-Name = "username"
    User-Password = "test006"    #<- No dollar sign, no number 2
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1
rad_recv: Access-Reject packet from host x.x.x.x:1812, id=215, length=20

Can this situation be considered please?

Thank you in advance,
Natalia.

On 3/27/06, Natalia Escalera <[EMAIL PROTECTED]> wrote:
> Hi,
>
> We will try the new version and see if the problem was fixed.
>
> Thanks a lot.
> Natalia.
>
> On 3/27/06, Turtiainen, Tero <[EMAIL PROTECTED]> wrote:
> >
> > Hi,
> >
> > > From: "Natalia Escalera" <[EMAIL PROTECTED]>
> > >
> > > I was wondering if someone has any idea of how to solve the problem of
> > > special characters(e.g. $) in FreeRadius 1.1.0.
> >
> > Have you tried FreeRADIUS 1.1. which was released last week?
> >
> > According to the ChangeLog the bug #261 has been fixed and it was the
> > "attributes retreived from ldap are truncated at first space" bug, which
> > sounded very similar to our problem:
> > http://bugs.freeradius.org/show_bug.cgi?id=261
> > --
> > Tero Turtiainen
> > Technology Services
> > Capgemini
> > [EMAIL PROTECTED]
> >
> > This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

Re: special characters in passwords + FR + ldap

2006-03-27 Thread Natalia Escalera
Hi,

We will try the new version and see if the problem was fixed.

Thanks a lot.
Natalia.

On 3/27/06, Turtiainen, Tero <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> > From: "Natalia Escalera" <[EMAIL PROTECTED]>
> >
> > I was wondering if someone has any idea of how to solve the problem of
> > special characters(e.g. $) in FreeRadius 1.1.0.
>
> Have you tried FreeRADIUS 1.1. which was released last week?
>
> According to the ChangeLog the bug #261 has been fixed and it was the
> "attributes retreived from ldap are truncated at first space" bug, which
> sounded very similar to our problem:
> http://bugs.freeradius.org/show_bug.cgi?id=261
> --
> Tero Turtiainen
> Technology Services
> Capgemini
> [EMAIL PROTECTED]
>
>
>
>



Re: special characters in passwords + FR + ldap

2006-03-24 Thread Natalia Escalera
Hi,

I was wondering if someone has any idea of how to solve the problem of
special characters(e.g. $) in FreeRadius 1.1.0.

Help is very appreciated. Thank you,
Natalia.


On 3/10/06, Natalia Escalera <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Do you have any suggestion of how to fix the problem?
>
> Thanks,
> Natalia.
>
> On 3/9/06, Natalia Escalera <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > > how did you patch?
> >
> > What I did is that I took the rlm_ldap.c from FR 1.1.0 and replaced
> > the content of the function ldap_pairget with the code shown on
> > http://bugs.freeradius.org/showattachment.cgi?attach_id=112. Then I
> > execute the './configure' and 'make' commands
> >
> > Natalia.
> >
> > On 3/9/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > > I attached a copy of the file rlm_ldap.c of radius 1.1.0
> > >
> > > yes, your patched version is clearly borked - as you can see from
> > > this snippet.
> > >
> > > >   int vals_count;
> > > >   int vals_idx;
> > > >   char   *ptr;
> > > >   char   *value;
> > > >   TLDAP_RADIUS   *element;
> > > >   LRAD_TOKEN  token;
> > > >   LRAD_TOKEN  token, operator;
> > > >   int is_generic_attribute;
> > > >   char value[256];
> > > >   char buf[MAX_STRING_LEN];
> > > >   VALUE_PAIR *pairlist = NULL;
> > > >   VALUE_PAIR *newpair = NULL;
> > > >   char do_xlat = FALSE;
> > >
> > > LRAD_TOKEN has dual definitions. it should look similar to:
> > >
> > >char  **vals;
> > >int vals_count;
> > >int vals_idx;
> > >char   *ptr;
> > >char   *value;
> > >TLDAP_RADIUS   *element;
> > >LRAD_TOKEN  token, operator;
> > >int is_generic_attribute;
> > >    char buf[MAX_STRING_LEN];
> > >    VALUE_PAIR *pairlist = NULL;
> > >    VALUE_PAIR *newpair = NULL;
> > >    char do_xlat = FALSE;
> > >
> > > how did you patch? I notice that the patch is no longer clean against the
> > > 1.1.x CVS code...which means that more headaches will occur. someone with
> > > the drive/desire needs to modify the patch for the more recent source
> > >
> > > alan
> > >
> >
>



Re: Avoiding ldapsearch on LDAP authentication

2006-03-20 Thread Natalia Escalera
Hello,

It is my understanding that FreeRADIUS uses an LDAP search in order to
authenticate users and that the LDAP bind is used to point to the
location where the search will be done at the LDAP server.

I am using FR 1.1.0 but I think it is a similar configuration in your FR version.

#users file
   DEFAULT Auth-Type := LDAP
   Fall-Through = 1


>  rlm_ldap: object not found or got ambiguous search result
Check your basedn in radiusd.conf

For debugging I recommend that you use Ethereal. It is very useful.

Natalia.

On 21 Mar 2006 14:29:22 +0900, MAEDA <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm running Freeradius 1.0.4 with OpenLDAP 2.2.29 on my Fedora Core 4
> box and try to configure radiusd so that ldap_search is not performed
> on authentication (i.e.  just use ldap_bind for authentication).  But
> so far, I've got no success.  Radiusd seems to perform search anyway.
>
> I've read the document doc/rlm_ldap and followed the instruction, but
> I couldn't get it working (I must be missing something).
>
> I configured radiusd as follows:
>
> In users:
>
>  DEFAULT Ldap-UserDn := `uid=%{User-Name},ou=people,dc=atusi,dc=org`,
>  Auth-Type = LDAP
>
> In radiusd.conf:
>  modules {
>
> ldap {
> server = "localhost"
> ldap_debug = 0x
> # identity = "cn=admin,o=My Org,c=UA"
> # password = mypass
> basedn = "ou=people,dc=atusi,dc=org"
> # filter =
> "(uid=%{Stripped-User-Name:-%{User-Name}})"
> # base_filter = "(objectclass=radiusprofile)"
>
> start_tls = no
>
> access_attr = "dialupAccess"
>
> ldap_connections_number = 5
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
> ...
>  }
>
>  authorize {
> preprocess
> chap
> mschap
> suffix
> eap
> files
>  }
>
>  authenticate {
> Auth-Type PAP {
> pap
> }
> Auth-Type CHAP {
> chap
> }
> Auth-Type MS-CHAP {
> mschap
> }
> Auth-Type LDAP {
> ldap
> }
> eap
>  }
>
>  # All other parts are left as default.
>
> When I test my setup with:
>  (echo 'User-Name=mytestuser'; echo 'User-Password = mypassword') |
>  radclient -c 1 127.0.0.1 auth  testing123
> radiusd (run with -X option) says:
>
>  rad_recv: Access-Request packet from host 127.0.0.1:32791, id=183,
>  length=43
> User-Name = "mytestuser"
> User-Password = "mypassword"
>   Processing the authorize section of radiusd.conf
>  modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "mytestuser", looking up realm
>  NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 214
>   modcall[authorize]: module "files" returns ok for request 0
>  modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
>  auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
>  modcall: entering group Auth-Type for request 0
>  rlm_ldap: - authenticate
>  rlm_ldap: login attempt by "mytestuser" with password "mypassword"
>  radius_xlat:  '(uid=mytestuser)'
>  radius_xlat:  'ou=people,dc=atusi,dc=org'
>  rlm_ldap: ldap_get_conn: Checking Id: 0
>  rlm_ldap: ldap_get_conn: Got Id: 0
>  rlm_ldap: attempting LDAP reconnection
>  rlm_ldap: (re)connect to localhost:389, authentication 0
>  rlm_ldap: bind as / to localhost:389
>  ldap_bind
>  ldap_simple_bind
>  ldap_sasl_bind
>  ldap_send_initial_request
>  ldap_new_connection
>  ldap_int_open_connection
>  ldap_connect_to_host: TCP localhost:389
>  ldap_new_socket: 6
>  ldap_prepare_socket: 6
>  ldap_connect_to_host: Trying 127.0.0.1:389
>  ldap_connect_timeout: fd: 6 tm: 1 async: 0
>  ldap_ndelay_on: 6
>  ldap_is_sock_ready: 6
>  ldap_ndelay_off: 6
>  ldap_open_defconn: successful
>  ldap_send_server_request
>  rlm_ldap: waiting for bind result ...
>  ldap_result msgid 1
>  ldap_chkResponseList for msgid=1, all=1
>  ldap_chkResponseList returns NULL
>  wait4msg (timeout 4 sec, 0 usec), msgid 1
>  wait4msg continue, msgid 1, all 1
>  ** Connections:
>  * host: localhost  port: 389  (default)
>   refcnt: 2  status: Connected
>   last used: Tue Mar 21 13:31:12 2006
>
>  ** Outstanding Requests:
>  * msgid 1,  origid 1, status InProgress
>outstanding referrals 0, parent count 0
>  ** Response Queue:
>Empty
>  ldap_chkResponseList for msgid=1, all=1
>  lda

Re: special characters in passwords + FR + ldap

2006-03-10 Thread Natalia Escalera
Hello,

Do you have any suggestion of how to fix the problem?

Thanks,
Natalia.

On 3/9/06, Natalia Escalera <[EMAIL PROTECTED]> wrote:
> Hello,
>
> > how did you patch?
>
> What I did is that I took the rlm_ldap.c from FR 1.1.0 and replaced
> the content of the function ldap_pairget with the code shown on
> http://bugs.freeradius.org/showattachment.cgi?attach_id=112. Then I
> execute the './configure' and 'make' commands
>
> Natalia.
>
> On 3/9/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > > I attached a copy of the file rlm_ldap.c of radius 1.1.0
> >
> > yes, your patched version is clearly borked - as you can see from
> > this snippet.
> >
> > >   int vals_count;
> > >   int vals_idx;
> > >   char   *ptr;
> > >   char   *value;
> > >   TLDAP_RADIUS   *element;
> > >   LRAD_TOKEN  token;
> > >   LRAD_TOKEN  token, operator;
> > >   int is_generic_attribute;
> > >   char value[256];
> > >   char buf[MAX_STRING_LEN];
> > >   VALUE_PAIR *pairlist = NULL;
> > >   VALUE_PAIR *newpair = NULL;
> > >   char do_xlat = FALSE;
> >
> > LRAD_TOKEN has dual definitions. it should look similar to:
> >
> >char  **vals;
> >int vals_count;
> >int vals_idx;
> >char   *ptr;
> >char   *value;
> >TLDAP_RADIUS   *element;
> >LRAD_TOKEN  token, operator;
> >int is_generic_attribute;
> >    char buf[MAX_STRING_LEN];
> >    VALUE_PAIR *pairlist = NULL;
> >    VALUE_PAIR *newpair = NULL;
> >    char do_xlat = FALSE;
> >
> > how did you patch? I notice that the patch is no longer clean against the
> > 1.1.x CVS code...which means that more headaches will occur. someone with
> > the drive/desire needs to modify the patch for the more recent source
> >
> > alan
> >
>



Re: special characters in passwords + FR + ldap

2006-03-09 Thread Natalia Escalera
Hello,

> how did you patch?

What I did is that I took the rlm_ldap.c from FR 1.1.0 and replaced
the content of the function ldap_pairget with the code shown on
http://bugs.freeradius.org/showattachment.cgi?attach_id=112. Then I
execute the './configure' and 'make' commands

Natalia.

On 3/9/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hi,
>
> > I attached a copy of the file rlm_ldap.c of radius 1.1.0
>
> yes, your patched version is clearly borked - as you can see from
> this snippet.
>
> >   int vals_count;
> >   int vals_idx;
> >   char   *ptr;
> >   char   *value;
> >   TLDAP_RADIUS   *element;
> >   LRAD_TOKEN  token;
> >   LRAD_TOKEN  token, operator;
> >   int is_generic_attribute;
> >   char value[256];
> >   char buf[MAX_STRING_LEN];
> >   VALUE_PAIR *pairlist = NULL;
> >   VALUE_PAIR *newpair = NULL;
> >   char do_xlat = FALSE;
>
> LRAD_TOKEN has dual definitions. it should look similar to:
>
>char  **vals;
>int vals_count;
>int vals_idx;
>char   *ptr;
>char   *value;
>TLDAP_RADIUS   *element;
>LRAD_TOKEN  token, operator;
>int is_generic_attribute;
>    char buf[MAX_STRING_LEN];
>    VALUE_PAIR *pairlist = NULL;
>    VALUE_PAIR *newpair = NULL;
>    char do_xlat = FALSE;
>
> how did you patch? I notice that the patch is no longer clean against the
> 1.1.x CVS code...which means that more headaches will occur. someone with
> the drive/desire needs to modify the patch for the more recent source
>
> alan
>



Re: special characters in passwords + FR + ldap

2006-03-08 Thread Natalia Escalera
Hello,

I tried the patch on
http://bugs.freeradius.org/showattachment.cgi?attach_id=112 for the
function ldap_pairget in the file rlm_ldap.c but it gives me an error
when executing the 'make' command saying that 'token' was already
declared. This is where token is declared:

---
LRAD_TOKEN  token;
+ LRAD_TOKEN  token, operator;
---
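Review bot: the hunk keeps the existing `LRAD_TOKEN  token;` line and adds `LRAD_TOKEN  token, operator;` beside it, so `token` is declared twice in the same scope and the build fails with exactly the "already declared" error described above; the patch should mark the old declaration as removed (`- LRAD_TOKEN  token;`) so that only the combined `token, operator` declaration remains.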

May be the file in that page is corrupted. Can you please send me a
copy of the file for the patch.

Thank you in advance,
Natalia.

On 3/8/06, Turtiainen, Tero <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> > From: "Natalia Escalera" <[EMAIL PROTECTED]>
> > > We have made a small fix to the ldap-module (as seen in the
> > link to the
> > > mailing list archive). I don't know if this has been fixed
> > in 1.1.0. I
> > > once had a quick look at the ldap-module of 1.1.0, it
> > should be quite
> > > easy to test if it still fails.
> >
> > The password issue is also in FR 1.1.0.
>
> Thats weird. The bug is so easy to spot and should be trivial
> to fix. And I think it will affect many FR installations.
> --
> Tero Turtiainen
> Technology Services
> Capgemini
> [EMAIL PROTECTED]
>
>
>
>



Re: special characters in passwords + FR + ldap

2006-03-07 Thread Natalia Escalera
Hello Mr. Turtiainen:

Thank you for your response.

> We have made a small fix to the ldap-module (as seen in the link to the
> mailing list archive). I don't know if this has been fixed in 1.1.0. I
> once had a quick look at the ldap-module of 1.1.0, it should be quite
> easy to test if it still fails.

The password issue is also in FR 1.1.0. I will try the patch suggested on
http://bugs.freeradius.org/show_bug.cgi?id=261 and see if it works for
our implementation.

Thank you,
Natalia.

On 3/7/06, Turtiainen, Tero <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> > -Original Message-
> > Date: Sat, 4 Mar 2006 15:19:32 -0600
> > From: "Natalia Escalera" <[EMAIL PROTECTED]>
> >
> > Hello,
> >
> > What is needed is that FreeRADIUS accepts passwords even if special
> > characters are part of them. This is what is happening:
> >
> >
> > pass$word -> FR -> LDAP -> FR (Answer: wrong password)
> >
> > Any ideas of how to solve it?
>
> This looks very much like the feature we have seen with FR 0.9.3.
> Passwords with a "special character" are truncated, resulting in
> password check failing.
>
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-July/045560.html
>
> This may be related to this bug, which is still open (I don't agree
> with the severity=minor :)
> http://bugs.freeradius.org/show_bug.cgi?id=261
>
> We have made a small fix to the ldap-module (as seen in the link to the
> mailing list archive). I don't know if this has been fixed in 1.1.0. I
> once had a quick look at the ldap-module of 1.1.0, it should be quite
> easy to test if it still fails.
> --
> Tero Turtiainen
> Technology Services
> Capgemini
> [EMAIL PROTECTED]
>
>
>
>



Re: special characters in passwords + FR + ldap

2006-03-04 Thread Natalia Escalera
Hello,

What is needed is that FreeRADIUS accepts passwords even if special
characters are part of them. This is what is happening:


pass$word -> FR -> LDAP -> FR (Answer: wrong password)

Any ideas of how to solve it?

Thank you,
Natalia.


On 3/3/06, Alexei Monastyrnyi <[EMAIL PROTECTED]> wrote:
> Hey.
>
> Does one need to handle it in any special way?
>
> I have deployment like this, where special chars work as good as normal
> ones.
>
> Cisco VPN clients >-> Cisco PIX <-> FreeRADIUS <-> OpenLDAP.
>
> A.
>
> on 03/03/2006 00:28 Natalia Escalera wrote:
> > Hello all,
> >
> > Does somebody know how to handle passwords having special characters in
> > between (e.g. $ ) when doing FreeRADIUS-LDAP authentication?
> >
> > Thank you,
> >
> > Natalia.
> >
> >
>



special characters in passwords + FR + ldap

2006-03-02 Thread Natalia Escalera
Hello all,

Does somebody know how to handle passwords having special characters in
between (e.g. $ ) when doing FreeRADIUS-LDAP authentication?

Thank you,

Natalia.



Re: Freeradius + Microsoft Active Directory

2006-02-26 Thread Natalia Escalera
Hello all,

Mr. Sandworm, I really appreciate your help. Including 'referrals no'
in ldap.conf works fine! Now the FR server receives an affirmative
answer from the AD server.
I also appreciate Mr. DeKok's and Mr. Geek's help in pointing me in the
correct direction.

Thank you,
Nataly


On 2/26/06, Sandworm <[EMAIL PROTECTED]> wrote:
> "Natalia Escalera" <[EMAIL PROTECTED]> wrote:
> >I have another question, how can we avoid referrals coming from AD
> >Ldap server? How can we specify those settings?
>
> From the list archives:
>
> See http://lists.freeradius.org/pipermail/freeradius-users/2004-October/037218.html



Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
I have another question: how can we avoid referrals coming from the AD
LDAP server? How can we specify those settings?

Thanks,
Nataly

On 2/25/06, Natalia Escalera <[EMAIL PROTECTED]> wrote:
> I mean binddn...
>
> On 2/25/06, Natalia Escalera <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > How can we specify the bindn on radius.conf so we do not search as an
> > anonymous user?
> >
> > Thank you,
> > Nataly
> >
> > On 2/25/06, Natalia Escalera <[EMAIL PROTECTED]> wrote:
> > > Hello,
> > > What do you mean with qualify the LDAP search?
> > >
> > > Thanks.
> > > Nataly
> > >
> > > On 2/25/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > > > "Natalia Escalera" <[EMAIL PROTECTED]> wrote:
> > > > > Thank you for the fast response.  The  password is clear-text.  We are
> > > > > using ethereal to debug why we are getting "Operations Error" on the
> > > > > Search Result.
> > > >
> > > >  See the list archives.  You have to qualify the LDAP search.
> > > >
> > > > http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.html
> > > >
> > > >  Alan DeKok.
> > > >
> > >
> >
>



Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
I mean binddn...

On 2/25/06, Natalia Escalera <[EMAIL PROTECTED]> wrote:
> Hello,
>
> How can we specify the bindn on radius.conf so we do not search as an
> anonymous user?
>
> Thank you,
> Nataly
>
> On 2/25/06, Natalia Escalera <[EMAIL PROTECTED]> wrote:
> > Hello,
> > What do you mean with qualify the LDAP search?
> >
> > Thanks.
> > Nataly
> >
> > On 2/25/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > > "Natalia Escalera" <[EMAIL PROTECTED]> wrote:
> > > > Thank you for the fast response.  The  password is clear-text.  We are
> > > > using ethereal to debug why we are getting "Operations Error" on the
> > > > Search Result.
> > >
> > >  See the list archives.  You have to qualify the LDAP search.
> > >
> > > http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.html
> > >
> > >  Alan DeKok.
> > >
> >
>



Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
Hello,

How can we specify the bindn on radius.conf so we do not search as an
anonymous user?

Thank you,
Nataly

On 2/25/06, Natalia Escalera <[EMAIL PROTECTED]> wrote:
> Hello,
> What do you mean with qualify the LDAP search?
>
> Thanks.
> Nataly
>
> On 2/25/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > "Natalia Escalera" <[EMAIL PROTECTED]> wrote:
> > > Thank you for the fast response.  The  password is clear-text.  We are
> > > using ethereal to debug why we are getting "Operations Error" on the
> > > Search Result.
> >
> >  See the list archives.  You have to qualify the LDAP search.
> >
> > http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.html
> >
> >  Alan DeKok.
> >
>



Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
Hello,
What do you mean with qualify the LDAP search?

Thanks.
Nataly

On 2/25/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Natalia Escalera" <[EMAIL PROTECTED]> wrote:
> > Thank you for the fast response.  The  password is clear-text.  We are
> > using ethereal to debug why we are getting "Operations Error" on the
> > Search Result.
>
>  See the list archives.  You have to qualify the LDAP search.
>
> http://www.nabble.com/FreeRadius-cannot-Authenticate-to-Windows-AD-t752989.html
>
>  Alan DeKok.
>



Re: Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
Hello Mr. DeKok,

Thank you for the fast response.  The password is clear-text.  We are
using Ethereal to debug why we are getting "Operations Error" on the
Search Result.  The Operations Error comment is the following:
"In order to perform this operation a successful bind must be completed."

The search request on Ethereal from FreeRADIUS to the Active Directory
gives the following:
    Message Type: Search Request
    Message Length: 96
    Response In: 469
    Base DN: dc=test, dc=prt
    Scope: subtree (0x02)
    Derefence: Never (0x00)
    Size Limit: 0
    Time Limit: 4
    Attributes only: False
    Filter: (&(objectclass=person)(sAMAccountName=%u))
    Attribute: uid    <- we are not sending this attribute and we do not
                         know where it is specified on FreeRADIUS

Here are the settings given for the LDAP module in radius.conf and the users file:

#radius.conf
ldap {
    server = "xxx.xx.xxx.xxx"

    identity = ""        # If this is suppose to be the bind dn???

    password = "mypassword"
    basedn = "dc=test,dc=prt"

    #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    filter = "(&(objectclass=person) (sAMAccountName=%u))"

    # set this to 'yes' to use TLS encrypted connections
    # to the LDAP database by using the StartTLS extended
    # operation.
    # The StartTLS operation is supposed to be used with normal
    # ldap connections instead of using ldaps (port 689) connections
    start_tls = no

    # tls_cacertfile    = /path/to/cacert.pem
    # tls_cacertdir     = /path/to/ca/dir/
    # tls_certfile      = /path/to/radius.crt
    # tls_keyfile       = /path/to/radius.key
    # tls_randfile      = /path/to/rnd
    # tls_require_cert  = "demand"

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    ldap_connections_number = 5

    timeout = 5
    timelimit = 4
    net_timeout = 2
    compare_check_items = yes
}

authenticate {
    Auth-Type PAP {
        pap
    }

    Auth-Type CHAP {
        chap
    }

    Auth-Type MS-CHAP {
        mschap
    }

    unix

    Auth-Type LDAP {
        ldap
    }

    eap
}

#users file
DEFAULT Auth-Type := LDAP
    Fall-Through = 1

Can you please tell us if there is something wrong or if we are
missing something on the configuration files?

Thanks in advance,
Nataly

On 2/25/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> "Natalia Escalera" <[EMAIL PROTECTED]> wrote:
> > I am setting up freeradius with Microsoft Active Directory. So far, I
> > am able to connect to the server but not to authenticate a user. Can
> > you  please give me a hint of how the configuration files need to be
> > set in order to authenticate the user.
>
>  If the RADIUS packets have clear-text passwords, then the normal
> LDAP module should work.  If you're using PEAP or MS-CHAP, read
> "radiusd.conf", and use "ntlm_auth".
>
> > Also, what is "3D" used for? (Example: server =3D your.ad.server.org ...)
>
>  Nothing.  It's an artifact of stupid mailers.  3D is ASCII for '='.
>
>  Alan DeKok.
>
>



Freeradius + Microsoft Active Directory

2006-02-25 Thread Natalia Escalera
Hello,

I am setting up freeradius with Microsoft Active Directory. So far, I
am able to connect to the server but not to authenticate a user. Can
you  please give me a hint of how the configuration files need to be
set in order to authenticate the user.

Also, what is "3D" used for? (Example: server =3D your.ad.server.org ...)

Thank you in advance,
Nataly
