Re: [Fwd: LDAP CHAP born again]
Ryan Setiawan H wrote:
> right now I have already installed 2.0.3

"Try installing 2.0.5" != "I installed 2.0.3"

It's nice that it works... but...

> It just works :D thanks Alan, however there is this strange string
> "Please update your configuration so that the "known good" clear text
> password is in Cleartext-Password, and not in User-Password."
> after digging through freeradius.org, I see people also have this minor
> problem, and in a mail you say to change the attribute userPassword to
> cleartext-password.
> but in the OpenLDAP schema v3 there isn't any attribute called
> cleartext-password...
> is there any explanation for this ... everyone, if you don't mind :) .
> still digging in the OpenLDAP forum :)

Don't worry about the message. It will be fixed in a later release of the server.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [Fwd: LDAP CHAP born again]
Alan DeKok wrote:
> Try installing 2.0.5 in a separate directory and configuring it. Odds are it will work.

in time I will try to install it, but if I can't make this (LDAP CHAP) clear... definitely I will encounter the same problem again :)

> 2.0.5 has many, many fixes that aren't in 1.1.7. Some things that are difficult to impossible in 1.1.7 are easy in 2.0.5.
>
> Alan DeKok.

right now I have already installed 2.0.3 because the dependencies are just like 1.1.7 :D
waw, lots of changes I see ... but here we go, the debug:

        User-Name = "testing"
        CHAP-Password = 0xee8f74f97f724f06e54a9862f98ccef299
+- entering group authorize
++[preprocess] returns ok
  rlm_chap: Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testing", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testing
        expand: (uid=%u) -> (uid=testing)
        expand: ou=dialup,dc=zzz,dc=com -> ou=dialup,dc=zzz,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.11.17:389, authentication 0
rlm_ldap: bind as memberUid=radius,ou=admin,dc=zzz,dc=com/radiusjuga to 192.168.11.17:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
rlm_ldap: Password header not found in password Testing10 for user testing
rlm_ldap: Added User-Password = Testing10 in check items

--cut--
added User-Password = Testing10 in check items: this is the debug output difference compared to 1.1.7
--cut--

rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password:  Found Auth-Type CHAP
!!!
!!!	Replacing User-Password in config items with Cleartext-Password.
!!!
!!! Please update your configuration so that the "known good"
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
auth: type "CHAP"
+- entering group CHAP
  rlm_chap: login attempt by "testing" with CHAP password
  rlm_chap: Using clear text password "Testing10" for user testing authentication.
  rlm_chap: chap user testing authenticated succesfully
++[chap] returns ok
Login OK: [testing/] (from client local port 0)
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.

It just works :D thanks Alan, however there is this strange string
"Please update your configuration so that the "known good" clear text password is in Cleartext-Password, and not in User-Password."
after digging through freeradius.org, I see people also have this minor problem, and in a mail you say to change the attribute userPassword to cleartext-password.
but in the OpenLDAP schema v3 there isn't any attribute called cleartext-password...
is there any explanation for this ... everyone, if you don't mind :) .
still digging in the OpenLDAP forum :)

Thanks
Ryan Setiawan H

--
DISCLAIMER: The contents of this email and attachments are confidential and may be subject to legal privilege. Any unauthorized use, copying, disclosure or communicating any part of it to others is strictly prohibited and may be unlawful. If you are not the intended recipient you must not use, copy, distribute or rely on this email and should please return it immediately to the sender or notify us and delete the email and any attachments from your system. We cannot accept liability for loss or damage resulting from computer viruses. The integrity of email across the Internet cannot be guaranteed and PT BANK NISP, Tbk. will not accept liability for any claims arising as a result of the use of this medium for transmissions by or to PT BANK NISP, Tbk.
Re: [Fwd: LDAP CHAP born again]
Ryan Setiawan H wrote:
>> Try installing 2.0.5 in a separate directory and configuring it. Odds
>> are it will work.
>
> in time I will try to install it, but if I can't make this (LDAP CHAP)
> clear... definitely I will encounter the same problem again :)

2.0.5 has many, many fixes that aren't in 1.1.7. Some things that are difficult to impossible in 1.1.7 are easy in 2.0.5.

Alan DeKok.
Re: [Fwd: LDAP CHAP born again]
Hi Alan, thanks for your reply

Alan DeKok wrote:
> If the LDAP server gives FreeRADIUS the clear-text password, then CHAP should work.

yes, the LDAP server already gave the clear text password, you can see it in the debug below

rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30, length=48
        User-Name = "testing"
        CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f
cut--.
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
rlm_ldap: checking if remote access for testing is allowed by dialupAccess
rlm_ldap: Password header not found in password Testing1 for user testing

> And does CHAP work for this user?

no... what I mean is that the ldap module (rlm_ldap) could see the password for user testing, that is Testing1 (yes, this is the password). The LDAP module should pass this clear text password (Testing1) to the CHAP module to authenticate.

>> also there is a clue that parameters like
>>     password_header = "{clear}"
>>     password_attribute = userPassword
>>     password_radius_attribute = "User-Password"
>> must be set, but how?
>
> in the "ldap" section of radiusd.conf, where the LDAP parameters are configured.

yes, I've configured those strings in the ldap section of radiusd.conf... for password_attribute, clearly it must contain userPassword (the attribute where the LDAP server keeps the password), but how about password_radius_attribute? From the FAQ, password_radius_attribute is the RADIUS attribute where the user password will be stored after being extracted from LDAP. Should password_radius_attribute contain the string "User-Password" or "Clear-text Password" or maybe "CHAP-Password"? What attribute does CHAP read for authentication?

>> I'm still trying to read the code (like rlm_chap.c) to see what attribute rlm_chap reads for the password that was passed by the ldap module. but it is so arcane, and "debugging code is twice as hard as writing the code in the first place"
>
> Don't read the code. It won't help you.

yeah... it is killing me (the code) :D

>> does anyone have a solution for this matter?
>
> Try installing 2.0.5 in a separate directory and configuring it. Odds are it will work.

in time I will try to install it, but if I can't make this (LDAP CHAP) clear... definitely I will encounter the same problem again :)

Thank You
Ryan Setiawan H
Re: [Fwd: LDAP CHAP born again]
Ryan Setiawan H wrote:
> I've researched & googled about LDAP and CHAP :D, but until now it still
> doesn't work ... here is the debug, and btw I'm using freeradius-1.1.7_2:

If the LDAP server gives FreeRADIUS the clear-text password, then CHAP should work.

> rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30,
> length=48
>         User-Name = "testing"
>         CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f
> cut--.
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter
> (uid=testing)
> rlm_ldap: checking if remote access for testing is allowed by dialupAccess
> rlm_ldap: Password header not found in password Testing1 for user testing

And does CHAP work for this user?

> ---cut---
> * as you can see the radius module rlm_ldap can "see" the password for
> user testing, here the next one

Next one... what? Next request? Next user?

> based on the faq on
> http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F,
>
> it is possible to use CHAP with an LDAP backend,

Yes. It is also likely that it's much easier on 2.0.5.

> also there is a clue
> that parameters like
>     password_header = "{clear}"
>     password_attribute = userPassword
>     password_radius_attribute = "User-Password"
> must be set, but how?

in the "ldap" section of radiusd.conf, where the LDAP parameters are configured.

> I'm still trying to read the code (like rlm_chap.c) to see what
> attribute rlm_chap reads for the password that was passed by the
> ldap module. but it is so arcane, and "debugging code is twice as hard as
> writing the code in the first place"

Don't read the code. It won't help you.

> does anyone have a solution for this matter?

Try installing 2.0.5 in a separate directory and configuring it. Odds are it will work.

Alan DeKok.
[Fwd: LDAP CHAP born again]
Hi all,

I've researched & googled about LDAP and CHAP :D, but until now it still doesn't work ... here is the debug, and btw I'm using freeradius-1.1.7_2:

rad_recv: Access-Request packet from host 192.168.8.88:4609, id=30, length=48
        User-Name = "testing"
        CHAP-Password = 0x30e3e28c521fe0d81b988d2475dae76f3f
cut--.
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=dialup,dc=zzz,dc=com, with filter (uid=testing)
rlm_ldap: checking if remote access for testing is allowed by dialupAccess
rlm_ldap: Password header not found in password Testing1 for user testing
---cut---

* as you can see the radius module rlm_ldap can "see" the password for user testing, here the next one

rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testing authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: No '/' in User-Name = "testing", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "IPASS" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group CHAP for request 0
  rlm_chap: login attempt by "testing" with CHAP password
  rlm_chap: Could not find clear text password for user testing
  modcall[authenticate]: module "chap" returns invalid for request 0
modcall: leaving group CHAP (returns invalid) for request 0
auth: Failed to validate the user.
cut-

* this is a classic problem, but until now there hasn't been any straight answer for this one

based on the faq on http://wiki.freeradius.org/index.php/FAQ#How_do_I_make_CHAP_work_with_LDAP.3F, it is possible to use CHAP with an LDAP backend, also there is a clue that parameters like

    password_header = "{clear}"
    password_attribute = userPassword
    password_radius_attribute = "User-Password"

must be set, but how?

I'm still trying to read the code (like rlm_chap.c) to see what attribute rlm_chap reads for the password that was passed by the ldap module. but it is so arcane, and "debugging code is twice as hard as writing the code in the first place"

does anyone have a solution for this matter?
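The thread keeps coming back to one point: rlm_chap can only authenticate if the LDAP lookup hands it the clear-text password, because a CHAP response is an MD5 over that password and a challenge, so nothing can be verified against a stored hash. The following is an added illustration of that check, not FreeRADIUS code; the `{clear}` header handling is a simplified model of the `password_header` setting discussed above, the 16-byte challenge and the `{SSHA}` placeholder are constructed, and the "Testing1" password is the one from Ryan's directory.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values. The thread's directory stored "Testing1" for user
# "testing"; the challenge is made up (in RADIUS it is the CHAP-Challenge
# attribute, or the 16-byte Request Authenticator when that attribute is absent).
STORED_CLEAR = "{clear}Testing1"
STORED_BARE = "Testing1"          # no header: the "Password header not found" case
STORED_HASHED = "{SSHA}<constructed-placeholder>"
CHALLENGE = bytes(range(16))


def extract_cleartext(stored: str, password_header: str = "{clear}") -> Optional[str]:
    """Simplified model of the password_header setting: strip the configured
    header and hand the clear text to the check item (User-Password in 1.1.x,
    Cleartext-Password in 2.x). A value under any other scheme header is a
    hash, which CHAP cannot verify, so this model returns None for it."""
    if stored.startswith(password_header):
        return stored[len(password_header):]
    if stored.startswith("{"):
        return None
    return stored  # header absent: the value is taken as clear text as-is


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 response as carried in the 17-byte CHAP-Password attribute:
    Identifier || MD5(Identifier || clear-text password || challenge)."""
    digest = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(chap_password: bytes, challenge: bytes, stored: str) -> bool:
    """What rlm_chap has to do: recompute the response from the clear-text
    password and compare. With no clear text there is nothing to hash, which
    is the "Could not find clear text password" failure seen in the debug."""
    cleartext = extract_cleartext(stored)
    if cleartext is None or len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)


if __name__ == "__main__":
    resp = chap_response(0x30, "Testing1", CHALLENGE)
    print("{clear} header:", verify_chap(resp, CHALLENGE, STORED_CLEAR))   # True
    print("no header:     ", verify_chap(resp, CHALLENGE, STORED_BARE))    # True
    print("{SSHA} hash:   ", verify_chap(resp, CHALLENGE, STORED_HASHED))  # False
```

The third case is the whole reason the FAQ insists on `{clear}`: a directory that stores only hashed userPassword values cannot support CHAP, whatever the RADIUS-side attribute is called.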