Re: Which is Better LDAP or MySQL?

2003-08-16 Thread Patrick McShane
Actually, the answer is a little more straightforward when Radius is
involved. No package including Radius should be reading from a flat file
(cached or not). In the case of Radius, the users file can quickly become
a problem after a few thousand users. With SQL, proper indexing can allow
lookups to be fairly fast but even then after a few hundred thousand
users, SQL starts to ache. LDAP used as a general purpose user/information
store was designed to scale to literally millions of users so it does well
as a back-end authentication source due to its scalability and speed (far
faster than MySQL, Postgres, or Oracle for that matter). SQL (MySQL for
example) on the other hand is quite nice for storing the Radius accounting
data.

Read from LDAP and write to SQL. H... A nice blend of technologies that
excel in their respective areas.

Our servers have run in this configuration almost flawlessly (given a few
DOS attacks) and auth users in a few seconds after PPP negotiations.

Re: LDAP authent/authorize and CHAP

2003-06-16 Thread Patrick McShane
To all who replied to this message, I found the LDAP/CHAP compatibility
problem.  I had everything correct in the author/authen sections.  In
fact, the answer was in the previously mentioned FAQ by Kostas.  We also
use the users file to set defaults after the LDAP authorization and it
was erroneously setting Authtype := LDAP which was mentioned as
something that should NOT be done in the
http://www.freeradius.org/faq/#5.11 FAQ.  After commenting that out in
the users file, all is well.

Thanks to all for the feedback as our CHAP auths are now working in
perfect harmony with LDAP!!

Pat McShane
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP authent/authorize and CHAP

2003-06-15 Thread Patrick Mcshane
Hello,
 
Can ANYONE suggest ANY WAY that might allow CHAP requests 
to be handled even though we use LDAP to handle authentication 
and authorization?  Our passwords (userpassword attribute)
are stored in cleartext in the latest OpenLDAP so at least
we are prepared for CHAP.  Maybe some sort of hack in the
users file?

We occasionally see the following error:

Sun Jun 15 13:07:20 2003 : Auth: rlm_ldap: Attribute
User-Password is required for authentication. 
Cannot use CHAP-Password.


Our auth sections look like:

authorize {
    preprocess
    chap
    mschap
    daily
    attr_filter
    suffix
    ldap {
        notfound = return
    }
    files
}
authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }
    authtype MS-CHAP {
        mschap
    }
    authtype LDAP {
        ldap
    }
}

Thanks,
Pat McShane



LDAP/CHAP incompatible?

2003-04-03 Thread Patrick McShane

Please take a look at the FreeRadius v0.9-pre log entry below.  We use
rlm_ldap to handle authentication/authorization and we continue to get
these occasional errors.  I suppose it is someone trying to use CHAP.
The CHAP and LDAP modules are both listed in our radiusd.conf.  Our
passwords are ALL stored in clear text (no headers) in an LDAP attribute
called unixpassword which is mapped to User-Password.  Any ideas
anyone?

radius.log output:
Thu Apr  3 21:04:26 2003 : Error: rlm_radutmp: Logout entry for NAS
galaxy port 1093 has wrong ID
Thu Apr  3 20:07:17 2003 : Auth: rlm_ldap: Attribute User-Password is
required for authentication. Cannot use CHAP-Password.

Thanks,
Pat McShane - ICDC.COM



Handling crypt OR clear text encryption schemes for the pap module

2003-03-28 Thread Patrick McShane

Does anybody know of a way to get FreeRadius to handle either crypt OR
clear text encryption schemes for the pap module?

For example in radiusd.conf:

pap {
    encryption_scheme = clear
    encryption_scheme = crypt
}

We have some passwords stored in the LDAP password attribute as clear
text (to handle CHAP requests!!!) or they have a value like
{crypt}GHSN*SJJD (previous migration from old UNIX passwords).
Navis Radius currently looks at the preceding text tokens {crypt},
{plain}, or {SHA}.  For example the LDAP attribute unixpassword
might contain:

unixpassword: {SHA}HDSUYD#*$*#$   (WEUDJI (Secure Hash Algorithm)
unixpassword: {crypt}HDSUYD#*$*   (UNIX crypt)
unixpassword: mypassword(plain text)

Thanks,
Pat McShane - ICDC.COM

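As an added example, not code from this thread or from FreeRADIUS itself: a Python check covering both the crypt/SHA/clear question in this post and the "User-Password is required ... Cannot use CHAP-Password" error in the earlier CHAP posts. It shows why PAP can verify any stored form while CHAP needs the cleartext value in the directory. The function names, the 16-byte challenge and the stored sample values are constructed here.

```python
import base64, hashlib, hmac

try:                      # crypt(3) binding: deprecated in Python 3.11, removed in 3.13
    import crypt
except ImportError:       # without it a {crypt} value cannot be checked at all
    crypt = None


def _cleartext(stored):
    """Return the password itself if the directory holds it unhashed
    (bare value or {plain} prefix), or None for {SHA}/{crypt} hashes."""
    if stored.startswith("{plain}"):
        return stored[len("{plain}"):]
    if stored.startswith("{SHA}") or stored.startswith("{crypt}"):
        return None
    return stored


def check_pap(stored, candidate):
    """PAP: the server sees the cleartext password from the request, so any
    stored form can be verified: {SHA} (base64 SHA-1, as OpenLDAP writes it),
    {crypt} (UNIX crypt(3); the stored hash doubles as the salt), or cleartext."""
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode()).digest())
    if stored.startswith("{crypt}"):
        hashed = stored[len("{crypt}"):]
        return crypt is not None and hmac.compare_digest(crypt.crypt(candidate, hashed) or "", hashed)
    clear = _cleartext(stored)
    return clear is not None and hmac.compare_digest(clear.encode(), candidate.encode())


def chap_response(chap_id, password, challenge):
    """CHAP-Password as the client builds it (RFC 1994, carried per RFC 2865):
    one identifier byte, then MD5(identifier + cleartext password + challenge).
    The challenge is CHAP-Challenge or, if absent, the Request Authenticator."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password.encode() + challenge).digest()


def check_chap(stored, chap_password, challenge):
    """CHAP can only be verified by recomputing the MD5 over the cleartext
    password; a {SHA} or {crypt} value cannot be fed into it, which is the
    'User-Password is required ... Cannot use CHAP-Password' condition."""
    clear = _cleartext(stored)
    if clear is None or len(chap_password) != 17:   # 1 id byte + 16 MD5 bytes
        return False
    expected = chap_response(chap_password[0], clear, challenge)
    return hmac.compare_digest(expected, chap_password)
```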


Using LDAP with v0.81

2003-03-09 Thread Patrick McShane

Hello,

I was testing v0.81 against our existing LDAP DB and the searches worked
fine.   The LDAP module seemed to authenticate the LDAP user but then
somewhere along the line, Auth-Type System failed to validate the
user.  We only want to validate/authenticate dialin users against LDAP
so does anyone know where our configuration problem might exist?  We
went through the rlm_ldap doc and implemented all of the LDAP
configuration options it suggested.  Please advise.

Thanks,
Pat McShane - ICDC.COM

OUTPUT FROM RADTEST

[EMAIL PROTECTED] root]# radtest [EMAIL PROTECTED] ziggy localhost 0 testing123
Sending Access-Request of id 237 to 127.0.0.1:1812
User-Name = [EMAIL PROTECTED]
User-Password = [EMAIL PROTECTED]:\332c_\341z\036\n\004rhS
NAS-IP-Address = ziggy.icdc.com
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=237,
length=20
[EMAIL PROTECTED] root]# 


OUTPUT FROM RADIUSD
===
rad_recv: Access-Request packet from host 127.0.0.1:32781, id=237,
length=64
User-Name = [EMAIL PROTECTED]
User-Password = ziggy
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
rlm_realm: Looking up realm icdc.com for User-Name = [EMAIL PROTECTED]
rlm_realm: Found realm icdc.com
rlm_realm: Adding Stripped-User-Name = pem
  rlm_realm: Proxying request from user pem to realm icdc.com
rlm_realm: Adding Realm = icdc.com
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled
  modcall[authorize]: module suffix returns noop
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for pem
radius_xlat:  '(uid=pem)'
radius_xlat:  'o=icdc.com'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ns6.icdc.com:389, authentication 0
rlm_ldap: bind as / to ns6.icdc.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=icdc.com, with filter (uid=pem)
rlm_ldap: checking if remote access for pem is allowed by dialuptemplate
rlm_ldap: Added password ziggy in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding unixpassword as Password, value ziggy  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user pem authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 237 to 127.0.0.1:32781
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 237 with timestamp 3e6ba8c3
Nothing to do.  Sleeping until we see a request.




Using LDAP and MySQL with v0.81

2003-03-09 Thread Patrick McShane

Hello,

I was testing v0.81 against our existing LDAP DB and the searches worked
fine.   Now have LDAP authentication working too.  Finally, need to
start storing accounting records in MySQL.  Are there any examples of
how this should look in the radiusd.conf accounting{} section?  Please
advise.

Thanks,
Pat McShane - ICDC.COM



Using LDAP and Realms with v0.81

2003-03-09 Thread Patrick McShane

Hello,

We're testing v0.81 against our existing LDAP DB and the searches worked
fine.   Now have LDAP authentication working too.  We also need to pull
different Radius attributes from LDAP depending on Realm name
([EMAIL PROTECTED]).  Are there any examples of how this might be
accomplished in a FreeRadius configuration?  Please advise.

Thanks,
Pat McShane - ICDC.COM
