Re: rlm_ldap and auto_header

2008-11-12 Thread Tim Palmer

Alan DeKok wrote:

Tim Palmer wrote:

Full disclosure - I did try an install from ports, then removed the port
and rerun ldconfig. I did not recompile/install freeradius after the
port exercise.
===
Why yes, I did map Cleartext-Password, since the debug error ( and
various list postings) seemed clear on that:

ldap.attrmap:
checkItem   Cleartext-Password  userPassword



  Don't do this.  Delete this line.  It's the SOURCE of all the problems.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



To no one's surprise, you all are correct that auto_header shouldn't be 
needed in the ldap module. The Cleartext-Password mapping didn't help, 
but my base, original problem was carrying over a password_header = 
{crypt} entry in the ldap module from our old (1.0.1) configuration.


Thanks for making it clear I shouldn't accept something just because it 
works, if it isn't how it should work.


--
Tim Palmer
BestWeb Support



Re: rlm_ldap and auto_header

2008-11-11 Thread Tim Palmer
 post the whole debug with
auto_header disabled in ldap (and enabled in pap). You haven't mapped
userPassword to Cleartext-Password by any chance?

Ivan Kalik
Kalik Informatika ISP


On 11/11/2008, Tim Palmer [EMAIL PROTECTED] writes:


[EMAIL PROTECTED] wrote:


No amount of changing settings in modules/pap and other config files
would help. I finally noticed in the rlm_ldap debug output auto_headers
= no.

So, I set auto_headers = yes in modules/ldap, and login passes. Remove
it, and login fails.




Are you saying that if you enable auto_header in pap module
authentication fails but if you enable it in ldap it works?

Ivan Kalik
Kalik Informatika ISP



That is correct. I haven't yet tried disabling auto_header in pap module
with it enabled in ldap, but enable/disable in ldap module, with it set
in pap gives repeatable joy/no joy.









--
Tim Palmer
BestWeb Support



Re: rlm_ldap and auto_header

2008-11-11 Thread Tim Palmer

[EMAIL PROTECTED] wrote:
Why yes, I did map Cleartext-Password, since the debug error ( and 
various list postings) seemed clear on that:


ldap.attrmap:
checkItem   Cleartext-Password  userPassword



OK. Debug will moan about using User-Password if you are using clear text
password. It will moan, replace it with Cleartext-Password - and things
will still work. If you are using clear text passwords you can do this
mapping to shut it up. Better practice would be to map it to something
like radiusCleartextPassword and copy userPassword field there.

But mapping encrypted passwords to Cleartext-Password is clearly wrong.
Remove that mapping and auto_headers in pap will work.

Ivan Kalik
Kalik Informatika ISP


What you say makes complete sense, but it's still not working for me 
unless I have ldap do the auto_header. However, I'd done several things 
with this machine in this process, so I'm going to rebuild it and start 
from scratch, now that I am clear on exactly how this bit is supposed to 
work.


Thank you for your input,

tim





Re: rlm_ldap and auto_header

2008-11-11 Thread Tim Palmer

[EMAIL PROTECTED] wrote:

No amount of changing settings in modules/pap and other config files
would help. I finally noticed in the rlm_ldap debug output auto_headers
= no.

So, I set auto_headers = yes in modules/ldap, and login passes. Remove
it, and login fails.




Are you saying that if you enable auto_header in pap module
authentication fails but if you enable it in ldap it works?

Ivan Kalik
Kalik Informatika ISP

That is correct. I haven't yet tried disabling auto_header in pap module 
with it enabled in ldap, but enable/disable in ldap module, with it set 
in pap gives repeatable joy/no joy.



rlm_ldap and auto_header

2008-11-10 Thread Tim Palmer
After fighting with an upgrade from freeradius-1.0.3 to 2.1.1, both do a 
simple LDAP authorize/PAP authenticate (no tls, no eap, no chap, no 
inner-tunnel, nothing else), I've stumbled on what seems to fix my 
problem, and am curious if my fix makes sense, and will continue to be 
supported. I'm not including full debug output and config files in this 
post because I'm not looking for help on what I've done wrong, just 
whether this part of the configuration is valid. I'm happy to provide 
more detail if it's desired.


Built from freeradius-server-2.1.1 source, downloaded about 2 weeks ago 
from the Freeradius main site, on FreeBSD 7-1-PRERELEASE.


With 2.1.1, I had no trouble getting rlm_ldap to connect to my OpenLDAP 
server, and after putting in a Cleartext-Password entry in 
ldap.attrmap, rlm_ldap would authorize fine, and everything seemed ok, 
except I couldn't get pap to understand the encryption scheme:


[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password {crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): 
[test/testing] (from client localhost port 1)


No amount of changing settings in modules/pap and other config files 
would help. I finally noticed in the rlm_ldap debug output auto_headers 
= no.


So, I set auto_headers = yes in modules/ldap, and login passes. Remove 
it, and login fails.


Is it only some odd ball, simplistic configurations like mine that this 
should be required? I was unable to find any mention of this as an ldap 
module setting except in rlm_ldap.c, which I didn't think to look in 
until after the fact.


Thank you for your time,

tim
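As an added illustration (not code from this thread or from FreeRADIUS), the following Python models what the thread is about: pap's auto_header splits the {scheme} header off an LDAP userPassword value and picks the matching check attribute, whereas mapping userPassword straight to Cleartext-Password makes pap compare the stored hash string literally against the typed password, which is exactly the "Passwords don't match" seen in the debug above. The header-to-attribute table is an assumption modelled on rlm_pap's behaviour, and the function names and the {SSHA} sample are constructed.

```python
import base64
import hashlib
import hmac

# Header -> FreeRADIUS check attribute. Assumed to mirror what rlm_pap's
# auto_header selects; confirm against the rlm_pap source of your version.
HEADER_TO_ATTR = {
    "": "Cleartext-Password", "clear": "Cleartext-Password",
    "cleartext": "Cleartext-Password", "crypt": "Crypt-Password",
    "md5": "MD5-Password", "smd5": "SMD5-Password",
    "sha": "SHA-Password", "ssha": "SSHA-Password",
}

def split_header(value):
    """Split an LDAP userPassword like '{SSHA}b64...' into (scheme, payload)."""
    if value.startswith("{") and "}" in value:
        scheme, payload = value[1:].split("}", 1)
        return scheme.lower(), payload
    return "", value  # no header: treat as clear text

def auto_header_attr(value):
    """The check attribute auto_header would hand to pap for this value."""
    return HEADER_TO_ATTR.get(split_header(value)[0])

def make_ssha(password, salt):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def naive_cleartext_check(stored, candidate):
    """Literal compare, i.e. what mapping userPassword to Cleartext-Password does."""
    return hmac.compare_digest(stored.encode(), candidate.encode())

def check_password(stored, candidate):
    """Header-aware check, i.e. what auto_header lets pap do."""
    scheme, payload = split_header(stored)
    if scheme in ("", "clear", "cleartext"):
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if scheme == "ssha":  # payload = sha1(pw + salt) || salt, base64-encoded
        raw = base64.b64decode(payload)
        calc = hashlib.sha1(candidate.encode() + raw[20:]).digest()
        return hmac.compare_digest(calc, raw[:20])
    raise NotImplementedError(f"{scheme} verification not shown in this example")

def diagnose_debug_line(line):
    """Flag the symptom from the original post: pap comparing a value that still
    carries a {scheme} header as if it were clear text."""
    if "Using clear text password {" in line:
        return "pap got a hashed value as Cleartext-Password; fix the attribute mapping"
    return None
```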