Re: Freeradius PEAP/MSCHAPv2 against Apple OpenDirectory

2011-07-27 Thread m4xmr
Hi,
have you found a solution or a workaround?
I have the same problem you experienced.
I configured freeradius to "talk" with LDAP on Mac, but in the end I realized
that the clear-text password of the LDAP user isn't saved in the userPassword
field.
OpenDirectory doesn't use that field and implements the authentication through
Kerberos.
I've just recompiled freeradius with the rlm_opendirectory module enabled
and now I'm experiencing the problem you were talking about... I suppose I
have to install freeradius on the same machine as OpenDirectory.
I'm pretty upset about it... it's a little odd.
Have you got some useful information about it?

Let me know, please.

Max

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Freeradius-PEAP-MSCHAPv2-against-Apple-OpenDirectory-tp2787113p4637821.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius - LDAP

2011-07-20 Thread m4xmr
On 20/07/11 10.19, Fajar A. Nugraha-2 [via FreeRadius] wrote:
> On Wed, Jul 20, 2011 at 3:07 PM, m4xmr <[hidden email]
> > wrote:
>> Hello,
>> I'm trying to make LDAP work as the authentication backend for RADIUS.
>> I verified that the data are right and the query to LDAP works properly
>> if I use ldapsearch.
> 
> does LDAP BIND work correctly using ldapsearch (i.e. ldapsearch -D)

I tried:  ldapsearch -x -b "dc=example,dc=com" "uid=ldapuser"
and it works fine:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=ldapuser
# requesting: ALL
#

# ldapuser, People, example.com
dn: uid=ldapuser,ou=People,dc=example,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: MTIxMjEyIA==
shadowLastChange: 15174
shadowMin: 0
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/ldapuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

> 
>> rad_recv: Access-Request packet from host 127.0.0.1:59221, id=78, length=60
>> User-Name = "ldapuser"
>> User-Password = "121212"
> 
>> rlm_ldap: Setting Auth-Type = ldap
> 
> Hmmm ... that's odd. I thought rlm_ldap was supposed to just grab
> attributes (e.g. Cleartext-Password) and not set the Auth-Type? Are
> you doing anything special like forcing Auth-Type := LDAP?

I was following a tutorial, this one:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS
> 
>> rlm_ldap: user ldapuser authorized to use remote access
> 
> this line says there's a user called ldapuser
> 
>> rlm_ldap: - authenticate
>> rlm_ldap: login attempt by "ldapuser" with password "121212"
>> rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
>> rlm_ldap: (re)connect to localhost:389, authentication 1
>> rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/121212 to localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind failed with invalid credentials
> 
> ... while this one says the bind failed. Is the password correct?

I configured that password... it could be some problem of hashing, maybe.

Anyway, I have upgraded to FreeRADIUS Version 2.1.7;
this is the output of radiusd -X:

radiusd -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar 31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/otp
including configuration file 
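A check worth running on the ldapsearch output quoted above (an added example, not code from the thread or from FreeRADIUS): LDIF prints a value with a double colon (`::`) when it had to be base64-encoded, which happens for non-printable bytes and for leading or trailing whitespace. Decoding the `userPassword:: MTIxMjEyIA==` line shows exactly what the directory holds and lets you compare it byte-for-byte with the password the client sends, which is what a simple bind does. The sample entry is constructed from the thread; the `{SSHA}` branch is a generalization beyond the page for hashed values.

```python
import base64
import re

# Constructed sample: the relevant lines of the ldapsearch entry from the
# thread, with the base64-encoded ("::") userPassword line as printed there.
SAMPLE_LDIF = """\
dn: uid=ldapuser,ou=People,dc=example,dc=com
uid: ldapuser
objectClass: posixAccount
userPassword:: MTIxMjEyIA==
"""

_LDIF_LINE = re.compile(r"^([^:]+)(::?)\s*(.*)$")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [bytes, ...]}.

    ':'  introduces a plain value; '::' introduces a base64 value (used by
    ldapsearch when the value is non-printable or has edge whitespace).
    A line starting with a space continues the previous line (LDIF folding).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = _LDIF_LINE.match(line).groups()
        data = base64.b64decode(value) if sep == "::" else value.encode()
        entry.setdefault(attr.strip(), []).append(data)
    return entry


def check_password(entry, submitted):
    """Say whether a simple bind with `submitted` can match the stored value."""
    stored = entry.get("userPassword", [b""])[0]
    if stored.startswith(b"{"):  # e.g. {SSHA}...: only the server can compare
        scheme = stored[1:stored.index(b"}")].decode(errors="replace")
        return "hashed (%s): server-side comparison only" % scheme
    if stored == submitted.encode():
        return "match"
    if stored.strip() == submitted.encode():
        return "mismatch: stored value has edge whitespace %r" % stored
    return "mismatch"


if __name__ == "__main__":
    print(check_password(parse_ldif_entry(SAMPLE_LDIF), "121212"))
```

For the entry above the stored value decodes to `121212` followed by a space, so a bind with `121212` is rejected as invalid credentials; a trailing space is invisible in the plain LDIF view and easy to miss when the password was set.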

FreeRadius - LDAP

2011-07-20 Thread m4xmr
Hello,
I'm trying to make LDAP work as the authentication backend for RADIUS.
I verified that the data are right and the query to LDAP works properly
if I use ldapsearch.
I get this "rad_recv: Access-Reject packet from host 127.0.0.1:1812,
id=78, length=20" when I try from radtest...

This is the output of radiusd in debug-mode:

rad_recv: Access-Request packet from host 127.0.0.1:59221, id=78, length=60
User-Name = "ldapuser"
User-Password = "121212"
NAS-IP-Address = 255.255.255.255
NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat:  '(uid=ldapuser)'
radius_xlat:  'dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser)
rlm_ldap: Added password 121212  in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "ldapuser" with password "121212"
rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/121212 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "ldap" returns reject for request 2
modcall: leaving group LDAP (returns reject) for request 2
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [ldapuser] (from client localhost port 2)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...

I hope someone can help me... I'm totally stuck.

Regards,
Max 

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/FreeRadius-LDAP-tp4615085p4615085.html