Re: special characters in passwords + FR + ldap
Hi,

> From: Natalia Escalera [EMAIL PROTECTED]
>
> I was wondering if someone has any idea of how to solve the problem of special characters (e.g. $) in FreeRadius 1.1.0.

Have you tried FreeRADIUS 1.1. which was released last week? According to the ChangeLog the bug #261 has been fixed, and it was the "attributes retrieved from ldap are truncated at first space" bug, which sounded very similar to our problem:

http://bugs.freeradius.org/show_bug.cgi?id=261

--
Tero Turtiainen
Technology Services
Capgemini
[EMAIL PROTECTED]

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: special characters in passwords + FR + ldap
Hi,

> From: Natalia Escalera [EMAIL PROTECTED]
>
> > We have made a small fix to the ldap-module (as seen in the link to the mailing list archive). I don't know if this has been fixed in 1.1.0. I once had a quick look at the ldap-module of 1.1.0, it should be quite easy to test if it still fails.
>
> The password issue is also in FR 1.1.0.

That's weird. The bug is so easy to spot and should be trivial to fix. And I think it will affect many FR installations.

--
Tero Turtiainen
Technology Services
Capgemini
[EMAIL PROTECTED]
Re: special characters in passwords + FR + ldap
Hi,

> -----Original Message-----
> Date: Sat, 4 Mar 2006 15:19:32 -0600
> From: Natalia Escalera [EMAIL PROTECTED]
>
> Hello,
>
> What is needed is that Freeradius accepts passwords even if special characters are part of them. This is what is happening:
>
> pass$word - FR - LDAP - FR (Answer: wrong password)
>
> Any ideas of how to solve it?

This looks very much like the feature we have seen with FR 0.9.3. Passwords with a special character are truncated, resulting in the password check failing.

http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-July/045560.html

This may be related to this bug, which is still open (I don't agree with the severity=minor :)

http://bugs.freeradius.org/show_bug.cgi?id=261

We have made a small fix to the ldap-module (as seen in the link to the mailing list archive). I don't know if this has been fixed in 1.1.0. I once had a quick look at the ldap-module of 1.1.0, it should be quite easy to test if it still fails.

--
Tero Turtiainen
Technology Services
Capgemini
[EMAIL PROTECTED]
Re: Password with comma fail with LDAP
Hi,

> We have FreeRADIUS 0.9.3 using LDAP for authorisation. We now have a problem that for example a password with certain characters is cut. For example password test,ing is cut to test. This is caused by the gettoken function in src/lib/token.c which is used by the rlm_ldap module. Google search seems to indicate that the same problem has been with the SQL-module which also uses gettoken. This kind of behaviour is of course quite evil. Is our problem unique?
>
> I made a quick test fix by replacing all occurrences of gettoken in src/modules/rlm_ldap/rlm_ldap.c with the getbareword function (also in src/lib/token.c) which does not care about the tokens

I have looked at this a little bit more and I still don't get it. Why does the LDAP-module use the gettoken() function? I have thought that the authorisation data stored in LDAP should usually be taken as is, but in the LDAP/gettoken case it seems that there could also be some special handling. But in our case this breaks the password handling if the password contains some of those delimiters (like ,= etc...). Storing the passwords in MD5 or some other one-way encryption is not a solution as CHAP is used for authentication. And the gettoken also breaks other attributes, not just passwords.

Is there something that I don't understand or is this a bug in the LDAP-module? Replacing gettoken with getbareword in rlm_ldap.c seemed to fix this, but this may break a lot of other things... :)

Or should this be discussed in freeradius-devel?

--
Tero Turtiainen
Telecom, Media & Entertainment
Capgemini
[EMAIL PROTECTED]
Password with comma fail with LDAP
Hi,

We have FreeRADIUS 0.9.3 using LDAP for authorisation. We now have a problem that for example a password with certain characters is cut. For example password test,ing is cut to test. This is caused by the gettoken function in src/lib/token.c which is used by the rlm_ldap module. Google search seems to indicate that the same problem has been with the SQL-module which also uses gettoken. This kind of behaviour is of course quite evil.

Is our problem unique? This seems such an obvious problem that I would guess that it has been encountered before. I looked at the CVS version and my guess is that this has not been fixed.

I made a quick test fix by replacing all occurrences of gettoken in src/modules/rlm_ldap/rlm_ldap.c with the getbareword function (also in src/lib/token.c) which does not care about the tokens and thus does not cut the attribute value if it contains a comma, semicolon, brace or any other of the magic characters. Does this fix break more things than it fixes? Is it a valid fix in this case? Any better solutions?

--
Tero Turtiainen
Telecom, Media & Entertainment
Capgemini
[EMAIL PROTECTED]
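As an added illustration for the two posts above (not code from the thread and not FreeRADIUS's own code), the following Python models the two readers the poster compares: a gettoken-style reader that stops at the first delimiter and a getbareword-style reader that keeps the whole value. The delimiter set TOKEN_DELIMITERS is a constructed approximation, not the real token table from src/lib/token.c. The block then carries a CHAP (RFC 1994) check through with the password from the post, which shows why the truncated stored value makes the comparison fail and why a one-way hash of the stored password is not a way out, and ends with a small audit helper that lists which stored values a token-style reader would cut.

```python
import hashlib
import hmac

# Constructed approximation of the characters at which a gettoken()-style
# reader stops. This is a model for illustration only, not the real token
# table from FreeRADIUS's src/lib/token.c.
TOKEN_DELIMITERS = frozenset(" \t,;{}=")


def read_as_token(value: str) -> str:
    """Model of a gettoken()-style reader: the value ends at the first delimiter."""
    out = []
    for ch in value:
        if ch in TOKEN_DELIMITERS:
            break
        out.append(ch)
    return "".join(out)


def read_as_bareword(value: str) -> str:
    """Model of a getbareword()-style reader: the whole value is kept as-is."""
    return value


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5(Identifier || Secret || Challenge).

    The server must recompute this from the cleartext password, which is why
    storing only a one-way hash of the password does not help with CHAP.
    """
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


def server_accepts(stored_password: str, reader, ident: int,
                   challenge: bytes, client_response: bytes) -> bool:
    """Verify a client's CHAP response against the password as the server reads it."""
    expected = chap_response(ident, reader(stored_password), challenge)
    return hmac.compare_digest(expected, client_response)


def truncated_values(entries: dict) -> dict:
    """Audit helper: attribute values a token-style reader would cut, mapped to
    the value they would be cut to. Lets an operator find affected entries
    before the module silently truncates them."""
    report = {}
    for name, value in entries.items():
        short = read_as_token(value)
        if short != value:
            report[name] = short
    return report


if __name__ == "__main__":
    # Constructed sample entry: the password from the post plus two other
    # attributes; the IP address is a placeholder.
    ldap_entry = {
        "User-Password": "test,ing",
        "Framed-IP-Address": "10.0.0.5",
        "Reply-Message": "Welcome, joe",
    }
    print(truncated_values(ldap_entry))

    # The client hashes the full password; the server that read "test" fails,
    # the one that read "test,ing" succeeds.
    challenge = bytes(range(16))
    response = chap_response(7, "test,ing", challenge)
    print(server_accepts("test,ing", read_as_token, 7, challenge, response))
    print(server_accepts("test,ing", read_as_bareword, 7, challenge, response))
```

The audit helper is the part worth keeping: run it over an export of the attribute values a module reads through gettoken and it reports every value, password or otherwise, that would come back shorter than what is stored.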
How to authenticate different domains from different sources?
Hi,

I am using FreeRADIUS 0.9.3 and I have a setup where user names (e.g. joe) with no domain or one of the known domains (e.g. [EMAIL PROTECTED]) are authorised from LDAP. User names with an unknown domain (e.g. [EMAIL PROTECTED]) are proxied to another RADIUS-server and I have no control over this server.

Now there is a need to try to authenticate some user names with an unknown domain from a special application using rlm_exec. The domain could be anything, so this clashes with the proxying. In some cases [EMAIL PROTECTED] could be authenticated from the special application, but [EMAIL PROTECTED] should be proxied.

So now I am wondering if/how this could be done? Maybe the authentication requests where the user name includes a domain could first be authenticated from the special application and if that fails then the request could be proxied, but is it possible to configure FreeRADIUS this way? So far I haven't figured out how this could be configured. It seems that doing one thing, either the proxying or authentication from the special application, is easy, but combining these two is causing me a headache.

--
Tero Turtiainen
Telecom, Media & Entertainment
Capgemini
[EMAIL PROTECTED]
A bug in check-radiusd-config
Hi,

I think there is a bug in check-radiusd-config in 0.9.3. This has been tested on Solaris 6 and the easiest way to reproduce this is to add some garbage to the top part of radiusd.conf. For example right after the prefix etc. definitions:

    $INCLUDE $a_file_that_does_not_exist

When check-radiusd-config is run the output is:

    Radius server configuration looks OK.

The startup.log however shows the error:

    Unable to open file $a_file_that_does_not_exist: No such file or directory
    Errors reading radiusd.conf

When the faulty include-line is moved to the end of radiusd.conf, check-radiusd-config works as expected and the output is:

    Unable to open file $a_file_that_does_not_exist: No such file or directory
    Errors reading radiusd.conf

It seems that if the radiusd started by check-radiusd-config exits too quickly (for example, there is a configuration error in the beginning of the configuration file), the configuration is always found to be OK. This can be quite nasty if you have faster hardware where the configuration processing may always be pretty fast.

This is a quite nasty feature in our environment, which involves some semi-automated configuration file updates, and we haven't figured out how to fix this. I guess the best way to avoid having problems with this is not to make any configuration errors...

(Sorry if there is a silly disclaimer after the signature)

--
Tero Turtiainen
Telecom, Media & Entertainment
Capgemini
[EMAIL PROTECTED]
RE: problems with radwho
[EMAIL PROTECTED] wrote:

> I'm having problems getting utmp accounting to work properly on FreeRadius (latest version). When the NAS sends an account-request packet to radius, everything seems ok except for the following line seen in the debug window:
>
>     rlm_radutmp: No NAS-Port seen. Cannot do anything.
>     rlm_radumtp: WARNING: checkrad will probably not work!
>
> The corresponding Access Request packet from the NAS contains:
>
>     NAS-Port-Type = Virtual.

NAS-Port-Type does not help here. NAS-Port-Type indicates the type of the port in the NAS where the user is connected. NAS-Port, which is needed by the radutmp, indicates the actual physical port the user is connected to. So, for one kind of NAS with one kind of connections, the NAS-Port-Type could be the same for every connection, but the NAS-Port would differ.

> I'm using a HP Procurve 6108 switch. I suspect that radius wants me to set the NAS-Port-Type to ethernet or similar, however I do not know how to get the switch to send a NAS-Port-Type that radius will like. radwho also does not work for my netscreen boxes.

The problem here is not the NAS-Port-Type but the lack of NAS-Port.

(sorry for the disclaimer at the end... :)

--
Tero Turtiainen
Telecom, Media & Entertainment
Capgemini
[EMAIL PROTECTED]
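An added example, not from the thread and not FreeRADIUS code: a small Python parser for records in the detail-file layout the server writes (a timestamp line, tab-indented Attribute = Value lines, a blank line between records) that flags sessions carrying a NAS-Port-Type but no NAS-Port, which is exactly the condition rlm_radutmp warns about, and summarises per NAS which devices never send one. The records in SAMPLE_DETAIL are constructed sample data; the user names and addresses are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in detail-file layout. Only the first NAS sends NAS-Port;
# the second sends NAS-Port-Type but never NAS-Port, like the switch in the post.
SAMPLE_DETAIL = """\
Tue Mar  7 10:15:02 2006
\tAcct-Status-Type = Start
\tUser-Name = "joe"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 12
\tNAS-Port-Type = Ethernet
\tAcct-Session-Id = "0001"

Tue Mar  7 10:16:45 2006
\tAcct-Status-Type = Start
\tUser-Name = "ann"
\tNAS-IP-Address = 192.0.2.20
\tNAS-Port-Type = Virtual
\tAcct-Session-Id = "0002"

Tue Mar  7 10:17:10 2006
\tAcct-Status-Type = Start
\tUser-Name = "bob"
\tNAS-IP-Address = 192.0.2.20
\tNAS-Port-Type = Virtual
\tAcct-Session-Id = "0003"
"""

# An attribute line is indented; a timestamp line is not.
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$")


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split detail-file text into one dict per accounting record.

    The record's timestamp is kept under the key "_timestamp"; quoted string
    values have their surrounding double quotes removed.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        match = ATTR_RE.match(line)
        if match is None:
            # Unindented line: timestamp that opens a new record.
            if current:
                records.append(current)
            current = {"_timestamp": line.strip()}
            continue
        name, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[name] = value
    if current:
        records.append(current)
    return records


def sessions_without_nas_port(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records radutmp cannot track: no NAS-Port, whatever NAS-Port-Type says."""
    return [r for r in records if "NAS-Port" not in r]


def nas_missing_nas_port(records: List[Dict[str, str]]) -> List[str]:
    """NAS addresses that never sent NAS-Port in any of their records."""
    seen: Dict[str, set] = {}
    for r in records:
        nas = r.get("NAS-IP-Address", "?")
        seen.setdefault(nas, set()).add("NAS-Port" in r)
    return sorted(nas for nas, flags in seen.items() if True not in flags)


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    for r in sessions_without_nas_port(recs):
        print(f'{r["_timestamp"]}: {r["User-Name"]} from {r["NAS-IP-Address"]} '
              f'(NAS-Port-Type={r.get("NAS-Port-Type", "?")}) has no NAS-Port')
    print("NAS never sending NAS-Port:", nas_missing_nas_port(recs))
```

Point the parser at a real detail file and the per-NAS summary tells you which devices need their RADIUS accounting configuration looked at before radwho or checkrad can be expected to show anything for them.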
Re: Detail File
Hi,

Alan DeKok [EMAIL PROTECTED] wrote:

> Bobby R. Cox [EMAIL PROTECTED] wrote:
>
> > I would like the detail file/dir to look like this...
> >
> >     /usr/var/radius/radaccthostname/detail
>
> The server doesn't look up hostnames, because it takes too long.
>
> > I am not sure on the syntax to get the host name to show rather than the client ip address.
>
> ln -s

I would suggest using the variable %C which is replaced with the clientname, i.e. the shortname of the client's definition in the clients.conf file. So configuring the detail-module with:

    detailfile = ${radacctdir}/%C/detail

will create the detail-files in directories with a more meaningful name (if you define those meaningful names in clients.conf :) instead of the IP-address.

The potential problem is however that according to doc/variables.txt, the one-character variables are only provided for backwards compatibility, they don't support all the features of the longer variable names, they will probably be removed in a future release, and the %C variable does not have a longer alias (like %{Clientname}). Are they going to be removed and would it be useful to make the %{Clientname} alias for %C?

--
Tero Turtiainen
TELECOM MEDIA & NETWORKS
Cap Gemini Ernst & Young
[EMAIL PROTECTED]