FreeRadius - LDAP

2011-07-20 Thread m4xmr
Hello,
I'm trying to make LDAP work as the authentication backend for RADIUS.
I verified that the data are right and the query to LDAP works properly
if I use ldapsearch.
I get this "rad_recv: Access-Reject packet from host 127.0.0.1:1812,
id=78, length=20" when I try from radtest ...

This is the output of radiusd in debug-mode:

rad_recv: Access-Request packet from host 127.0.0.1:59221, id=78, length=60
User-Name = "ldapuser"
User-Password = "121212"
NAS-IP-Address = 255.255.255.255
NAS-Port = 2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat:  '(uid=ldapuser)'
radius_xlat:  'dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser)
rlm_ldap: Added password 121212  in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "ldapuser" with password "121212"
rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/121212 to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
  modcall[authenticate]: module "ldap" returns reject for request 2
modcall: leaving group LDAP (returns reject) for request 2
auth: Failed to validate the user.
Login incorrect (rlm_ldap: Bind as user failed): [ldapuser] (from client
localhost port 2)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...

I hope someone can help me... I'm totally stuck.

Regards,
Max 

--
View this message in context: 
http://freeradius.1045715.n5.nabble.com/FreeRadius-LDAP-tp4615085p4615085.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius + LDAP

2012-12-10 Thread Brekler Custodio

Hello guys, I was wondering, does anyone know how to configure an LDAP
(phpldapadmin) to work with freeradius? I searched all over the web and couldn't
find a tutorial that teaches how to configure a simple DB to work with FR. The FR
is configured already, it's very simple, but the LDAP I can't handle.

FreeRadius + LDAP

2004-10-04 Thread Christopher Price
I am running freeradius 1.0.0 and I am attempting to configure an LDAP
backend DB to authenticate Windows users. The Windows users are using
PEAP with MSCHAPv2. Earlier I got the LDAP authentication working with
clear passwords, but now the passwords are being hashed. I know
that LDAP stores cleartext passwords, but there must be some way to make
this work. Any help would be appreciated.

Chris Price
Information Facilities Technician
Olivet Nazarene University
[EMAIL PROTECTED]
(815)928-5523



Freeradius + ldap

2010-06-25 Thread Marzieh Raoufnezhad
Hi,
I installed freeradius and configured it with LDAP and  installed pptp also
in debian lenny. I can login to radius server from windows and I have VPN
connection and internet.
Now I want to restrict my VPN users' bandwidth and internet charge (for
example a 4G charge for each user), but I don't know how to do it with
freeradius+LDAP.

I would be grateful if you can answer me as soon as possible.
Regards,
Raoufnezhad

freeradius + ldap

2010-12-01 Thread Ana Gallardo
Hello,

I'm using freeradius 2.1.10 and I want to use ldap as a backend in the
authorize section to take the userPassword attribute (unix crypt) to
authenticate the user.

My problem is: the ldap server doesn't have a public key that an admin user (who
binds) can take. So I have to bind in the authorize section with the user and
password (clear text) in the request.

Is this possible?

What are my possibilities?

Here is my actual configuration in my test:

LDAP MODULE

ldap ldapPerson{
   server = "ldap."
   basedn = "ou=people,dc=unex,dc=es"
   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
  start_tls = no
   }
   dictionary_mapping = ${confdir}/ldapPerson.attrmap
   edir_account_policy_check = no
   set_auth_type = yes
}

SERVER

server test{

authorize {
  suffix
  files
  ldapPerson
  expiration
  pap
}

authenticate {
  Auth-Type PAP {
pap
  }
}

}


DEBUG

rad_recv: Access-Request packet from host X.X.X.X port 38152, id=201,
length=58
User-Name = "aigalla...@unex.es"
User-Password = "pass"
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm "unex.es" for User-Name = "aigalla...@unex.es"
[suffix] Found realm "unex.es"
[suffix] Adding Stripped-User-Name = "aigallardo"
[suffix] Adding Realm = "unex.es"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to X :389, authentication 0
  [ldapPerson] bind as / to  :389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez"
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
} # server test



Thank you very much and sorry for my English.


++ Ana Gallardo Gómez ++

Freeradius Ldap

2011-03-21 Thread Usuário do Sistema
Hello everyone, I'm having difficulty with freeradius and LDAP.

User authentication only works when I put the User-Password in the user file
in clear text, as follows:

"maicon.pereira" Cleartext-Password := "meleca"
        Reply-Message = "Hello, %{User-Name}"

However, my integration between Freeradius and Ldap isn't working.

My question is: is it possible to make the integration?? Because I've
read that freeradius needs to supply the User-Password to ldap in clear text.

Is it true??

I wish to use ldap as the authentication database.


Thanks!

freeradius + ldap

2006-05-02 Thread ludovic cailleau
Good morning,

I have made an authentication 802.11x with Freeradius and its 'user' file. Now I would like to use Ldap. I have made a configuration but it does not run.

Have you got a procedure for the configuration of Freeradius and Ldap?

Thanks

freeradius+LDAP

2005-02-22 Thread anderson souza
Good morning to all!!

I would like to know whether any of the friends here knows of some
documentation on the freeradius + LDAP implementation, or even
a possible "road of the stones" for the configuration on Debian sarge!!!

Thanks in advance for everyone's attention...

Att.
Anderson



freeradius + LDAP

2005-02-23 Thread anderson souza
Good morning to all!!
> 
> I would like to know whether any of the friends here knows of some
> documentation on the poptop + freeradius + LDAP implementation, or even
> a possible "road of the stones" for the configuration on Debian sarge!!!
> 
> Thanks in advance for everyone's attention...
> 
> Att.
> Anderson
>



Freeradius Ldap

2005-09-23 Thread Cris Boisvert
I'm setting up freeradius to talk to an Ipswitch Imail server for
authentication.

Just needs to do the basic  User  Pass... Ok.


LDAP Server is 192.168.77.6  (this is all private testing) (the imail
server)

Domain on the server is pork.com

A snippet of the config.
---
ldap {
server = "192.168.77.6"
#identity = "cn=root,o=My Org,c=UA"
#password = test1234
basedn = "o=My Org,c=UA"
#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# base_filter = "(objectclass=radiusprofile)"

# set this to 'yes' to use TLS encrypted connections
__--

I suspect that I'm having a problem with the Basedn.. On the imail server
the LDAP user and pass is 
Root and test1234


The actual mail account that I'm trying to authorize against is [EMAIL PROTECTED]
pass test


Below is a cut from radiusd -X debug..

Anyone have any recommendations?



modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "[EMAIL PROTECTED]" with password "test"
radius_xlat:  '([EMAIL PROTECTED])'
radius_xlat:  'o=My Org,c=UA'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.77.6:389, authentication 0
rlm_ldap: bind as / to 192.168.77.6:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=My Org,c=UA, with filter
([EMAIL PROTECTED])
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authenticate]: module "ldap" returns notfound for request 0
modcall: group Auth-Type returns notfound for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 37 to 192.168.77.6:2686
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 37 with timestamp 43345c56
Nothing to do.  Sleeping until we see a request.



Freeradius LDAP

2005-09-26 Thread Cris Boisvert
Cris Boisvert wrote:
> I'm setting up freeradius to talk to an Ipswitch Imail server for
> authentication.
> 
> Just needs to do the basic  User  Pass... Ok.
> 
> 
[..]
> A snippet of the config.
> ---
> ldap {
> server = "192.168.77.6"
> #identity = "cn=root,o=My Org,c=UA"
> #password = test1234
> basedn = "o=My Org,c=UA"
> #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> # base_filter = "(objectclass=radiusprofile)"
> 
> # set this to 'yes' to use TLS encrypted connections
> __--
> 
[..]
> Below is  a Cut form radiusd -X debug..
> 
> Anyone have any reccomendations>?
> 
> 
> 
>   modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "test at pork.com" with password "test"
> radius_xlat:  '(uid=test at pork.com)'
> radius_xlat:  'o=My Org,c=UA'

Do you really have an object with attribute uid="test at pork.com"?
I think you should split the username with delimiter '@', so you search
for uid=test,dc=pork,dc=com (or similar).

But if you have such objects, try ldap_debug=0x between ldap { } in
your radiusd.conf.

Linus van Geuns




For testing purposes I do have a user of [EMAIL PROTECTED] 
I have set the debug option to 0x .. There was no more debug info than
before.
Where in the radiusd.conf am I supposed to put "uid=test,dc=pork,dc=com "
reference?


Sorry I'm not really up on ldap..

Thanx




freeradius + ldap

2004-01-13 Thread Joe Hetrick
Hey all,
	I'm currently doing a bit of battle with FreeRadius rlm_ldap.  I'm not 
quite sure where my problems lie, so I figured I'd ask the list.

	Background:
	
	New OpenLDAP install with what seemed to be working entries for 
qmail-ldap/pop3/courier-imap-ldap to be happy but I'm afraid I'm 
missing something for FreeRadius that I can't quite nail down.

	Sample LDIF for a user (with qmail specifics left in):

dn: [EMAIL PROTECTED],o=MyNet Networks,c=US
userPassword: {CRYPT}SNOUEr6lAxJJg
cn: Joe Mamma
sn: Mamma
objectClass: top
objectClass: person
objectClass: qmailuser
mailHost: testbox.mynet.net
mailMessageStore: /maildirs/joe/
uid: joe
uid: [EMAIL PROTECTED]
accountStatus: active
qmailDotMode: ldaponly
mailQuotaSize: 1
mailQuotaCount: 1
mail: [EMAIL PROTECTED]
mailAlternateAddress: [EMAIL PROTECTED]

FreeRadius 0.9.3 (not out of ports, obviously), FreeBSD 4.9.

radiusd.conf:

 basedn = "o=MyNet Networks,c=US"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
radiusd -X -A with a ./radtest joe test localhost 0 secret (test is 
CRYPTed in the LDIF)

I have auth failure show up in radius debug:

Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:3453, id=12, 
length=55
User-Name = "joe"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "eap" returns noop for request 1
rlm_realm: No '@' in User-Name = "joe", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "joe" with password "test"
radius_xlat:  '(uid=joe)'
radius_xlat:  'o=MyNet Networks,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=MyNet Networks,c=US, with filter 
(uid=joe)
ldap_release_conn: Release Id: 0
rlm_ldap: user DN: [EMAIL PROTECTED],o=MyNet Networks,c=US
rlm_ldap: (re)connect to lance.mynet.net:389, authentication 1
rlm_ldap: bind as [EMAIL PROTECTED],o=MyNet Networks,c=US/test 
to lance.mynet.net:389
rlm_ldap: waiting for bind result ...
  modcall[authenticate]: module "ldap" returns reject for request 1
modcall: group Auth-Type returns reject for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 12 to 127.0.0.1:3453
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 12 with timestamp 4004b280
Nothing to do.  Sleeping until we see a request.

After some thought, I changed my crypt in the LDIF to something else, 
first SSHA, and then MD5, and all of a sudden
auth worked (with both).  Clearly I have a problem with CRYPT...

The only hint is in configure output:

checking for crypt.h... no
checking whether crypt must be declared... no
checking for crypt in -lcrypt... yes
This seems like everything is ok, but, clearly it isn't..

It wouldn't be a big deal, except I have many crypt'd PW's I'd intended 
on migrating into my directory that I would like  radius to auth 
against.

This may be better off in a FBSD list, but, I thought I'd ask here 
since I hadn't yet encountered the problem with any other
app i've been working with (except quite probably pam_ldap).

Thanks!

Joe

--
Joe Hetrick: jhetrick(at)avalon.net | Systems Admin Avalon Networks Inc.
perl -e 'print pack("H*","6a6865747269636b406176616c6f6e2e6e6574")'
Your Excuse is: Root name servers corrupted.

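Joe's post above (a {CRYPT} value rejected while {SSHA} and {MD5} values verify) and the earlier question from Usuário do Sistema about whether FreeRADIUS needs cleartext passwords in LDAP both come down to how a stored userPassword value is compared with the password in the request. OpenLDAP keeps the hash behind an RFC 2307 style {SCHEME} prefix, the salted schemes append the salt to the digest before base64 encoding, and the {CRYPT} scheme is the one case that cannot be checked with a portable hash library because it is delegated to the platform's crypt(3), which is the dependency Joe's configure output is probing. This is the same comparison rlm_pap performs once rlm_ldap has fetched the hashed value as the "known good" password; note that none of these digests can serve PEAP/MSCHAPv2 (Chris Price's question earlier on this page), which needs a cleartext or NT-hashed password. The module below is an added example, not FreeRADIUS or OpenLDAP code: it generates and verifies {SSHA}, {SMD5}, {SHA}, {MD5} and prefix-less cleartext values, takes a crypt(3) callable for {CRYPT} because Python's own crypt module is deprecated, and uses constant-time comparison throughout. The salt length and the sample values are the example's own choices.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# RFC 2307 style userPassword encodings as OpenLDAP stores them:
#   {SHA}   base64(sha1(pw))              {SSHA}  base64(sha1(pw + salt) + salt)
#   {MD5}   base64(md5(pw))               {SMD5}  base64(md5(pw + salt) + salt)
#   {CRYPT} crypt(3) output               no prefix: the cleartext password itself
SALTED = {"SSHA": "sha1", "SMD5": "md5"}
UNSALTED = {"SHA": "sha1", "MD5": "md5"}
DIGEST_LEN = {"sha1": 20, "md5": 16}


def split_scheme(stored: str):
    """Return (SCHEME, payload); SCHEME is None when there is no {..} prefix."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.upper(), payload
    return None, stored


def make_hash(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value in the given scheme.  The salt is 8 random
    bytes unless one is supplied; that length is this example's choice."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme in SALTED:
        salt = secrets.token_bytes(8) if salt is None else salt
        digest = hashlib.new(SALTED[scheme], pw + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))
    if scheme in UNSALTED:
        digest = hashlib.new(UNSALTED[scheme], pw).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))
    raise ValueError(f"cannot generate scheme {scheme}")


def verify_userpassword(password: str, stored: str,
                        crypt_fn: Optional[Callable[[str, str], str]] = None) -> bool:
    """Check password against a stored userPassword value.  crypt_fn(password,
    setting) must behave like crypt(3) and is only consulted for {CRYPT}."""
    scheme, payload = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme is None:                              # cleartext in the directory
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme in SALTED or scheme in UNSALTED:
        algo = SALTED.get(scheme) or UNSALTED[scheme]
        try:
            blob = base64.b64decode(payload, validate=True)
        except binascii.Error:
            return False
        n = DIGEST_LEN[algo]
        digest, salt = blob[:n], blob[n:]           # salt is whatever follows the digest
        if len(digest) != n or (scheme in UNSALTED and salt):
            return False
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    if scheme == "CRYPT":
        # The one platform-dependent scheme: the stored string is both the
        # salt/setting passed to crypt(3) and the expected output.
        if crypt_fn is None:
            raise ValueError("{CRYPT} needs a crypt(3) implementation; none supplied")
        return hmac.compare_digest(crypt_fn(password, payload).encode("utf-8"),
                                   payload.encode("utf-8"))
    raise ValueError(f"unsupported userPassword scheme {{{scheme}}}")


if __name__ == "__main__":
    stored = make_hash("test", "SSHA")
    print(stored, verify_userpassword("test", stored), verify_userpassword("Test", stored))
```

A verifier that cannot handle a scheme raises rather than returning False, so a misconfigured crypt(3) shows up as an error in the logs instead of looking like a wrong password, which is the ambiguity Joe was chasing.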

Freeradius + Ldap + attributes

2008-08-28 Thread Ivan .
Hi

I have Freeradius configured with a backend of OpenLdap for user management.

I would like to be able to pass attributes for Nortel and Juniper
gear, which when statically defining users in user file is done via:

user  Auth-type:=Local, User-Password := "test"
Juniper-Local-User-Name ="DEV",
Service-Type = Administrative-User

Is there a way to pass these attributes when using Ldap for user management?

thanks
Ivan


Freeradius LDAP problem

2007-08-29 Thread George Beitis
Hi everyone
I have a problem.  I set up freeradius to use a local ldap server to
authenticate a user.  When I say authenticate I mean check if the user
is there, check their password, and accept or reject them.  When I do
such an authentication I get a message from freeradius saying that the user
is authorised successfully, but when it goes to the authentication
section it uses a unix module, fails and rejects the user.  I tried
commenting in the post auth ldap section, and commented it out again, but
nothing.  Does the authorized successfully part mean the user is there
but it can't compare the passwords or something?


Re: FreeRadius - LDAP

2011-07-20 Thread Fajar A. Nugraha
On Wed, Jul 20, 2011 at 3:07 PM, m4xmr  wrote:
> Hello,
> I'm trying to make working LDAP as authentication backend for RADIUS.
> I verified that the data are right and the query to LDAP is properly working
> if I use ldapsearch.

does LDAP BIND work correctly using ldapsearch (i.e. ldapsearch -D)

> rad_recv: Access-Request packet from host 127.0.0.1:59221, id=78, length=60
>        User-Name = "ldapuser"
>        User-Password = "121212"

> rlm_ldap: Setting Auth-Type = ldap

Hmmm ... that's odd. I thought rlm_ldap was supposed to just grab
attributes (e.g. Cleartext-Password) and not set the Auth-Type? Are
you doing anything special like forcing Auth-Type := LDAP?

> rlm_ldap: user ldapuser authorized to use remote access

this line says there's a user called ldapuser

> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "ldapuser" with password "121212"
> rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/121212 to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind failed with invalid credentials

... while this one says the bind failed. Is the password correct?

-- 
Fajar



Re: FreeRadius - LDAP

2011-07-20 Thread m4xmr
[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for ldapuser
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> ldapuser
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=ldapuser)
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that
the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "ldapuser" with password "MTIxMjEyIA=="
[ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA==
to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
++[ldap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> ldapuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.5 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 207 to 127.0.0.1 port 36725
Waking up in 4.9 seconds.
Cleaning up request 0 ID 207 with timestamp +1224
Ready to process requests.

Do you have any idea?
Am I not seeing something?


Regards,
Max





Re: FreeRadius - LDAP

2011-07-20 Thread up
 = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
> NAS-Port"
>   }
>  Module: Checking accounting {...} for more modules to load
>  Module: Linked to module rlm_detail
>  Module: Instantiating detail
>   detail {
>   detailfile = 
> "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>   header = "%t"
>   detailperm = 384
>   dirperm = 493
>   locking = no
>   log_packet_header = no
>   }
>  Module: Instantiating attr_filter.accounting_response
>   attr_filter attr_filter.accounting_response {
>   attrsfile = "/etc/raddb/attrs.accounting_response"
>   key = "%{User-Name}"
>   }
>  Module: Checking session {...} for more modules to load
>  Module: Checking post-proxy {...} for more modules to load
>  Module: Checking post-auth {...} for more modules to load
>  } # modules
> } # server
> radiusd:  Opening IP addresses and Ports 
> listen {
>   type = "auth"
>   ipaddr = *
>   port = 0
> }
> listen {
>   type = "acct"
>   ipaddr = *
>   port = 0
> }
> listen {
>   type = "control"
>  listen {
>   socket = "/var/run/radiusd/radiusd.sock"
>  }
> }
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on proxy address * port 1814
> Ready to process requests.
>
> --->
>
> NOW, when I try the auth:
> radtest ldapuser 121212 localhost 2 testing123
>
> I get this output on the client side
>
> Sending Access-Request of id 207 to 127.0.0.1 port 1812
>   User-Name = "ldapuser"
>   User-Password = "MTIxMjEyIA=="
>   NAS-IP-Address = 127.0.0.1
>   NAS-Port = 2
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=207,
> length=20
>
> AND this one on the radius server side:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 36725, id=207,
> length=60
>   User-Name = "ldapuser"
>   User-Password = "MTIxMjEyIA=="
>   NAS-IP-Address = 127.0.0.1
>   NAS-Port = 2
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> [ldap] performing user authorization for ldapuser
> [ldap]expand: %{Stripped-User-Name} ->
> [ldap]expand: %{User-Name} -> ldapuser
> [ldap]expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (uid=ldapuser)
> [ldap]expand: dc=example,dc=com -> dc=example,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser)
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that
> the user is configured correctly?
> [ldap] Setting Auth-Type = LDAP
> [ldap] user ldapuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = LDAP
> +- entering group LDAP {...}
> [ldap] login attempt by "ldapuser" with password "MTIxMjEyIA=="
> [ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA==
> to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind failed with invalid credentials
> ++[ldap] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]   expand: %{User-Name} -> ldapuser
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.5 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 207 to 127.0.0.1 port 36725
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 207 with timestamp +1224
> Ready to process requests.
>
> Do you have any idea?
> I'm not seeing something?
>
>
> Regards,
> Max
>
>



Re: FreeRadius - LDAP

2011-07-20 Thread Massimiliano Tommasi
ng session {...} for more modules to load
>>  Module: Checking post-proxy {...} for more modules to load
>>  Module: Checking post-auth {...} for more modules to load
>>  } # modules
>> } # server
>> radiusd:  Opening IP addresses and Ports 
>> listen {
>>  type = "auth"
>>  ipaddr = *
>>  port = 0
>> }
>> listen {
>>  type = "acct"
>>  ipaddr = *
>>  port = 0
>> }
>> listen {
>>  type = "control"
>>  listen {
>>  socket = "/var/run/radiusd/radiusd.sock"
>>  }
>> }
>> Listening on authentication address * port 1812
>> Listening on accounting address * port 1813
>> Listening on command file /var/run/radiusd/radiusd.sock
>> Listening on proxy address * port 1814
>> Ready to process requests.
>>
>> --->
>>
>> NOW, when I try the auth:
>> radtest ldapuser 121212 localhost 2 testing123
>>
>> I get this output on the client side
>>
>> Sending Access-Request of id 207 to 127.0.0.1 port 1812
>>  User-Name = "ldapuser"
>>  User-Password = "MTIxMjEyIA=="
>>  NAS-IP-Address = 127.0.0.1
>>  NAS-Port = 2
>> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=207,
>> length=20
>>
>> AND this one on the radius server side:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 36725, id=207,
>> length=60
>>  User-Name = "ldapuser"
>>  User-Password = "MTIxMjEyIA=="
>>  NAS-IP-Address = 127.0.0.1
>>  NAS-Port = 2
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>> [suffix] No '@' in User-Name = "ldapuser", looking up realm NULL
>> [suffix] No such realm "NULL"
>> ++[suffix] returns noop
>> [eap] No EAP-Message, not doing EAP
>> ++[eap] returns noop
>> ++[unix] returns notfound
>> ++[files] returns noop
>> [ldap] performing user authorization for ldapuser
>> [ldap]   expand: %{Stripped-User-Name} ->
>> [ldap]   expand: %{User-Name} -> ldapuser
>> [ldap]   expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
>> (uid=ldapuser)
>> [ldap]   expand: dc=example,dc=com -> dc=example,dc=com
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to localhost:389, authentication 0
>> rlm_ldap: bind as / to localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser)
>> [ldap] looking for check items in directory...
>> [ldap] looking for reply items in directory...
>> WARNING: No "known good" password was found in LDAP.  Are you sure that
>> the user is configured correctly?
>> [ldap] Setting Auth-Type = LDAP
>> [ldap] user ldapuser authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> ++[expiration] returns noop
>> ++[logintime] returns noop
>> [pap] WARNING! No "known good" password found for the user.
>> Authentication may fail because of this.
>> ++[pap] returns noop
>> Found Auth-Type = LDAP
>> +- entering group LDAP {...}
>> [ldap] login attempt by "ldapuser" with password "MTIxMjEyIA=="
>> [ldap] user DN: uid=ldapuser,ou=People,dc=example,dc=com
>> rlm_ldap: (re)connect to localhost:389, authentication 1
>> rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/MTIxMjEyIA==
>> to localhost:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind failed with invalid credentials
>> ++[ldap] returns reject
>> Failed to authenticate the user.
>> Using Post-Auth-Type Reject
>> +- entering group REJECT {...}
>> [attr_filter.access_reject]  expand: %{User-Name} -> ldapuser
>>  attr_filter: Matched entry DEFAULT at line 11
>> ++[attr_filter.access_reject] returns updated
>> Delaying reject of request 0 for 1 seconds
>> Going to the next request
>> Waking up in 0.5 seconds.
>> Sending delayed reject for request 0
>> Sending Access-Reject of id 207 to 127.0.0.1 port 36725
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 207 with timestamp +1224
>> Ready to process requests.
>>
>> Do you have any idea?
>> Is there something I'm not seeing?
>>
>>
>> Regards,
>> Max
>>
>>
>>>
>>> --
>>> Fajar
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html

-- 
:: P u r p l e   s r l
:: security and network
:: via Vittorio Veneto 8/B :: i-20091 Bresso - Milano
:: web: www.purplesrl.com

:: Massimiliano Tommasi
:: email: m.tomm...@purplesrl.com
:: phone: +39 02 36687280 :: fax: +39 02 700511249

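The authenticate step above binds to the directory with the User-Password exactly as the server received it, so the first thing to compare is the value in the server's rad_recv dump against what was typed on the radtest command line. As an added example (not code from the thread or from FreeRADIUS), the script below parses constructed copies of the attribute lines quoted above and reports whether the received value equals the typed password, or is a base64 wrapping of it; "MTIxMjEyIA==" is the base64 encoding of "121212 " with a trailing space, which is not the password the directory entry was given. The log lines, the typed password and the verdict labels are assumptions for this illustration.

```python
"""Compare the User-Password a radiusd -X dump shows with the password typed on the client.

Added example, not from the mailing-list thread. The debug lines below are
constructed copies of the Access-Request dump quoted above.
"""
import base64
import binascii
import re

# Constructed sample input: the relevant lines of the server-side debug output.
DEBUG_LINES = [
    'rad_recv: Access-Request packet from host 127.0.0.1 port 36725, id=207,',
    'length=60',
    '\tUser-Name = "ldapuser"',
    '\tUser-Password = "MTIxMjEyIA=="',
    '\tNAS-IP-Address = 127.0.0.1',
    '\tNAS-Port = 2',
    '[ldap] login attempt by "ldapuser" with password "MTIxMjEyIA=="',
]

# Matches the quoted attribute lines of a packet dump, e.g. '\tUser-Name = "ldapuser"'.
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"([^"]*)"\s*$')


def parse_request_attrs(lines):
    """Return the quoted attribute/value pairs of a packet dump as a dict."""
    attrs = {}
    for line in lines:
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def try_base64(value):
    """Return the decoded text if value is strict base64 of UTF-8 text, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def diagnose_password(attrs, typed_password):
    """Compare what the server received with what was typed on the client.

    Verdicts (assumed labels for this example): 'ok', 'base64-wrapped',
    'trailing-whitespace', 'mismatch' or 'missing'. Because rlm_ldap binds
    with the received value verbatim, anything other than 'ok' is enough
    to produce "Bind failed with invalid credentials" even when the
    directory entry and the LDAP server are configured correctly.
    """
    sent = attrs.get("User-Password")
    if sent is None:
        return "missing"
    if sent == typed_password:
        return "ok"
    decoded = try_base64(sent)
    if decoded is not None and decoded.strip() == typed_password:
        return "base64-wrapped"
    if sent.strip() == typed_password:
        return "trailing-whitespace"
    return "mismatch"


if __name__ == "__main__":
    received = parse_request_attrs(DEBUG_LINES)
    print("received:", received["User-Password"], "->", try_base64(received["User-Password"]))
    print("verdict:", diagnose_password(received, "121212"))
```

The same check can be run against the "[ldap] login attempt by ... with password" line, since that is the string rlm_ldap hands to the bind; if it differs from the typed password, the client side (how radtest built the request) is where to look, not the directory.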


Re: FreeRadius - LDAP

2011-07-20 Thread Massimiliano Tommasi
Timeout
>> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
>> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
>> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
>> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
>> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
>> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
>> Framed-AppleTalk-Link
>> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
>> Framed-AppleTalk-Network
>> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
>> Framed-AppleTalk-Zone
>> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
>> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
>> rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
>> rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
>> rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
>> rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
>> Tunnel-Private-Group-Id
>> conns: 0x89d0250
>>  Module: Checking authorize {...} for more modules to load
>>  Module: Linked to module rlm_preprocess
>>  Module: Instantiating preprocess
>>   preprocess {
>>  huntgroups = "/etc/raddb/huntgroups"
>>  hints = "/etc/raddb/hints"
>>  with_ascend_hack = no
>>  ascend_channels_per_line = 23
>>  with_ntdomain_hack = no
>>  with_specialix_jetstream_hack = no
>>  with_cisco_vsa_hack = no
>>  with_alvarion_vsa_hack = no
>>   }
>>  Module: Checking preacct {...} for more modules to load
>>  Module: Linked to module rlm_acct_unique
>>  Module: Instantiating acct_unique
>>   acct_unique {
>>  key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
>> NAS-Port"
>>   }
>>  Module: Checking accounting {...} for more modules to load
>>  Module: Linked to module rlm_detail
>>  Module: Instantiating detail
>>   detail {
>>  detailfile = 
>> "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>>  header = "%t"
>>  detailperm = 384
>>  dirperm = 493
>>  locking = no
>>  log_packet_header = no
>>   }
>>  Module: Instantiating attr_filter.accounting_response
>>   attr_filter attr_filter.accounting_response {
>>  attrsfile = "/etc/raddb/attrs.accounting_response"
>>  key = "%{User-Name}"
>>   }
>>  Module: Checking session {...} for more modules to load
>>  Module: Checking post-proxy {...} for more modules to load
>>  Module: Checking post-auth {...} for more modules to load
>>  } # modules
>> } # server
>> radiusd:  Opening IP addresses and Ports 
>> listen {
>>  type = "auth"
>>  ipaddr = *
>>  port = 0
>> }
>> listen {
>>  type = "acct"
>>  ipaddr = *
>>  port = 0
>> }
>> listen {
>>  type = "control"
>>  listen {
>>  socket = "/var/run/radiusd/radiusd.sock"
>>  }
>> }
>> Listening on authentication address * port 1812
>> Listening on accounting address * port 1813


Troubleshooting FreeRadius +LDAP

2011-09-12 Thread Ricardo Sousa
Greetings list users,

I'm trying to set up FreeRadius to work with LDAP in a deployment of ClearOS and
have followed this How-To
http://www.clearfoundation.com/docs/howtos/setting_up_freeradius2_to_use_ldap
and this How-To http://deployingradius.com/documents/configuration/pap.html
with success, up to the part of the initial radtest with credentials inserted in
the users file. But when trying to use credentials from the LDAP directory, the
Radius server returns an Access-Reject packet.
Below is the output from the debug mode.

***
login as: root
root@192.168.3.5's password:
Last login: Mon Sep 12 13:31:45 2011 from 192.168.3.2
[root@system ~]# service radiusd stop
Stopping RADIUS server:[  OK  ]
[root@system ~]# radiusd -X
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on May 19 2010 
at 13:10:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clearos-clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/clearos-eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/clearos-inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loa

Re: Freeradius + LDAP

2012-12-10 Thread Matthias Nagel
Hello,
what exactly is your problem?
a) Do you want to know how to configure a web administration GUI (phpldapadmin)
for your LDAP server? Then your problem is purely related to the LDAP server, PHP
and a web server. Hence, this is the wrong mailing list to ask for
advice.

b) Or do you want to know how to use a LDAP directory as a password backend? 
But then this question has nothing to do with phpldapadmin. You said, that 
RADIUS is already configured and running. Where are the user credentials stored 
at the moment?

Matthias

Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
ICQ: 499797758
Skype: nagmat84

Brekler Custodio wrote:
Hello guys, I was wondering, does anyone know how to configure an LDAP
(phpldapadmin) to work with freeradius?
I searched all over the web and couldn't find a tutorial that teaches how to
configure a simple DB to work with FR.
The FR is configured already, it's very simple, but the LDAP I can't handle.


PPTP + FreeRadius + LDAP

2008-11-26 Thread Douglas Macedo
Hey guys,

I'm trying to configure a VPN server with PPTP, using the 'radiusclient', to
connect to a FreeRadius server, with auth against an LDAP server.

I "finished" the configuration, but when I try to connect with a Windows XP
client, it doesn't work.

The radiusd -X output:

=
[EMAIL PROTECTED] /usr/local/etc/raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded LDAP
 ldap: server = "ldap.telemedicina.ufsc.br"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=Manager,dc=telemedicina,dc=ufsc,dc=br"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = "XXX"
 ldap: basedn = "ou=Users,dc=telemedicina,dc=ufsc,dc=br"
 ldap: filter = "(&(objectClass=posixAccount)(uid=%u))"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "{Cleartext-Password}"
 ldap: password_attribute = "sambaNTPassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP r

FreeRADIUS LDAP HOWTO

2009-02-14 Thread Andrew Hall
I'd just like to make other subscribers / searchers / admins pulling
their hair out aware of the FreeRADIUS LDAP HOWTO available here...

http://freeradius.org/radiusd/doc/ldap_howto.txt

For some reason it doesn't seem to be linked to on any main website or
wiki page - bizarrely including the HOWTO page...

http://wiki.freeradius.org/HOWTO

Perhaps this can be rectified?

I wish I'd found it earlier!

Thanks.


Secure FreeRADIUS & LDAP

2009-02-20 Thread Dan Hawker
Hi All,

I used to use FreeRADIUS *years* back (iirc pre v1) on Linux and it
worked rather well :)

Not touched it since, however have just started a new contract and
there is a requirement to use a RADIUS server to connect to our LDAP
box (Red Hat Dir Server) to in turn authenticate some users/equipment
that can't auth directly, but due to the nature of the environment,
all datastores and comms have to be secured/encrypted.

As the host will be RHEL5, FreeRADIUS would seem the ideal candidate
(comes with it, although a rather ancient 1.1.3 version by default,
can upgrade if needed), however before I start installing and testing,
wondered whether it will satisfy the secure part of the requirements.

So... My questions...
# Can freeradius talk to the ldap box using TLS/SSL (ldaps)?
# Can freeradius read hashed credentials from the LDAP store and then
actually use them?
# There may be a requirement to use certificates for auth; can the
ldap/freeradius module handle certs?

Am sure there will be other issues/questions but until then.

TIA

Dan

-- 
--
Dan Hawker
danhaw...@googlemail.com
--


Re: FreeRadius + LDAP

2004-10-04 Thread Alan DeKok
"Christopher Price" <[EMAIL PROTECTED]> wrote:
> I am running freeradius 1.0.0 and I am attempting to configure an LDAP
> backend DB to authenticate Windows users. The Windows users are using
> PEAP with MSCHAPv2. Earlier I got the LDAP authentication working with
> clear passwords, but now that the passwords are being hashed.

  Which passwords are being hashed?  Are the passwords in LDAP hashed,
or clear-text?

>  I know that LDAP stores cleartext passwords,

  Are you sure?  If it did, then MS-CHAP would work.

  Alan DeKok.



Re: FreeRadius + LDAP

2004-10-04 Thread Christopher Price
Well, I had the LDAP auth working when I passed a cleartext password, so I
assumed that they were stored in the clear. (I am not the administrator of
the eDirectory server that I am authenticating against) I attempted to use
the Microsoft built-in 802.1x client in conjunction with my wireless system,
but it is not working when I use this method. The Windows clients are using
PEAP-MSCHAPv2 and the authentication works if I use a local database on the
freeradius server. As soon as I switch to a LDAP DB the authentication fails
saying "rlm_ldap: search failed".

>>>[EMAIL PROTECTED] 10/04 2:08 pm >>>
"Christopher Price" <[EMAIL PROTECTED]> wrote:
>I am running freeradius 1.0.0 and I am attempting to configure an LDAP
>backend DB to authenticate Windows users. The Windows users are using
>PEAP with MSCHAPv2. Earlier I got the LDAP authentication working with
>clear passwords, but now that the passwords are being hashed.

 Which passwords are being hashed?  Are the passwords in LDAP hashed,
or clear-text?

> I know that LDAP stores cleartext passwords,

 Are you sure?  If it did, then MS-CHAP would work.

 Alan DeKok.


Re: FreeRadius + LDAP

2004-10-04 Thread Alan DeKok
"Christopher Price" <[EMAIL PROTECTED]> wrote:
> Well, I had the LDAP auth working when I passed a cleartext password, so
> I assumed that they were stored in the clear.

  No.  Read the debug log to see what kind of passwords are read from LDAP.

> I attempted to use the Microsoft built-in 802.1x client in conjunction
> with my wireless system, but it is not working when I use this method.

  Well, yes.

> The Windows clients are using PEAP-MSCHAPv2 and the authentication works
> if I use a local database on the freeradius server. As soon as I switch
> to a LDAP DB the authentication fails saying rlm_ldap: search failed. 

  And the real debug log is... ?

  Alan DeKok.



Re: FreeRadius + LDAP

2004-10-05 Thread Christopher Price
Here is the debug information...

Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Pam
Module: Instantiated pam (pam)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded LDAP
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x80aa600
Module: Instantiated ldap (ldap)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type tls
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded Counter
Module: Instantiated counter (daily)
Module: Loaded Acct-Unique-Session-Id
Module: Insta

Re: FreeRadius + LDAP

2004-10-05 Thread Andreas Haumer

Hi!

Christopher Price wrote:
> I am running freeradius 1.0.0 and I am attempting to configure an LDAP
> backend DB to authenticate Windows users. The Windows users are using
> PEAP with MSCHAPv2. Earlier I got the LDAP authentication working with
> clear passwords, but now that the passwords are being hashed. I know
> that LDAP stores cleartext passwords, but there must be some way to make
> this work. Any help would be appreciated.
>

I have similar requirements and I have a working setup for
that. I have to admit that it took me several days to figure
out a working configuration. I found some documentation and
lots of websites and mail-archives, but for the most part they
seem either outdated, they contradict each other or they
talk about different things... :-(

So here's my current knowledge about MSCHAPv2+PPTP+RADIUS+LDAP
I hope it is helpful...

1.) We have a Linux NAS running the poptop pptp daemon (v1.1.3)
and ppp 2.4.2 with support for mppe and mschapv2. There is
also the ppp radius plugin installed.
The relevant configuration entries for PPP are in file
/etc/ppp/options.pptp and look like this:

refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe
plugin radius.so

   The PPP radius plugin is configured in file
   /etc/radiusclient/radiusclient.conf to use the internal
   AAA server (attributes "authserver", "acctserver",
   etc. - this should be quite straightforward)

2.) The internal AAA server is running freeradius-1.0.0
and openldap-2.2.17 under linux. This is the hairy part!

2.1) First, the OpenLDAP server is set up to act as a central
 database for all user authorization and accounting in the
 whole network. It hosts the whole stuff for POSIX accounts,
 samba Accounts, Mailserver and so on. All linux clients and
 services are using this system either via PAM (like openssh),
 PAM via saslauthd (like cyrus imapd) or directly (like samba).

 IMHO it is most important to have this working first. You
 have to have some way to store your samba NT and LM passwords
 in your LDAP tree! I use samba 3.x so I have the new samba LDAP
 schema loaded into openldap (this is important to know, because
 attribute names have changed!)
 We have also some Web-GUI installed to be able to modify the LDAP
 database in some easy way (we use phpldapadmin)

2.2) The FreeRADIUS server is set up to support MSCHAPv2 authentication.
 This is not trivial and requires some fiddling.

2.2.1) I changed ldap.attrmap to support the new samba LDAP schema:

checkItem   LM-Password sambaLmPassword
checkItem   NT-Password sambaNtPassword

2.2.2) in radiusd.conf I have the mschap and ldap modules
   configured as follows:

mschap {
    authtype = MS-CHAP
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = no
}

ldap {
    server = "ldap.example.com"
    identity = "cn=admin,ou=accounts,dc=example,dc=com"
    password = mysecretpwd
    basedn = "ou=accounts,dc=example,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    base_filter = "(objectclass=radiusprofile)"

    start_tls = no

    dictionary_mapping = ${raddbdir}/ldap.attrmap

    ldap_cache_timeout = 120
    ldap_cache_size = 0
    ldap_connections_number = 10

    password_attribute = sambaNTPassword

    timeout = 4
    timelimit = 3
    net_timeout = 1
    compare_check_items = no
}

2.2.3) in radiusd.conf I have the authorized and authenticate
   sections configured as follows:

authorize {
    preprocess
    auth_log
    suffix
    files
    ldap
    mschap
}

authenticate {
    mschap
}

IMHO there are two important parts here:
a) in the authorize section I have the "ldap" module and the "mschap"
   module following immediately

b) in the "authenticate" section there is only the "mschap" module listed.

With this setup, a successful PPTP VPN login from a Windows 2000 client
looks as follows (from the freeradius point of view):

[...]
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host nnn.nnn.nnn.3:32770, id=118, length=131
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "max"
MS-CHAP-Challenge = 0xde65622e5ee33d76564050f066c5ed08
MS-CHAP2-Response = 
0x42007abfccafd6a8ad3f81ac09c888027cf67ddcd3d388abc667d87b8920cc9d6e2c6f70ef5396e35841
NAS-IP-Address = nnn.nnn.nnn.3
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[autho

Re: FreeRadius + LDAP

2004-10-05 Thread Alan DeKok
"Christopher Price" <[EMAIL PROTECTED]> wrote:
> Here is the debug information... 

  No, it isn't.

  You have very carefully edited out significant portions of the debug
log.  I don't see why.

> EAP-Message = 0x0201000b01637072696365 
...
> rlm_ldap: Attribute User-Password is required for authentication. 

  You have set "Auth-Type := LDAP".  Don't do that.

  I don't see why it's so difficult to get the server to work.  Just
configure a clear-text password for a user, configure the various
modules, and it will work.  Many of the problems people run into are
problems like this one: they've done a lot of work to ensure the
server is broken, and then wonder why it doesn't work.

  Change as little as possible in the server to get it to work.  If
you don't understand what it's doing or why, then don't change it.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius + LDAP

2004-10-05 Thread Alan DeKok
Andreas Haumer <[EMAIL PROTECTED]> wrote:
> 2.2) The FreeRADIUS server ist set up to support MSCHAPv2 authentication.
>  This is not trivial and requires some fiddling.

  Absolutely not.  If you configure a user && clear-text password,
then MSCHAPv2 authentication will work the first time you try it in
the default configuration.

> 2.2.3) in radiusd.conf I have the authorized and authenticate
>sections configured as follows:

  Please, please, edit those sections AS LITTLE AS POSSIBLE.

  The more edits people make to those sections, the more likely they
are to break the server.  The intent is that in order to use various
modules, they should be simply uncommented.

> IMHO there are two important parts here:
> a) in the authorize section I have the "ldap" module and the "mschap"
>module following immediately

  They are in the reverse order in the default "radiusd.conf".
Switching the order makes it more difficult for the server to figure
out what to do.

> b) in the "authenticate" section there is only the "mschap" module listed.

  This means PAP, CHAP, and EAP won't work.

> As far as I can tell this works quite fine. If anyone wants to
> comment this setup or has some tips and improvements I would
> be happy to hear. Perhaps we can collect all the information and
> write an up-to-date HOWTO for this kind of application.

  A "howto" is: CHANGE AS LITTLE AS POSSIBLE IN THE DEFAULT CONFIGURATION.

  The default configuration was created by people with years of
experience using FreeRADIUS, who understand the internals very well
(often having programmed them.)  If you think you can do a better job,
you should ensure that you understand exactly what you're doing.

> 
> 1.) Most important: I still do not really understand all the
> configuration details of freeradius. There are still lots
> of mystic configuration attributes and I don't know if I
> need all of them or not. This makes me nervous

  I don't see what's "mystic".  The configuration files contain a lot
of comments describing what the configuration attributes are, and what
they do.

> 2.) I want to have the VPN users in several different access
> groups. I currently do not know how to set up this in a
> elegant way.

  "man rlm_passwd"

  Alan DeKok.




Re: FreeRadius + LDAP

2004-10-05 Thread Andreas Haumer

Hi!

Alan DeKok wrote:
> Andreas Haumer <[EMAIL PROTECTED]> wrote:
>
>>2.2) The FreeRADIUS server ist set up to support MSCHAPv2 authentication.
>> This is not trivial and requires some fiddling.
>
>
>   Absolutely not.  If you configure a user && clear-text password,
> then MSCHAPv2 authentication will work the first time you try it in
> the default configuration.
>
But clear-text passwords are in many situations a no-no
and usually you already have the sambav3 schema which gives you
the windows password hashes which will work with mschapv2 authentication

>
>>2.2.3) in radiusd.conf I have the authorized and authenticate
>>   sections configured as follows:
>
>
>   Please, please, edit those sections AS LITTLE AS POSSIBLE.
>
I have used the documentation from the freeradius package.
Look at ldap_howto.txt to see how it is edited.

>   The more edits people make to those sections, the more likely they
> are to break the server.  The intent is that in order to use various
> modules, they should be simple uncommented.
>
Hm.
You can put it another way: a huge configuration file with lots
of lines, some of them commented out, can be quite confusing for
the reader. But YMMV of course...

>
>>IMHO there are two important parts here:
>>a) in the authorize section I have the "ldap" module and the "mschap"
>>   module following immediately
>
>
>   They are in the reverse order in the the default "radiusd.conf".
> Switching the order makes it more difficult for the server to figure
> out what to do.
>
>
>>b) in the "authenticate" section there is only the "mschap" module listed.
>
>
>   This means PAP, CHAP, and EAP won't work.
>
>
>>As far as I can tell this works quite fine. If anyone wants to
>>comment this setup or has some tips and improvements I would
>>be happy to hear. Perhaps we can collect all the information and
>>write an up-to-date HOWTO for this kind of application.
>
>
>   A "howto" is: CHANGE AS LITTLE AS POSSIBLE IN THE DEFAULT CONFIGURATION.
>
>   The default configuration was created by people with years of
> experience using FreeRADIUS, who understand the internals very well
> (often having programmed them.)  If you think you can do a better job,
> you should ensure that you understand exactly what you're doing.
>
I of course don't think I can do a better job than you, I
never wanted to make such a statement. But there is documentation
in the freeradius package which also gives examples of big changes
to the config files.

For me it's easier to understand a small, single purpose
configuration file (which has only the settings necessary for
that purpose) than a big one where you have to find the relevant
information between lots of irrelevant comments.

- andreas

--
Andreas Haumer | mailto:[EMAIL PROTECTED]
*x Software + Systeme  | http://www.xss.co.at/
Karmarschgasse 51/2/20 | Tel: +43-1-6060114-0
A-1100 Vienna, Austria | Fax: +43-1-6060114-71




Re: FreeRadius + LDAP

2004-10-05 Thread Christopher Price
I tried starting from scratch with the default configuration files. Just for giggles I put a dummy user in the users file and commented out any reference to ldap in the authorize and authentication sections of radiusd.conf. The 802.1X worked fine in this manner. Now that I am back to almost the default state, what additional parameters are required to make the LDAP piece work?


Re: FreeRadius + LDAP

2004-10-05 Thread Alan DeKok
Andreas Haumer <[EMAIL PROTECTED]> wrote:
> But clear-text passwords are in many situations a no-no

  Too bad.

  Debugging a system is very different than running a live system.

  For debugging purposes, the FIRST THING anyone should do is to
configure a test user && a clear-text password for that user.  Doing
anything else is not only wasting your time as admin, it's wasting
everyone else's time when you eventually get stuck, and ask questions
on the list.

  Debugging means "stick your fingers in your ears, close your eyes,
and repeat 100 times 'I MUST USE CLEAR-TEXT PASSWORDS' ".

  Once the system works for the test user, THEN try real users.  If
it's not done in that order, you will NEVER be able to track down
what's going wrong, and why.

> You can put it another way: a huge configuration file with lots
> of lines, some of them commented out, can be quite confusing for
> the reader. But YMMV of course...

  Too bad.

  If someone is not willing to read the comments in "radiusd.conf"
which explain how to configure the server, then they end up being rude
by asking obvious questions on the list.  The documentation exists,
people should read it.  If they're not going to read it, they're going
to be told to RTFM on the list.

  And most text editors have a "find" function.  If you're trying to
configure ldap, load "radiusd.conf", and keep looking for "ldap".
That will let you skip 99% of the stuff in "radiusd.conf" which has
nothing to do with what you're trying to configure.

  It's that easy.

> For me it's easier to understand a small, single purpose
> configuration file (which has only the settings necessary for
> that purpose) than a big one where you have to find the relevant
> information between lots of irrelevant comments.

  ... irrelevant for you, but relevant for everyone else.

  We simply can't configure the server to "do the right thing" for
everyone's network.  It's impossible.  Instead, we make the server "do
the right thing" for the most general cases, and include documentation
telling people how to edit it for their network.

  Having a "small, single purpose" configuration file is a guaranteed
way to have 100x the questions on this list.  Trust me, having been on
this list for 5 years, less documentation means more questions.

  Alan DeKok.




Re: FreeRadius + LDAP

2004-10-05 Thread Alan DeKok
"Christopher Price" <[EMAIL PROTECTED]> wrote:
> I tried starting from scratch with the default configuration files. Just
> for giggles I put a dummy user in the users file and commented out any
> reference to ldap in the authorize and authentication sections of
> radiusd.conf. The 802.1X worked fine in this manner.

  Yup.

> Now that I am back to almost the default state, what additional
> parameters are required to make the LDAP piece work?

  Configure the ldap{} subsection in modules{}.

  Uncomment ldap in authorize{}

  Delete the dummy user from the "users" file.

  Use "radtest" to do PAP authentication for a dummy user in the LDAP
database.

  Use something else to do MS-CHAP authentication for a dummy user in
the LDAP database.  For testing, you may want to put a clear-text
password in LDAP.

  If you don't want to permanently have clear-text passwords in LDAP,
try adding an 'ntPassword' or 'sambaNtPassword' to LDAP for the dummy
user, and deleting the clear-text password from LDAP.

  Try PAP && MS-CHAP again.

  If MS-CHAP works, then PEAP should work.

  Alan DeKok.



Re: FreeRadius + LDAP

2004-10-05 Thread Stefan . Neis
Hi,

> But clear-text passwords are in many situations a no-no
> and usually you already have the sambav3 schema which
> gives you
> the windows password hashes which will work with mschapv2
> authentication

The whole security of RADIUS (and any similar product) is based
on clear-text passwords (no matter if they are called client secrets
or pre-shared keys or something else), so if that's a no-no for you,
you just can't centralize user management. OTOH, if you can
accept that those "network root passwords" are stored in clear-text
form, what's the problem with storing mere user passwords in
clear-text as well?

  Regards,
 Stefan



Re: FreeRadius + LDAP

2004-10-05 Thread Christopher Price

Doubt - Freeradius + Ldap

2010-11-01 Thread eduardo moreira
Hello list,

I'm new to freeradius, but have read a lot about this and can't solve my problem.
I have this problem with my implementation.

Only this message appears with freeradius -X -x:
Mon Nov  1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/tls because we
do not have OpenSSL support.
Mon Nov  1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/ttls because we
do not have OpenSSL support.
Mon Nov  1 15:04:23 2010 : Debug: rlm_eap: Ignoring EAP-Type/peap because we
do not have OpenSSL support.

Reminder: I am using Debian 5.0.

And when I try to connect, this message appears:

Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS
attribute Group == "eduardo"
Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: looking for reply items in
directory...
Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: user eduardo authorized to use
remote access
Mon Nov  1 15:06:10 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: returned from ldap
(rlm_ldap) for request 0
Mon Nov  1 15:06:10 2010 : Debug: ++[ldap] returns ok
Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 0
Mon Nov  1 15:06:10 2010 : Debug:   rlm_eap: No EAP-Message, not doing EAP
Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: returned from eap
(rlm_eap) for request 0
Mon Nov  1 15:06:10 2010 : Debug: ++[eap] returns noop
Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 0
Mon Nov  1 15:06:10 2010 : Debug:   modsingle[authorize]: returned from chap
(rlm_chap) for request 0
Mon Nov  1 15:06:10 2010 : Debug: ++[chap] returns noop
Mon Nov  1 15:06:10 2010 : Debug:
!!!
Mon Nov  1 15:06:10 2010 : Debug: !!!Replacing User-Password in config
items with Cleartext-Password. !!!
Mon Nov  1 15:06:10 2010 : Debug:
!!!
Mon Nov  1 15:06:10 2010 : Debug: !!! Please update your configuration so
that the "known good"   !!!
Mon Nov  1 15:06:10 2010 : Debug: !!! clear text password is in
Cleartext-Password, and not in User-Password. !!!
Mon Nov  1 15:06:10 2010 : Debug:
!!!
Mon Nov  1 15:06:10 2010 : Debug: auth: type Local
Mon Nov  1 15:06:10 2010 : Debug: auth: user supplied User-Password does NOT
match local User-Password
Mon Nov  1 15:06:10 2010 : Debug: auth: Failed to validate the user.
Mon Nov  1 15:06:10 2010 : Auth: Login incorrect:
[eduardo/1\320\026\305\020B)\323I\211�?\001\nx\204] (from client
BrasilTelecom port 1812)
Mon Nov  1 15:06:10 2010 : Debug:   WARNING: Unprintable characters in the
password.Double-check the shared secret on the server and the NAS!
Mon Nov  1 15:06:10 2010 : Debug: Delaying reject of request 0 for 1 seconds

I tried to reinstall but had no success.

I need help; thanks in advance.

If anyone has a solution or anything else, please help me.

And sorry for my bad English.

Regards,
Eduardo

Freeradius + LDAP auth

2010-11-23 Thread Old Eduardo
Sorry list,

but I have been trying to configure this for a few weeks and have had no success.
I really need help from the list.

I have tried all the sites on Google, but had no success.

I tried these:
http://blog.yufeng.net/index.php/2010/07/debian-poptop-freeradius-openldap/
http://wiki.freeradius.org/Rlm_ldap
http://mhoran.wordpress.com/2007/11/25/freeradius-on-freebsd-and-openldap/

my debug output only shows:

rad_recv: Access-Request packet from host 10.12.60.32 port 35717, id=31,
length=64
 User-Name = "ipe-dp"
 User-Password = "7\271D\250yhG'E\361\t{\237\366S\347"
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 1812
 Framed-Protocol = PPP
Tue Nov 23 07:37:24 2010 : Debug: +- entering group authorize
Tue Nov 23 07:37:24 2010 : Debug:   modsingle[authorize]: calling preprocess
(rlm_preprocess) for request 0
Tue Nov 23 07:37:24 2010 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 0
Tue Nov 23 07:37:24 2010 : Debug: ++[preprocess] returns ok
Tue Nov 23 07:37:24 2010 : Debug:   modsingle[authorize]: calling ldap
(rlm_ldap) for request 0
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: - authorize
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: performing user authorization
for ipe-dp
Tue Nov 23 07:37:24 2010 : Debug:  expand: (uid=%u) -> (uid=ipe-dp)
Tue Nov 23 07:37:24 2010 : Debug:  expand:
dc=policiacivil,dc=rs,dc=gov,dc=br -> dc=policiacivil,dc=rs,dc=gov,dc=br
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: (re)connect to ldap.intra
proxy.intra localhost:389, authentication 0
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: bind as
uid=vpnpptp,ou=sistemas,dc=policiacivil,dc=rs,dc=gov,dc=br/dfjk129!@ to
ldap.intra proxy.intra localhost:389
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: waiting for bind result ...
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: Bind was successful
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: performing search in
dc=policiacivil,dc=rs,dc=gov,dc=br, with filter (uid=ipe-dp)
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: Added User-Password =
{SSHA}dd3MzvDRyDeyeuDkPTy391H3FX2vynZl in check items
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: No default NMAS login sequence
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: looking for check items in
directory...
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: LDAP attribute sambaNTPassword
as RADIUS attribute NT-Password ==
0x3244413944423342333039463632333434374232384536393635374142333642
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: LDAP attribute sambaLMPassword
as RADIUS attribute LM-Password ==
0x3845433036323546444141393630353041414433423433354235313430344545
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: LDAP attribute cn as RADIUS
attribute Group == "ipe-dp"
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: looking for reply items in
directory...
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: user ipe-dp authorized to use
remote access
Tue Nov 23 07:37:24 2010 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Nov 23 07:37:24 2010 : Debug:   modsingle[authorize]: returned from ldap
(rlm_ldap) for request 0
Tue Nov 23 07:37:24 2010 : Debug: ++[ldap] returns ok
Tue Nov 23 07:37:24 2010 : Debug:
!!!
Tue Nov 23 07:37:24 2010 : Debug: !!!Replacing User-Password in config
items with Cleartext-Password. !!!
Tue Nov 23 07:37:24 2010 : Debug:
!!!
Tue Nov 23 07:37:24 2010 : Debug: !!! Please update your configuration so
that the "known good"   !!!
Tue Nov 23 07:37:24 2010 : Debug: !!! clear text password is in
Cleartext-Password, and not in User-Password. !!!
Tue Nov 23 07:37:24 2010 : Debug:
!!!
Tue Nov 23 07:37:24 2010 : Debug: auth: type Local
Tue Nov 23 07:37:24 2010 : Debug: auth: user supplied User-Password does NOT
match local User-Password
Tue Nov 23 07:37:24 2010 : Debug: auth: Failed to validate the user.
Tue Nov 23 07:37:24 2010 : Auth: Login incorrect:
[ipe-dp/7\271D\250yhG'E\361\t{\237\366S\347] (from client BrasilTelecom port
1812)
Tue Nov 23 07:37:24 2010 : Debug:   WARNING: Unprintable characters in the
password.Double-check the shared secret on the server and the NAS!
Tue Nov 23 07:37:24 2010 : Debug: Delaying reject of request 0 for 1 seconds
Tue Nov 23 07:37:24 2010 : Debug: Going to the next request
Tue Nov 23 07:37:24 2010 : Debug: Waking up in 0.9 seconds.
Tue Nov 23 07:37:25 2010 : Debug: Sending delayed reject for request 0
Sending Access-Reject of id 31 to 10.12.60.32 port 35717
Tue Nov 23 07:37:25 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 10.12.60.32 port 1812, id=31,
length=20
rad_verify: Received Access-Reject packet from client 10.12.60.32 port 1812
with invalid
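Both of Eduardo's logs end with the same warning, "Unprintable characters in the password. Double-check the shared secret on the server and the NAS!". A RADIUS User-Password is hidden by XORing it with MD5(shared secret + Request-Authenticator) (RFC 2865), so when the NAS and the server disagree on the secret the server recovers arbitrary bytes and no LDAP check item can ever match. The Python example below is added here and is not from the list thread or from FreeRADIUS; the secret, authenticator and password values are constructed, and the printable-byte check is an assumed approximation of the warning's logic, not FreeRADIUS code.

```python
import hashlib

# RFC 2865 section 5.2: the NAS hides User-Password by XORing each 16-byte
# block of the NUL-padded password with MD5(secret + previous block); the
# "previous block" for the first block is the 16-byte Request-Authenticator.


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the on-the-wire User-Password value as a NAS would send it."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # chaining: the next key depends on this hidden block
    return bytes(hidden)


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the clear-text password the way the RADIUS server does."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(clear).rstrip(b"\x00")  # drop the NUL padding


def has_unprintable(password: bytes) -> bool:
    """Assumed approximation (not FreeRADIUS code) of the check behind the
    "Unprintable characters in the password" warning: anything outside
    printable ASCII in a decoded password points at a shared-secret mismatch."""
    return any(b < 0x20 or b > 0x7E for b in password)


def demo() -> dict:
    """Hide a password as the NAS would, then decode it with a matching and a
    mismatched server secret. All values are constructed for this example."""
    authenticator = bytes(range(0x10, 0x20))  # stand-in for a random Request-Authenticator
    nas_secret = b"testing123"                # secret configured on the NAS
    password = b"121212"                      # the password from the first post in this thread

    on_the_wire = hide_user_password(password, nas_secret, authenticator)

    # Server side, case 1: clients.conf carries the same secret as the NAS.
    good = unhide_user_password(on_the_wire, nas_secret, authenticator)
    # Server side, case 2: clients.conf carries a different secret (typo,
    # stale entry, or the request matched the wrong client block).
    bad = unhide_user_password(on_the_wire, b"testing124", authenticator)

    return {
        "wire_hex": on_the_wire.hex(),
        "matching_secret": good,
        "matching_unprintable": has_unprintable(good),
        "mismatched_secret": bad,
        "mismatched_unprintable": has_unprintable(bad),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the matching secret the decoded value is "121212"; with the other secret it is arbitrary bytes that no userPassword, sambaNTPassword or Cleartext-Password check can match, which is the state the two logs show.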

Re: freeradius + ldap

2010-12-01 Thread Josip Rodin
On Wed, Dec 01, 2010 at 12:48:14PM +0100, Ana Gallardo wrote:
> My problem is: the ldap server don't have public key that an admin user
> (who bind) can take. So I have to bind in the authorize section with the
> user and password (clear text) in the request.

> authenticate {
>   Auth-Type PAP {
> pap
>   }
> }

Add LDAP into the authenticate section, so that it simply tries to re-bind
with the provided credentials? Like this:

Auth-Type LDAP {
ldapPerson
}

-- 
 2. That which causes joy or happiness.


Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Josip, thanks for your response.


> Add LDAP into the authenticate section, so that it simply tries to re-bind
> with the provided credentials? Like this:
>
>Auth-Type LDAP {
>ldapPerson
>}
>

I tried this configuration too, but it doesn't work for me. Freeradius doesn't
set the value of the Auth-Type attribute. I think that this is because the
userPassword attribute is only visible to each particular user when it binds.

rad_recv: Access-Request packet from host X.X.X.X port 49621, id=130,
length=58
User-Name = "aigalla...@unex.es"
User-Password = ""
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm "unex.es" for User-Name = "aigalla...@unex.es"
[suffix] Found realm "unex.es"
[suffix] Adding Stripped-User-Name = "aigallardo"
[suffix] Adding Realm = "unex.es"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to ldap.unex.es:389, authentication 0
  [ldapPerson] bind as / to ldap.unex.es:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez,Dpto.
Tecno. Computadores y Comuni.,,"
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
} # server test


Thank you very much and sorry for my English.



++ Ana Gallardo Gómez ++

Re: freeradius + ldap

2010-12-02 Thread Josip Rodin
On Thu, Dec 02, 2010 at 09:09:51AM +0100, Ana Gallardo wrote:
> > Add LDAP into the authenticate section, so that it simply tries to re-bind
> > with the provided credentials? Like this:
> >
> >Auth-Type LDAP {
> >ldapPerson
> >}
> >
> 
> I try this configuration too, but it doesn't work for me. Freeradius doesn't
> set the value to Auth-Type attribute. I thik that this is because the
> userPassword attribute is only visible to each particular user when binds.

This is an orthogonal issue; you don't have to allow anyone to read the
value of the userPassword attribute, you just have to get the FR ldap
module to *bind* to the LDAP server with the username and password from
the request. Then the LDAP server verifies it against whatever it needs
in the background, and you don't care.

> # Executing section authorize from file /etc/freeradius/sites-enabled/test
> +- entering group authorize {...}
>   [ldapPerson] bind as / to ldap.unex.es:389
>   [ldapPerson] waiting for bind result ...
>   [ldapPerson] Bind was successful

This is log output for an anonymous bind in authorize section ("bind as /
to" means "bind as /"). What is the output for the
authenticated bind, that happens in the authenticate section?

-- 
 2. That which causes joy or happiness.


Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Hello again. Ok, now I can authenticate a user using LDAP.

> I'm using freeradius 2.1.10 and I want to use ldap like a backend in
> authorize section to take userPassword attribute (unix crypt) to
> authenticate the user.
>
> My problem is: the ldap server doesn't have a public key that an admin user (who
> binds) can take. So I have to bind in the authorize section with the user and
> password (clear text) in the request.
>
> Is this possible?
>

I have read that this is not ok

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html


> What are my posibilities?
>

I think that what I can do is:
- in authorize section bind like anonymous user and take the public
attributes that I need to authorize the user.
- in authenticate section bind like the user who want to access

The configuration that works:


LDAP MODULE

ldap ldapPerson{
   server = "xxx"
   basedn = "ou=people,dc=unex,dc=es"
   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
  start_tls = no
   }
   dictionary_mapping = ${confdir}/ldapPerson.attrmap
   edir_account_policy_check = no
   set_auth_type = yes
}

SERVER

server test{

authorize {
  suffix
  files
  ldapPerson
  expiration
  update control {
 Auth-Type := "LDAP"
  }
}

authenticate {
  Auth-Type LDAP {
ldapPerson
  }
}

}

DEBUG


rad_recv: Access-Request packet from host x.x.x.x port 48259, id=145,
length=58
User-Name = "aigalla...@unex.es"
User-Password = ""
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm "unex.es" for User-Name = "aigalla...@unex.es"
[suffix] Found realm "unex.es"
[suffix] Adding Stripped-User-Name = "aigallardo"
[suffix] Adding Realm = "unex.es"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson] expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=aigallardo)
[ldapPerson] expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to x.x.x.x:389, authentication 0
  [ldapPerson] bind as / to x.x.x.x:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez..."
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
++[control] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/test
+- entering group LDAP {...}
[ldapPerson] login attempt by "aigallardo" with password ""
[ldapPerson] user DN: uid=aigallardo,ou=People,dc=unex,dc=es
  [ldapPerson] (re)connect to x.x.x.x:389, authentication 1
  [ldapPerson] bind as uid=aigallardo,ou=People,dc=unex,dc=es/x to
x.x.x.x:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
[ldapPerson] user aigallardo authenticated succesfully
++[ldapPerson] returns ok
} # server test
Sending Access-Accept of id 145 to x.x.x.x port 48259
Nombre-Completo = "Ana-Isabel Gallardo Gomez..."


I don't know if this is the best way to solve my problem; if someone has
something better, I would like to know.

Thank you very much and sorry for my English.



++ Ana Gallardo Gómez ++

Re: freeradius + ldap

2010-12-02 Thread Ana Gallardo
Hello Josip and thank you again for your response.

> This is an orthogonal issue; you don't have to allow anyone to read the
> value of the userPassword attribute, you just have to get the FR ldap
> module to *bind* to the LDAP server with the username and password from
> the request.


Ok, now I know.

> This is log output for an anonymous bind in authorize section ("bind as /
> to" means "bind as /"). What is the output for the
> authenticated bind, that happens in the authenticate section?
>

There is no authenticated bind because Freeradius doesn't set Auth-Type
and...

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user

Thanks

++ Ana Gallardo Gómez ++

Re: freeradius + ldap

2010-12-02 Thread Josip Rodin
On Thu, Dec 02, 2010 at 02:37:43PM +0100, Ana Gallardo wrote:
> I have read that this is not ok
> 
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html

OK, and you're not doing that which is described above, so you're fine.

> The configuration that work:
> 
> ldap ldapPerson{
>set_auth_type = yes
> }

I think this is the catch. I don't have this particular option in my config,
but I see now that it looks like they're all 2.1.8.

> authorize {
>   ldapPerson
>   update control {
>  Auth-Type := "LDAP"
>   }
> }

This seems redundant. If ldapPerson already ran, with the set_auth_type
option, ...

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius + ldap

2010-12-03 Thread Josip Rodin
On Thu, Dec 02, 2010 at 03:48:34PM +0100, Josip Rodin wrote:
> > The configuration that work:
> > 
> > ldap ldapPerson{
> >set_auth_type = yes
> > }
> 
> I think this is the catch. I don't have this particular option in my config,
> but I see now that it looks like they're all 2.1.8.

I re-checked the documentation and I see now that it had nothing to do
with versions, but a simple fact that the LDAP module defers to
any other Auth-Type - and you had a PAP handler there.

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius Ldap

2011-03-21 Thread joao...@gmail.com
Maicon,

Since I saw "Pereira" in your name, I assume you are from Brazil, so I will
answer your question in Portuguese.

1) Yes, freeradius integrates perfectly with LDAP.

2) Which LDAP base are you using? OpenLDAP, Active Directory???

3) How is your ldap file configured? That is where you define the LDAP
search tree.

4) From where are you trying to authenticate?? Windows, Linux, Mac
(or are you testing with the radtest and eapol_test utilities)?

5) To help, post the debug output of your freeradius here (just run
freeradius with the command "freeradius -X").

With that information I believe I can help you.


Cheers.

Regards,

On 21 March 2011 at 18:04, Usuário do Sistema wrote:

> Hello everyone, I'm dificult with freeradius and LDAP.
>
> the user autheticate only it's work when I put in the user file
> User-Password clear text as follow.
>
> "maicon.pereira"Cleartext-Password := "meleca"
> Reply-Message = "Hello, %{User-Name}"
> however, my integration between Freeradius and Ldap it isn't working.
>
> My question is: there is possible to make the intragation?? because I've
> read that freeradius needs supply to ldap User-Password clear text.
>
> it's true ??
>
> I wish to use the ldap as database authetication.
>
>
> thank!
>
>
>
>
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
João Paulo de Lima Barbosa
Fone: (45) 9938-8399
Blog: http://joao.us
Twitter: @joaocdc

"The mistake of those who hold power is to put up barriers so that no one can
reach them, which encourages us to seek every way we can find to reach them."
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius Ldap

2011-03-21 Thread Sven Hartge
Usuário do Sistema  wrote:

> Hello everyone, I'm dificult with freeradius and LDAP.

> the user autheticate only it's work when I put in the user file
> User-Password clear text as follow.

> "maicon.pereira"Cleartext-Password := "meleca"
>Reply-Message = "Hello, %{User-Name}"
> however, my integration between Freeradius and Ldap it isn't working.

> My question is: there is possible to make the intragation?? because
> I've read that freeradius needs supply to ldap User-Password clear
> text.

> it's true ??

That depends. If you want to use _any_ Challenge-Handshake auth method
like MSCHAPv2 for wireless LAN you need to supply a cleartext password.

If you only want to use PAP, you can keep using ldap_bind() and an
encrypted/hashed password.

>[-- text/html, encoding quoted-printable, charset: ISO-8859-1, 30 lines --]

Ugh.

Regards,
Sven.

-- 
Sig lost. Core dumped.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius Ldap

2011-03-22 Thread Usuário do Sistema
Hello everyone,

After a long time my freeradius is working with LDAP.

The problem was that I hadn't installed Samba.

My aim is to use freeradius to authenticate my wireless users with
EAP-TLS. As I'm using MSCHAP, the attributes SambaNTPassword and
SambaLMPassword are necessary, so it is necessary to install Samba and LDAP.

I'm using freeradius version 2.1.7 on Red Hat Enterprise 5.6.

Thanks Joaocdc!!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + ldap

2006-04-26 Thread Phil Mayers

ludovic cailleau wrote:

> Good morning,
>
> I send this email because I don't found my error about freeradius + ldap.
>
> I think I have an error of the userPassword at the request 7.

Please don't send mails directly to me. I'm not a personal helpline. The
mailing list is the appropriate place.


Looking below, you see:

> rlm_ldap: user VoisinC authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type System
> auth: type "System"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> modcall[authenticate]: module "unix" returns notfound for request 0
> modcall: group authenticate returns notfound for request 0
> auth: Failed to validate the user.

Something is setting Auth-Type to System. It's probably this, higher up:

> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module "files" returns ok for request 0

Fix your config and it will work.

 
> You can see the output of radiusd -X:
>
> Can you help me?
>
> Thanks a lot
Starting - reading configuration files ...

reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = "10.49.0.101"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=adminlp,o=crt"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "azerty"
ldap: basedn = "o=crt"
ldap: filter = "(&(objectclass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "userPassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_x

Re: freeradius + ldap

2006-05-02 Thread Alan DeKok
ludovic cailleau <[EMAIL PROTECTED]> wrote:
>   I have made a configuration but it does not run.

  Read the FAQ for comments like "it doesn't work".

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius + ldap

2006-05-03 Thread Alan DeKok
ludovic cailleau <[EMAIL PROTECTED]> wrote:
> Yes I have read the FAQ. But I haven't find my error.
>
>   When I make "radiusd -X" I have this log (log.radiusd)

  Which contains the problem:

> rlm_eap: processing type mschapv2
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 7
> WARNING! Asked to process empty group. Returning reject.

  You edited the configuration of the server to break it.  Don't do
that.

  The default configuration works.  Use it.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius + ldap

2006-05-04 Thread ludovic cailleau
Sorry, but I don't understand. Can you explain it to me?

Thanks

Alan DeKok <[EMAIL PROTECTED]> wrote:
> ludovic cailleau <[EMAIL PROTECTED]> wrote:
> > Yes I have read the FAQ. But I haven't find my error.
> >
> > When I make "radiusd -X" I have this log (log.radiusd)
>
> Which contains the problem:
>
> > rlm_eap: processing type mschapv2
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group Auth-Type for request 7
> > WARNING! Asked to process empty group. Returning reject.
>
> You edited the configuration of the server to break it. Don't do
> that.
>
> The default configuration works. Use it.
>
> Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius + ldap

2006-05-04 Thread Alan DeKok
ludovic cailleau <[EMAIL PROTECTED]> wrote:
> I send radius.conf, if it can help you to answer me.

  What part of my message was unclear?  You edited radiusd.conf
without understanding what the side effects were.  As a result, the
server no longer works.

  The solution is for you to NOT edit radiusd.conf unless you
understand what will happen when you make those edits.

  Alan Dekok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius + ldap

2006-05-04 Thread ludovic cailleau
I understand the side effects when I edit radius.conf, because I have
already made an 802.11x authentication for wireless. But with users files.
And this configuration works perfectly.

But now I would like to use LDAP for authentication. But it doesn't work.

Ludovic cailleau

Alan DeKok <[EMAIL PROTECTED]> wrote:
> ludovic cailleau <[EMAIL PROTECTED]> wrote:
> > I send radius.conf, if it can help you to answer me.
>
> What part of my message was unclear? You edited radiusd.conf
> without understanding what the side effects were. As a result, the
> server no longer works.
>
> The solution is for you to NOT edit radiusd.conf unless you
> understand what will happen when you make those edits.
>
> Alan Dekok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius + ldap

2006-05-04 Thread Alan DeKok
ludovic cailleau <[EMAIL PROTECTED]> wrote:
> I understand the side effects when I edit radius.conf, because I
> have already make a 802.11x authentifacation for wireless.  But with
> users files. And this configuration works perfectly.

  The error message you saw happens ONLY if you edit the configuration
file, and configure the server to do *nothing* for authentication.
Since you said this isn't what you wanted, my conclusion is you didn't
understand the side effect of the "edit config to make it do nothing"
work you did.

>But now I would like use Ldap for authentification.

  LDAP doesn't do EAP, and LDAP doesn't do MS-CHAP.  You CANNOT use
LDAP for wireless authentication.  You can ONLY use the LDAP module in
the "authorize" stage.

  The problem is you are making large changes to the servers's config
without understanding what you're doing.  Instead, you should be
making the *smallest* possible changes to the server to get what you
want.

  The default config works, and has examples of where you should list
LDAP.  Follow those examples, and use the default config.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius + ldap

2006-05-05 Thread ludovic cailleau
Ok, I mixed myself up between the modules 'authenticate' and 'authorize'.
Now it is clearer!

I used the default config, changed a little part, and now it works perfectly.

Thank you very much Alan Dekok

Ludovic Cailleau
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

NoCat + FreeRadius + LDAP

2005-02-02 Thread Chan Min Wai
Greeting,

I'm trying to setup a computer with the above configuration.

Anyone know about how to pass the NoCat Attribute of (Member) back to
the NoCat Gateway?

I've got this in the radtest

Vendor-32767-Attr-1 = 0x4d656d626572
Idle-Timeout = 300
Anyone know if I'm on the right track?


This is the NoCat Dictionary files

VENDOR          NoCat               32767
BEGIN-VENDOR    NoCat
ATTRIBUTE       NoCat-Groups        1   string  # Space delimited list of groups
ATTRIBUTE       NoCat-Groups-Admin  2   string  # Space delimited list of groups user is admin of
END-VENDOR      NoCat



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
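The raw pair `Vendor-32767-Attr-1 = 0x4d656d626572` that radtest printed is exactly what a RADIUS Vendor-Specific attribute (RFC 2865, attribute 26) looks like when the server has no dictionary entry for the vendor: the bytes `4d 65 6d 62 65 72` are the ASCII string "Member", so the value is on the right track. The following encoder/decoder is an added example, not code from NoCat or FreeRADIUS; it uses the vendor id and attribute numbers from the dictionary in the post and a constructed group value.

```python
"""Encode and decode one RADIUS Vendor-Specific attribute (RFC 2865 sec. 5.26).

Added example, not NoCat or FreeRADIUS code. Wire layout:
  type=26 (1) | length (1) | vendor-id (4, high octet 0) |
  vendor-type (1) | vendor-length (1, counts these two bytes) | value
This handles one sub-attribute per VSA, which is the common case.
"""
import struct

VSA_TYPE = 26

# Dictionary taken from the NoCat dictionary file in the post.
NOCAT = {"vendor": 32767,
         "attrs": {1: "NoCat-Groups", 2: "NoCat-Groups-Admin"}}


def encode_vsa(vendor_id, vendor_type, value):
    """Build the AVP bytes for a string-valued vendor attribute."""
    if isinstance(value, str):
        value = value.encode()
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    if 6 + len(inner) > 255:                      # AVP length is one octet
        raise ValueError("value too long for a single VSA")
    return struct.pack("!BBI", VSA_TYPE, 6 + len(inner), vendor_id) + inner


def decode_vsa(avp, dictionary=None):
    """Return (name, value); name falls back to Vendor-<id>-Attr-<n>
    and value to hex when the dictionary does not know the vendor."""
    if len(avp) < 8:
        raise ValueError("too short for a VSA")
    atype, alen, vendor_id = struct.unpack("!BBI", avp[:6])
    if atype != VSA_TYPE or alen != len(avp):
        raise ValueError("not a well-formed VSA")
    vtype, vlen = avp[6], avp[7]
    if vlen != alen - 6:
        raise ValueError("vendor length does not match AVP length")
    value = avp[8:alen]
    if (dictionary and dictionary["vendor"] == vendor_id
            and vtype in dictionary["attrs"]):
        return dictionary["attrs"][vtype], value.decode()
    return f"Vendor-{vendor_id}-Attr-{vtype}", "0x" + value.hex()


if __name__ == "__main__":
    avp = encode_vsa(32767, 1, "Member")          # constructed reply item
    print(decode_vsa(avp))                       # no dictionary: raw form
    print(decode_vsa(avp, NOCAT))                # with dictionary: NoCat-Groups = Member
```

Loading the NoCat dictionary into the server's dictionary set is what turns the first form of output into the second; the bytes on the wire are the same either way.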


Re: freeradius + LDAP

2005-02-23 Thread Anderson Alves de Albuquerque



Look at this:
http://www.lh.freeradius.org/radiusd/doc/ldap_howto.txt

On Wed, 23 Feb 2005, anderson souza wrote:

>  Good morning to all!!
> > 
> > He/she would like to know some of the friends
> > he/she knows some referring documentation
> > the poptop implementation + freeradius + LDAP or even
> > same a possible "road of the stones" for
> > the configuration in the debian sarge!!!
> > 
> > at once I thank attention of all...
> > 
> > Att.
> > Anderson
> >
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius + LDAP

2005-02-23 Thread Lou Moore
uffix) 
Module: Loaded files 
 files: usersfile =
"/opt/freeradius-1.0.1/etc/raddb/users"
 files: acctusersfile =
"/opt/freeradius-1.0.1/etc/raddb/acct_users"
 files: preproxy_usersfile =
"/opt/freeradius-1.0.1/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Segmentation Fault (core dumped)


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius Ldap

2005-09-23 Thread Linus van Geuns
Cris Boisvert wrote:
> I'm setting up freeradius to talk to a Ipswitch Imail server for
> authetication.
> 
> Just needs to do the basic  User  Pass... Ok.
> 
> 
[..]
> A snippet of the config.
> ---
> ldap {
> server = "192.168.77.6"
> #identity = "cn=root,o=My Org,c=UA"
> #password = test1234
> basedn = "o=My Org,c=UA"
> #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> # base_filter = "(objectclass=radiusprofile)"
> 
> # set this to 'yes' to use TLS encrypted connections
> __--
> 
[..]
> Below is  a Cut form radiusd -X debug..
> 
> Anyone have any reccomendations>?
> 
> 
> 
>   modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "[EMAIL PROTECTED]" with password "test"
> radius_xlat:  '([EMAIL PROTECTED])'
> radius_xlat:  'o=My Org,c=UA'

Do you really have an object with attribute iud="[EMAIL PROTECTED]"?
I think you should split the username with delimiter '@', so you search
for uid=test,dc=pork,dc=com (or similiar).

But if you have such objects, try ldap_debug=0x between ldap { } in
your radiusd.conf.

Linus van Geuns.


signature.asc
Description: OpenPGP digital signature
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

freeradius/ldap documentation

2004-01-02 Thread Dustin Doris
Would like to let everyone know that I have some documentation up about
using freeradius w/ ldap auth and autz.  The URL is
http://doris.cc/radius.

Hope that may help anyone that is looking to use freeradius w/ ldap.

-Dusty Doris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius + ldap

2004-01-14 Thread Alan DeKok
Joe Hetrick <[EMAIL PROTECTED]> wrote:
> After some thought, I changed my crypt in the LDIF to something else, 
> first SSHA, and then MD5, and all of a sudden
> auth worked (with both).  Clearly I have a probem with CRYPT...

  I recall something a while ago about link ordering with crypt on
*BSD.  Something about another library (maybe OpenSSL) supplying a
crypt which over-rode the BSD crypt, but didn't do the same thing.

  It sounds like the same problem to me.

> It wouldn't be a big deal, except I have many crypt'd PW's I'd intended 
> on migrating into my directory that I would like  radius to auth 
> against.

  You should be able to get it to work, but you've got to figure out a
way to get the dynamic linker on your system to give FreeRADIUS
the *correct* version of crypt.  Maybe LD_PRELOAD will help here...

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius ldap connector

2007-03-06 Thread [EMAIL PROTECTED]
Hello,
I use the freeradius 1.0.1 LDAP connector to query an LDAP directory.
I notice that freeradius tries 6 times to find a user in my LDAP directory when
this user doesn't exist.
Is there a way to make freeradius try only one time?
Thanks
Thomas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius + Ldap + attributes

2008-08-29 Thread Ivan Kalik
Yes. Add the reply attributes to ldap.attrmap.

Ivan Kalik
Kalik Informatika ISP


On 28/8/2008, "Ivan ." <[EMAIL PROTECTED]> writes:

>Hi
>
>I have Freeradius configured with a backend of OpenLdap for user management.
>
>I would like to be able to pass attributes for Nortel and Juniper
>gear, which when statically defining users in user file is done via:
>
>user  Auth-type:=Local, User-Password := "test"
>Juniper-Local-User-Name ="DEV",
>Service-Type = Administrative-User
>
>Is there a way to pass these attributes when using Ldap for user management?
>
>thanks
>Ivan
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + Ldap + attributes

2008-08-31 Thread Ivan .
Hi

Any chance you can provide the actual syntax of what's required?

replyItem  Service-Type Administrative-User
replyItem  Juniper-Local-User-Name   DEV

Sorry, a bit of a novice freeradius user.

thanks
Ivan


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + Ldap + attributes

2008-09-01 Thread Ivan Kalik
>any chance you can provide the actual syntax of whats required?

Syntax is the same as for other entries:

replyItem radiusAttribute ldapAttribute

so something like:

replyItem Service-Type radiusServiceType
replyItem Juniper-Local-User-Name juniperLocalName

>replyItem  Service-Type Administrative-User
>replyItem  Juniper-Local-User-Name   DEV
>

This is wrong. Values should be placed into ldap attribute fields in user
profile. You will need to add those new attributes to ldap schema as
well.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
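To make the point of the last two replies concrete, here is an added example (not FreeRADIUS code) that reimplements the mapping rlm_ldap performs with ldap.attrmap: each `replyItem` line names a RADIUS attribute and the LDAP attribute that supplies its value, and the value itself lives in the user's directory entry. The LDAP attribute names `radiusServiceType` and `juniperLocalName` and the sample entry are constructed; the "wrong" map is the one from the question, and the code shows why it produces nothing.

```python
"""ldap.attrmap-style mapping from an LDAP entry to RADIUS reply items.

Added example, not FreeRADIUS code. Line format as in ldap.attrmap:
    <checkItem|replyItem>  <RADIUS attribute>  <LDAP attribute>
'#' starts a comment. The LDAP attribute names below are constructed.
"""

ATTRMAP = """
# checkItem/replyItem   RADIUS attribute          LDAP attribute
checkItem   Auth-Type                radiusAuthType
checkItem   Simultaneous-Use         radiusSimultaneousUse
replyItem   Service-Type             radiusServiceType
replyItem   Juniper-Local-User-Name  juniperLocalName
"""

# The map from the question: the third field is read as an LDAP
# attribute *name*, not a value, so these never match an entry.
WRONG_MAP = """
replyItem   Service-Type             Administrative-User
replyItem   Juniper-Local-User-Name  DEV
"""

# Constructed user entry as the directory would return it (the values
# belong here, in the entry, not in the map).
LDAP_ENTRY = {
    "uid": ["ivan"],
    "radiusServiceType": ["Administrative-User"],
    "juniperLocalName": ["DEV"],
}


def parse_attrmap(text):
    """Return [(kind, radius_attr, ldap_attr), ...], skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("checkItem", "replyItem"):
            raise ValueError(f"bad attrmap line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def map_entry(attrmap, entry):
    """Build (check_items, reply_items) from an LDAP entry."""
    check, reply = [], []
    for kind, radius_attr, ldap_attr in attrmap:
        # An LDAP attribute the entry lacks simply contributes nothing.
        for value in entry.get(ldap_attr, []):
            target = check if kind == "checkItem" else reply
            target.append((radius_attr, value))
    return check, reply


def reply_items(attrmap_text=ATTRMAP, entry=LDAP_ENTRY):
    """Reply pairs the server would add for this user."""
    return map_entry(parse_attrmap(attrmap_text), entry)[1]


if __name__ == "__main__":
    print(reply_items())              # Service-Type and Juniper-Local-User-Name
    print(reply_items(WRONG_MAP))     # [] : no such LDAP attributes
```

As the reply notes, the LDAP attributes on the right-hand side must also exist in the directory schema before entries can carry them.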


Re: Freeradius LDAP problem

2007-08-30 Thread Alan DeKok
George Beitis wrote:
> I have a problem.  I set up freeradius to use a local ldap server to
> authenticate a user.  When i say authenticate i mean check if the user
> is there, check their password, and accept or reject them.  When i do
> such an authentication i get a message from freeradius saying that user
> is authorised successfully but when it goes to the authentication
> section it uses a unix module, fails and rejects the user.  I tried
> commenting in the post auth ldap section, and commented it out again but
> nothing.  Does the authorized successfully part mean the user is there
> but cant compare the passwords or something?

  The documentation covers this.

  It also covers what information is needed when you ask a question on
the list.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius LDAP problem

2007-08-30 Thread tnt
>users: Matched entry DEFAULT at line 153
..
>  rad_check_password:  Found Auth-Type System
>auth: type "System"

It's picking up Auth-Type System from users file. Comment out that entry.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius LDAP problem

2007-08-30 Thread Alan DeKok
George Beitis wrote:
...
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...

  The LDAP database doesn't contain the "known good" password for the user.

> rlm_ldap: user gb85 authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
>   rad_check_password:  Found Auth-Type System
> auth: type "System"

  This is taken from the "users" file.

>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   modcall[authenticate]: module "unix" returns notfound for request 0

  The user isn't in /etc/passwd.

  The server can't authenticate the user if it doesn't know what the
users correct password is.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
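The same failure recurs in three threads on this page (Josip Rodin's note that the LDAP module "defers to any other Auth-Type", Phil Mayers' and Ivan Kalik's "comment out the DEFAULT entry", and Alan DeKok's walk-through just above). The following added example is a small model of that behaviour, not FreeRADIUS code: modules in `authorize` run in order, a `users` file DEFAULT entry with `Auth-Type := System` wins because it runs first and `:=` overrides, rlm_ldap sets Auth-Type only if nothing set it, and in `authenticate` Auth-Type System means the unix module, which fails for a user who is not in /etc/passwd. The user names, passwords and stores are constructed.

```python
"""Model of how Auth-Type is chosen in the FreeRADIUS authorize stage.

Added example, not FreeRADIUS code. Only the behaviour discussed in the
threads is modelled; everything else (real module list, operators other
than ':=' and '=', reply items) is left out. Data stores are constructed.
"""

LDAP_DIRECTORY = {"gb85": "ldap-pw"}   # uid -> password the bind accepts
ETC_PASSWD = {"root"}                  # local accounts the unix module knows

# The users-file DEFAULT entry the threads tell people to comment out.
DEFAULT_SYSTEM_ENTRY = [("DEFAULT", [("Auth-Type", ":=", "System")])]


def users_file(control, request, entries):
    """rlm_files model: first matching entry wins, DEFAULT matches everyone.
    ':=' always sets the item; '=' sets it only if it is not set yet."""
    for name, checks in entries:
        if name in ("DEFAULT", request["User-Name"]):
            for attr, op, value in checks:
                if op == ":=" or attr not in control:
                    control[attr] = value
            return "ok"
    return "noop"


def ldap_authorize(control, request, set_auth_type=True):
    """rlm_ldap model: user must exist; Auth-Type only set if still unset."""
    if request["User-Name"] not in LDAP_DIRECTORY:
        return "notfound"
    if set_auth_type and "Auth-Type" not in control:
        control["Auth-Type"] = "LDAP"      # defers to any earlier Auth-Type
    return "ok"


def authenticate(control, request):
    """authenticate-section model: dispatch on the Auth-Type chosen above."""
    auth_type = control.get("Auth-Type")
    if auth_type is None:
        return "reject: No authenticate method (Auth-Type) found"
    if auth_type == "System":              # rlm_unix: /etc/passwd users only
        if request["User-Name"] in ETC_PASSWD:
            return "accept"
        return "reject: unix notfound"
    if auth_type == "LDAP":                # rlm_ldap: bind as the user
        if LDAP_DIRECTORY.get(request["User-Name"]) == request["User-Password"]:
            return "accept"
        return "reject: bind failed"
    return f"reject: no handler for Auth-Type {auth_type}"


def run(request, users_entries):
    """authorize = files, then ldap (the default order); then authenticate."""
    control = {}
    users_file(control, request, users_entries)
    ldap_authorize(control, request)
    return control.get("Auth-Type"), authenticate(control, request)


if __name__ == "__main__":
    req = {"User-Name": "gb85", "User-Password": "ldap-pw"}
    print(run(req, DEFAULT_SYSTEM_ENTRY))   # ('System', 'reject: unix notfound')
    print(run(req, []))                     # ('LDAP', 'accept')
```

The two calls at the bottom reproduce the before and after of "comment out that entry": the request and the directory are identical, only the users-file entry differs.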


freeradius + ldap + cisco sslvpn

2008-01-21 Thread satish patel
Dear all

  I have a requirement for SSL VPN authentication with freeradius + 
ldap server. Is there anyone who has worked on freeradius + ldap, or authentication 
with grouping and other features...


$ cat ~/satish/url.txt  

http://www.linuxbug.org
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Freeradius + Ldap + SSL/TLS

2011-06-28 Thread RATSIMIVEH Remi
Hi,

I installed freeradius on a Debian machine. I have my users in LDAP
and I use that directory for authentication. But when I want
to use SSL or TLS for the connections between radius and ldap, I get this error
in the radius log (Freeradius -X):

-
 [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.corporate.com:1793, authentication 0
  [ldap] setting TLS CACert File to /etc/freradius/certs/RootCA.pem
  [ldap] setting TLS CACert Directory to /etc/freeradius/certs/
  [ldap] setting TLS Cert File to /etc/freeradius/certs/RootCA.crt
  [ldap] setting TLS Key File to /etc/freeradius/certs/SSLSubCA.pem
  [ldap] setting TLS Key File to /etc/freeradius/certs/
  [ldap] bind as uid=...,dc=...,dc=...,dc=.../pssword to
ldap.corporate.com:1793
  [ldap] waiting for bind result ...
  [ldap] ldap_result()
  [ldap] uid=...,dc=...,dc=...,dc=.../pssword to
ldap.corporate.com:1793failed: timeout
  [ldap] (re)connection attempt failed
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
-

I have in ldap.conf:

ldap {
    server = "ldap.corporate.com"
    port = 1793
    ...
    tls {
        # cacertfile   = /path/to/cacert.pem
        # cacertdir    = /path/to/certs/
        # certfile     = /path/to/radius.crt
        # keyfile      = /path/to/radius.key
        # randfile     = /path/to/rnd
        # require_cert = "demand"

        cacertfile   = /etc/freradius/certs/RootCA.pem
        cacertdir    = /etc/freeradius/certs/
        certfile     = /etc/freeradius/certs/RootCA.crt
        keyfile      = /etc/freeradius/certs/SSLSubCA.pem
        randfile     = /etc/freeradius/certs/
        require_cert = "allow"
    }
}

Another team manages this corporate LDAP.
That team asked me to import the Corporate.Root.CA and Corporate.SSL.CA to
be able to make SSL connections.
According to them, my radius server doesn't use SSL connections. I don't know where
to put them...
Sorry for my English, French replies will be accepted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
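Several things in the `tls {}` block above are worth checking before chasing the timeout. The added example below (not FreeRADIUS code) parses the `key = value` lines of that block and reports what a reviewer would flag: `certfile`/`keyfile` pointing at CA material rather than this server's own client certificate and key, `randfile` pointing at a directory, a `cacertfile` that is not inside `cacertdir` (which here exposes the `freradius` spelling), and `require_cert = "allow"`, which, like OpenLDAP's `TLS_REQCERT allow`, lets the session proceed even when the server certificate is absent or fails verification, so the imported CA certificates would not actually authenticate the LDAP server. The CA-material test is a file-name heuristic; the corrected block and its file names are constructed.

```python
"""Lint the tls {} block of an rlm_ldap configuration.

Added example, not FreeRADIUS code. Parses 'key = value' lines (quoted
or not, '#' comments ignored) and returns (key, message) findings.
The CA-material check is a file-name heuristic. Sample blocks below:
SAMPLE is the block from the post, CORRECTED is constructed.
"""
import os
import re

SAMPLE = """
tls {
    cacertfile   = /etc/freradius/certs/RootCA.pem
    cacertdir    = /etc/freeradius/certs/
    certfile     = /etc/freeradius/certs/RootCA.crt
    keyfile      = /etc/freeradius/certs/SSLSubCA.pem
    randfile     = /etc/freeradius/certs/
    require_cert = "allow"
}
"""

CORRECTED = """
tls {
    cacertfile   = /etc/freeradius/certs/RootCA.pem
    cacertdir    = /etc/freeradius/certs/
    certfile     = /etc/freeradius/certs/radius.crt   # this server's cert
    keyfile      = /etc/freeradius/certs/radius.key   # and its private key
    randfile     = /etc/freeradius/certs/rnd
    require_cert = "demand"                           # verify the LDAP server
}
"""

CA_LIKE = re.compile(r"ca\.(pem|crt|cer|der)$|rootca|subca", re.IGNORECASE)


def parse_block(text):
    """Return {key: value} for every 'key = value' line in the block."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*?)"?\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def lint_tls(settings):
    """Return a list of (key, message) findings; [] means nothing flagged."""
    findings = []
    if settings.get("require_cert") not in ("demand", "hard"):
        findings.append(("require_cert",
                         "not 'demand'/'hard': a missing or unverifiable server "
                         "certificate is accepted, so the CA files do not "
                         "authenticate the LDAP server"))
    for key in ("certfile", "keyfile"):
        name = os.path.basename(settings.get(key, ""))
        if name and CA_LIKE.search(name):
            findings.append((key, f"'{name}' looks like CA material; {key} should "
                                  "be this RADIUS server's own client cert/key"))
    if ("certfile" in settings) != ("keyfile" in settings):
        findings.append(("certfile/keyfile",
                         "client certificate and private key must be set together"))
    if settings.get("randfile", "").endswith("/"):
        findings.append(("randfile", "points to a directory, not a file of random data"))
    cafile, cadir = settings.get("cacertfile"), settings.get("cacertdir")
    if cafile and cadir and os.path.dirname(cafile) != cadir.rstrip("/"):
        findings.append(("cacertfile",
                         f"'{cafile}' is not inside cacertdir '{cadir}'; "
                         "check the path for a typo"))
    return findings


if __name__ == "__main__":
    for key, msg in lint_tls(parse_block(SAMPLE)):
        print(f"{key}: {msg}")
    print("corrected block:", lint_tls(parse_block(CORRECTED)) or "no findings")
```

None of these checks touch the file system, so the linter says nothing about whether the files exist or whether the certificate and key actually match; it only catches the configuration-level mistakes visible in the text.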

FreeRadius LDAP OID Numbering

2012-04-26 Thread Peter Lambrechtsen
A question for Alan, or others on the list.

There is the FR LDAP Schema LDIF file to import FreeRadius related schema
into your LDAP directory.

Searching around it seems that OID 1.3.6.1.4.1.3317.4.3.1 up to 68 is
allocated.

http://permalink.gmane.org/gmane.comp.freeradius.devel/6134

Who "owns" the OID and I could ask to get 69 registered formally?

I would like to add the LDAP Attribute "radiusFramedPool" for Framed-Pool
VSA

Should I just build a DIFF and submit it to the list, or is there an owner
of the OID numbering who I would need to contact?

Cheers

Peter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alan DeKok
Douglas Macedo wrote:
> i'm trying configure a VPN Server with PPTP, using the 'radiusclient',
> to connect on a FreeRadius, with auth in a LDAP Server.
> 
> I "finished" the configure, but when a try connect with a client Windows
> XP, don't work.
> 
> The radiusd -X output:

  The client is doing CHAP, and the LDAP database only has NT passwords
in it.  It is impossible to get this to work.

http://deployingradius.com/documents/protocols/compatibility.html

> The result of 'radtest':

  Which does PAP authentication.  The above web page shows that the
combination of PAP and NT passwords will work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
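Sven Hartge's answer earlier on this page (PAP can keep using an LDAP bind or a hashed password, challenge methods need the cleartext) and Alan DeKok's reply just above (CHAP against NT hashes cannot work, PAP against NT hashes can) are two views of the same compatibility rule. The added example below is not FreeRADIUS code; it implements enough of PAP and CHAP (RFC 1994) on both the client and server side to show why: with PAP the server holds the submitted password and can check it against a one-way {SSHA} hash, while with CHAP it must recompute MD5(id || password || challenge) and therefore needs the cleartext. MS-CHAPv2 follows the same pattern with the NT hash in place of the cleartext and is not implemented here. The user password, salt and challenge are constructed.

```python
"""Which stored-password form can verify which RADIUS auth protocol.

Added example, not FreeRADIUS code. Stored forms: 'Cleartext-Password'
or an OpenLDAP-style '{SSHA}' hash. Protocols: PAP and CHAP (RFC 1994).
All user data below is constructed.
"""
import base64
import hashlib
import os


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def chap_response(chap_id, password, challenge):
    """RFC 1994: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


# --- client side: what the Access-Request carries ----------------------
def pap_request(password):
    # User-Password is hidden with the shared secret on the wire, but the
    # server recovers the password itself.
    return {"User-Password": password}


def chap_request(password, chap_id, challenge):
    # Only a hash over challenge and password leaves the client.
    return {"CHAP-Challenge": challenge,
            "CHAP-Password": bytes([chap_id]) + chap_response(chap_id, password, challenge)}


# --- server side: what it can do with each stored form -----------------
def server_check(request, stored):
    """stored is {'Cleartext-Password': pw} or {'SSHA': '{SSHA}...'}."""
    if "User-Password" in request:                       # PAP
        pw = request["User-Password"]
        if "Cleartext-Password" in stored:
            return pw == stored["Cleartext-Password"]
        return ssha_verify(stored["SSHA"], pw)           # or: ldap bind as the user
    if "CHAP-Password" in request:                       # CHAP
        if "Cleartext-Password" not in stored:
            return False        # hash only: the response cannot be recomputed
        chap_id = request["CHAP-Password"][0]
        expected = chap_response(chap_id, stored["Cleartext-Password"],
                                 request["CHAP-Challenge"])
        return request["CHAP-Password"][1:] == expected
    raise ValueError("unsupported authentication method")


def compatibility(password="s3cret-example"):
    """Try every (protocol, stored form) pair; returns {pair: accepted}."""
    stores = {"Cleartext-Password": {"Cleartext-Password": password},
              "SSHA": {"SSHA": ssha_hash(password, salt=b"\x01\x02\x03\x04")}}
    challenge = bytes(range(16))                         # constructed challenge
    requests = {"PAP": pap_request(password),
                "CHAP": chap_request(password, 7, challenge)}
    return {(proto, form): server_check(req, store)
            for proto, req in requests.items()
            for form, store in stores.items()}


if __name__ == "__main__":
    for (proto, form), ok in compatibility().items():
        print(f"{proto:4} vs {form:18}: {'accept' if ok else 'reject'}")
```

The only rejected pair with the correct password is CHAP against the hash-only store, which is the situation both replies describe; the remedy is either a protocol the store supports (PAP) or a stored form the protocol supports (cleartext, or the NT hash for MS-CHAP).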


Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Douglas Macedo
Alan,

how I can fix that?

Thanks in advance,
Douglas




-- 
Douglas Macedo
[EMAIL PROTECTED]
--
An individual's intelligence is measured by the amount of uncertainty
he is able to bear.
(Immanuel Kant)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alan DeKok
Douglas Macedo wrote:
> how I can fix that?

  Read the web page.  It tells you.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Douglas Macedo
Sorry Alan,

but the web page says that it doesn't work. It's impossible? Correct?

So, how can I fix that another way?

My pptp-options:

==
epiderme:/etc/ppp# cat pptpd-options
name pptpd
refuse-pap
##refuse-chap
require-chap
##refuse-mschap
require-mschap
require-mschap-v2
require-mppe-128
proxyarp
nodefaultroute
debug
lock
nobsdcomp
plugin radius.so
#plugin radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf
auth
==

And my radiusd.conf:

==
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests  = no
$INCLUDE  ${confdir}/clients.conf
snmp= no
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
}
ldap {
server = "ldap.telemedicina.ufsc.br"
identity = "cn=Manager,dc=telemedicina,dc=ufsc,dc=br"
password = "XXX"
basedn = "ou=Users,dc=telemedicina,dc=ufsc,dc=br"
filter = "(&(objectClass=posixAccount)(uid=%u))"

start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
password_header = "{Cleartext-Password}"
password_attribute = sambaNTPassword
timeout = 4
timelimit = 3
net_timeout = 1
compare_check_items = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
compat = no
}
detail {
detailfile =
${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
e

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alexandre Chapellon
Try forcing the Windows PPTP client to use mschapv2.

On 26.11.2008 09:15, Douglas Macedo wrote:
> Sorry Alan,
>
> but the webpage says that it doesn't work. It's impossible, correct?
>
> So, how can I fix that another way?
>
> My pptp-options:
>
> ==
> epiderme:/etc/ppp# cat pptpd-options
> name pptpd
> refuse-pap
> ##refuse-chap
> require-chap
> ##refuse-mschap
> require-mschap
> require-mschap-v2
> require-mppe-128
> proxyarp
> nodefaultroute
> debug
> lock
> nobsdcomp
> plugin radius.so
> #plugin radattr.so
> radius-config-file /etc/radiusclient/radiusclient.conf
> auth
> ==
>
> And my radiusd.conf:
>
> ==
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = ${prefix}/etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = ${exec_prefix}/lib
> pidfile = ${run_dir}/radiusd.pid
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = *
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions= yes
> log_stripped_names = no
> log_auth = yes
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = no
> }
> proxy_requests  = no
> $INCLUDE  ${confdir}/clients.conf
> snmp= no
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> }
> modules {
> pap {
> encryption_scheme = crypt
> }
> chap {
> authtype = CHAP
> }
> unix {
> cache = no
> cache_reload = 600
> radwtmp = ${logdir}/radwtmp
> }
> mschap {
> authtype = MS-CHAP
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> }
> ldap {
> server = "ldap.telemedicina.ufsc.br"
> identity = "cn=Manager,dc=telemedicina,dc=ufsc,dc=br"
> password = "XXX"
> basedn = "ou=Users,dc=telemedicina,dc=ufsc,dc=br"
> filter = "(&(objectClass=posixAccount)(uid=%u))"
>
> start_tls = no
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> password_header = "{Cleartext-Password}"
> password_attribute = sambaNTPassword
> timeout = 4
> timelimit = 3
> net_timeout = 1
> compare_check_items = no
> }
> realm suffix {
> format = suffix
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> checkval {
> item-name = Calling-Station-Id
> check-name = Calling-Station-Id
> data-type = string
> }
> preprocess {
> huntgroups = ${confdir}/huntgroups
> hints = ${confdir}/hints
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> }
> files {
> usersfile = ${confdir}/users
> compat = no
> }
> detail {
> detailfile =
> ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> detailperm = 0600
> }
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
> }
> radutmp {
> filename = ${logdir}/radutmp
> username = %{User-Name}
> case_sensitive = yes
> check_with_nas = yes
> perm = 0600
> callerid = "yes"
> }
> radutmp sradutmp {
> filename = ${logdir}/sradutmp
> perm = 0644
> callerid = "no"
> }
> attr_filter {
> attrsfile = ${confdir}/attrs
> }
> counter daily {
> filename = ${raddbdir}/db.daily
> key = User-Name
> count-attribute = Acct-Session-Time
> reset = daily
> counter-name = Daily-Session-Time
> check-name = Max-Daily-Session
>   

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alan DeKok
Douglas Macedo wrote:
> but the webpage says that it doesn't work. It's impossible, correct?

  Since I wrote that web page... I won't disagree with it.

> So, how can I fix that another way?

  Do you have questions about the suggestions on the web page?

> My pptp-options:
> 
> ==
> epiderme:/etc/ppp# cat pptpd-options
> name pptpd
> refuse-pap
> ##refuse-chap
> require-chap
> ##refuse-mschap
> require-mschap
> require-mschap-v2

  Hmm... maybe some of those configuration options could help PPTP meet
the requirements listed on the web page?

  Please read the PPTP documentation for additional information.

  Alan DeKok.


Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Douglas Macedo
Alexandre,

if I try mschapv2 in the Windows client:

--
rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46,
length=52
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "nobody"
NAS-IP-Address = 1.1.1.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched entry DEFAULT at line 198
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nobody
radius_xlat:  '(&(objectClass=posixAccount)(uid=nobody))'
radius_xlat:  'ou=Users,dc=telemedicina,dc=ufsc,dc=br'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.telemedicina.ufsc.br:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=telemedicina,dc=ufsc,dc=br/ckf45c to
ldap.telemedicina.ufsc.br:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Users,dc=telemedicina,dc=ufsc,dc=br, with
filter (&(objectClass=posixAccount)(uid=nobody))
rlm_ldap: Password header not found in password
5A88C11C0EDC83D3DEA6AE1A0653E889 for user nobody
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNtPassword as NT-Password, value
5A88C11C0EDC83D3DEA6AE1A0653E889 & op=21
rlm_ldap: Adding sambaLmPassword as LM-Password, value
89E0B38AC380D2B8AAD3B435B51404EE & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nobody authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nobody authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: No clear-text password in the request.  Not performing PAP.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [nobody] (from client access-vpn port 0)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--

Any idea?

Thanks in advance,
Douglas

On Wed, Nov 26, 2008 at 5:27 PM, Alexandre Chapellon <
[EMAIL PROTECTED]> wrote:

>  Try forcing the Windows PPTP client to use mschapv2.
>
> On 26.11.2008 09:15, Douglas Macedo wrote:
>
> Sorry Alan,
>
> but the webpage says that it doesn't work. It's impossible, correct?
>
> So, how can I fix that another way?
>
> My pptp-options:
>
> ==
> epiderme:/etc/ppp# cat pptpd-options
> name pptpd
> refuse-pap
> ##refuse-chap
> require-chap
> ##refuse-mschap
> require-mschap
> require-mschap-v2
> require-mppe-128
> proxyarp
> nodefaultroute
> debug
> lock
> nobsdcomp
> plugin radius.so
> #plugin radattr.so
> radius-config-file /etc/radiusclient/radiusclient.conf
> auth
> ==
>
> And my radiusd.conf:
>
> ==
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = ${prefix}/etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
> log_file = ${logdir}/radius.log
> libdir = ${exec_prefix}/lib
> pidfile = ${run_dir}/radiusd.pid
> max_request_time = 30
> delete_blocked_requests = no
> cleanup_delay = 5
> max_requests = 1024
> bind_address = *
> port = 0
> hostname_lookups = no
> allow_core_dumps = no
> regular_expressions = yes
> extended_expressions= yes
> log_stripped_names = no
> log_auth = yes
> log_auth_badpass = no
> log_auth_goodpass = no
> usercollide = no
> lower_user = no
> lower_pass = no
> nospace_user = no
> nospace_pass = no
> checkrad = ${sbindir}/checkrad
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = no
> }
> proxy_requests  = no
> $INCLUDE  ${confdir}/clients.conf
> snmp= no
> thread poo

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alexandre Chapellon


On 26.11.2008 09:32, Douglas Macedo wrote:
> Alexandre,
>
> if I try mschapv2 in the Windows client:
>
> --
> rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46, length=52
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "nobody"
> NAS-IP-Address = 1.1.1.1 
> NAS-Port = 0

Did you truncate the Access-Request before posting??? There is no
information about the CHAP challenge, so there is no way freeradius can handle
it with rlm_chap...

Additionally, your pptp config seems strange to me.
You *REQUIRE* chap + mschap + mschapv2!!! Shouldn't a requirement be
unique? I would just keep require mschapv2 (and so force the win client to use it).
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched entry DEFAULT at line 198
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for nobody
> radius_xlat:  '(&(objectClass=posixAccount)(uid=nobody))'
> radius_xlat:  'ou=Users,dc=telemedicina,dc=ufsc,dc=br'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.telemedicina.ufsc.br:389, authentication 0
> rlm_ldap: bind as cn=Manager,dc=telemedicina,dc=ufsc,dc=br/ckf45c to
> ldap.telemedicina.ufsc.br:389 
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=Users,dc=telemedicina,dc=ufsc,dc=br,
> with filter (&(objectClass=posixAccount)(uid=nobody))
> rlm_ldap: Password header not found in password
> 5A88C11C0EDC83D3DEA6AE1A0653E889 for user nobody
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding sambaNtPassword as NT-Password, value
> 5A88C11C0EDC83D3DEA6AE1A0653E889 & op=21
> rlm_ldap: Adding sambaLmPassword as LM-Password, value
> 89E0B38AC380D2B8AAD3B435B51404EE & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user nobody authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
> rlm_pap: Normalizing NT-Password from hex encoding
> rlm_pap: Normalizing LM-Password from hex encoding
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user nobody authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
> rlm_realm: No '@' in User-Name = "nobody", looking up realm NULL
> rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 1
> rlm_pap: Normalizing NT-Password from hex encoding
> rlm_pap: Normalizing LM-Password from hex encoding
> rlm_pap: No clear-text password in the request.  Not performing PAP.
>   modcall[authorize]: module "pap" returns noop for request 1
> modcall: leaving group authorize (returns ok) for request 1
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> Login incorrect: [nobody] (from client access-vpn port 0)
> Delaying request 1 for 1 seconds
> Finished request 1
> Going to the next request
> --
>
> Any idea?
>
> Thanks in advance,
> Douglas
>
> On Wed, Nov 26, 2008 at 5:27 PM, Alexandre Chapellon
> <[EMAIL PROTECTED] > wrote:
>
> Try forcing the Windows PPTP client to use mschapv2.
>
> On 26.11.2008 09:15, Douglas Macedo wrote:
>> Sorry Alan,
>>
>> but the webpage says that it doesn't work. It's impossible, correct?
>>
>> So, how can I fix that another way?
>>
>> My pptp-options:
>>
>> ==
>> epiderme:/etc/ppp# cat pptpd-options
>> name pptpd
>> refuse-pap
>> ##refuse-chap
>> require-chap
>> ##refuse-mschap
>> require-mschap
>> require-mschap-v2
>> require-mppe-128
>> proxyarp
>> nodefaultroute
>> debug
>> lock
>> nobsdcomp
>> plugin radius.so
>> #plugin radattr.so
>> radius-config-file /etc/radiusclient/radiusclient.conf
>> auth
>> ==
>>
>> And my radiusd.conf:
>>
>> ==
>> prefix = /usr/local
>> exec_prefix = ${prefix}
>> sysconfdir = ${prefix}/etc
>> localstatedir = /var
>> sbindir = ${exec_prefix}/sbin
>> logdir 

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread Alan DeKok
Douglas Macedo wrote:
> Any idea?

  Use a recent version of the server.

  Alan DeKok.


Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread tnt
>if I try mschapv2 in the Windows client:
>
>--
>rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46,
>length=52
>Service-Type = Framed-User
>Framed-Protocol = PPP
>User-Name = "nobody"
>NAS-IP-Address = 1.1.1.1
>NAS-Port = 0

This is not an mschap request.

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#How_do_I_make_Windows_XP_clients_use_only_PAP_.28Not_CHAP.29

In your case, leave only mschapv2. That will force Windows to use it (if
mschapv2 is not enabled on the pptp server connection will fail without
authentication).

Ivan Kalik
Kalik Informatika ISP

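The distinction Ivan draws above (an Access-Request that carries only User-Name, NAS-IP-Address and NAS-Port has no credential in it, so FreeRADIUS has nothing to authenticate) can be checked mechanically, and so can Alan's earlier point that CHAP cannot be verified against an NT hash while PAP and MS-CHAP can. The following Python is an added example, not code from this thread or from FreeRADIUS: it parses the attribute lines of a `radiusd -X` request dump, names the method the credential attributes imply, and checks that method against the password format stored in the directory. The sample dumps are constructed; the first mirrors the request posted above, the other two are invented with placeholder values.

```python
import re

# Attribute that carries the credential -> authentication method it implies.
# The MS-CHAP ones are Microsoft vendor-specific attributes (RFC 2548).
CREDENTIAL_ATTRS = {
    "User-Password": "PAP",
    "CHAP-Password": "CHAP",
    "MS-CHAP-Response": "MS-CHAP",
    "MS-CHAP2-Response": "MS-CHAP",
}

# Stored password formats each method can be verified against: CHAP needs the
# cleartext password, MS-CHAP needs cleartext or an NT hash, PAP can be checked
# against any of them (the compatibility rule cited earlier in the thread).
COMPATIBLE = {
    "PAP": {"Cleartext-Password", "NT-Password", "LM-Password", "Crypt-Password"},
    "CHAP": {"Cleartext-Password"},
    "MS-CHAP": {"Cleartext-Password", "NT-Password"},
}

ATTR_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$")


def parse_access_request(debug_text):
    """Attributes of the first Access-Request in radiusd -X output."""
    attrs = {}
    in_packet = False
    for line in debug_text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            in_packet = True
            continue
        if not in_packet:
            continue
        m = ATTR_LINE.match(line)
        if m is None:
            break  # first line that is not "Attr = value" ends the packet dump
        name, value = m.group(1), m.group(2).strip()
        if name == "length":  # mail-wrapped tail of the rad_recv header line
            continue
        attrs[name] = value.strip('"')
    return attrs


def classify_request(attrs):
    """Method implied by the credential attributes, or None if there is none."""
    found = {method for attr, method in CREDENTIAL_ATTRS.items() if attr in attrs}
    if not found:
        return None
    if len(found) > 1:
        raise ValueError("request mixes credential types: %s" % sorted(found))
    return found.pop()


def compatible(method, stored_format):
    """True when `method` can be verified against a `stored_format` entry."""
    return stored_format in COMPATIBLE.get(method, set())


def diagnose(debug_text, stored_format):
    """One-line verdict for a request dump and the directory's password format."""
    method = classify_request(parse_access_request(debug_text))
    if method is None:
        return "no credential attribute: the NAS is not sending PAP, CHAP or MS-CHAP"
    verdict = "can" if compatible(method, stored_format) else "cannot"
    return "%s against %s: %s be verified" % (method, stored_format, verdict)


# Constructed samples: the first mirrors the request posted in the thread,
# the other two are invented and use placeholder values.
NO_CREDENTIAL_REQUEST = """\
rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46,
length=52
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "nobody"
NAS-IP-Address = 1.1.1.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
"""

PAP_REQUEST = """\
rad_recv: Access-Request packet from host 127.0.0.1:40001, id=3, length=57
User-Name = "douglas"
User-Password = "placeholder"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
"""

MSCHAP_REQUEST = """\
rad_recv: Access-Request packet from host 1.1.1.1:32900, id=9, length=150
User-Name = "douglas"
MS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff
MS-CHAP2-Response = 0x0100aabbccddeeff00112233445566778899aabbccddeeff
NAS-IP-Address = 1.1.1.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
"""

if __name__ == "__main__":
    for dump in (NO_CREDENTIAL_REQUEST, PAP_REQUEST, MSCHAP_REQUEST):
        print(diagnose(dump, "NT-Password"))
```

Run against the thread's own situation (sambaNTPassword in LDAP, so `"NT-Password"`), the first dump yields the "no credential attribute" verdict, which is exactly the case where the fix lies in pppd's RADIUS plugin and not in radiusd.conf.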


Re: PPTP + FreeRadius + LDAP

2008-11-27 Thread Douglas Macedo
Hey guys,

I forced the Windows client to use only mschap2, but the problem continues:

-
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 150.162.67.254:32858, id=109,
length=53
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "douglas"
NAS-IP-Address = 1.1.1.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "douglas", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [douglas] (from client access-vpn port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--

The PPTP debug shows:

--
Nov 27 11:35:39 epiderme pptpd[12253]: MGR: Launching /usr/sbin/pptpctrl to
handle client
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: local address = 150.162.67.200
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: remote address = 150.162.67.201
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: pppd options file =
/etc/ppp/pptpd-options
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: Client 150.162.67.54 control
connection started
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: Received PPTP Control Message
(type: 1)
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: Made a START CTRL CONN RPLY
packet
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: I wrote 156 bytes to the
client.
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: Sent packet to client
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: Received PPTP Control Message
(type: 7)
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: Set parameters to 1
maxbps, 64 window size
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: Made a OUT CALL RPLY packet
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: Starting call (launching pppd,
opening GRE)
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: pty_fd = 6
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: tty_fd = 7
Nov 27 11:35:39 epiderme pptpd[12254]: CTRL (PPPD Launcher): program binary
= /usr/sbin/pppd
Nov 27 11:35:39 epiderme pptpd[12254]: CTRL (PPPD Launcher): local address =
150.162.67.200
Nov 27 11:35:39 epiderme pptpd[12254]: CTRL (PPPD Launcher): remote address
= 150.162.67.201
Nov 27 11:35:39 epiderme pppd[12254]: Plugin radius.so loaded.
Nov 27 11:35:39 epiderme pppd[12254]: RADIUS plugin initialized.
Nov 27 11:35:39 epiderme pppd[12254]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so
loaded.
Nov 27 11:35:39 epiderme pppd[12254]: pptpd-logwtmp: $Version$
Nov 27 11:35:39 epiderme pppd[12254]: pppd 2.4.4 started by root, uid 0
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: I wrote 32 bytes to the client.
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: Sent packet to client
Nov 27 11:35:39 epiderme pppd[12254]: using channel 291
Nov 27 11:35:39 epiderme pppd[12254]: Using interface ppp0
Nov 27 11:35:39 epiderme pppd[12254]: Connect: ppp0 <--> /dev/pts/1
Nov 27 11:35:39 epiderme pppd[12254]: sent [LCP ConfReq id=0x1 ]
Nov 27 11:35:39 epiderme pptpd[12253]: GRE: Bad checksum from pppd.
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: Received PPTP Control Message
(type: 15)
Nov 27 11:35:39 epiderme pptpd[12253]: CTRL: Got a SET LINK INFO packet with
standard ACCMs
Nov 27 11:35:39 epiderme pptpd[12253]: GRE: accepting packet #0
Nov 27 11:35:39 epiderme pptpd[12253]: GRE: accepting packet #1
Nov 27 11:35:39 epiderme pppd[12254]: rcvd [LCP ConfReq id=0x0 
   ]
Nov 27 11:35:39 epiderme pppd[12254]: sent [LCP ConfRej id=0x0 ]
Nov 27 11:35:39 epiderme pppd[12254]: rcvd [LCP ConfAck id=0x1 ]
Nov 27 11:35:39 epiderme pptpd[12253]: GRE: accepting packet #2
Nov 27 11:35:39 epiderme pppd[12254]: rcvd [LCP ConfReq id=0x1 
  ]
Nov 27 11:35:39 epiderme pppd[12254]: sent [LCP ConfAck id=0x1 
  ]
Nov 27 11:35:39 epiderme pppd[12254]: sent [LCP EchoReq id=0x0
magic=0x7ba9ed09]
Nov 27 11:35:39 epiderme pppd[12254]: sent [CHAP Challenge id=0xed
, name = "pptpd"]
Nov 27 11:35:39 epiderme pptpd[12253]: GRE: accepting packet #3
Nov 27 11:35:39 epiderme pptpd[12253]: GRE: accepting packet #4
Nov 27 11:35:39 epiderme pptpd[12253]: GRE: accepting packet #5
Nov 27 11:35:39 epiderme pppd[12254]: rcvd [LCP Ident id=0x2
magic=0x2f814697 "MSRASV5.10"]
Nov 27 11:35:39 epiderme pppd[12254]: rcvd [LCP Ident id=0x3
magic=0x2f814697 "MSRAS-0-MOLAR"]
Nov 27 11:35:39 epiderme pppd[12254]: rcvd [LCP Ident id=0x2
magic=0x2f814697 "MSRASV5.10"]
Nov 27 11:35:39 epiderme pppd[12254]: rcvd [LCP Ident id=0x3
magic=0x2f814697 "MSRAS-0-MOLAR"]
Nov 27 11:35:39 epiderme pppd[12254]: rcvd [LCP EchoRep id=0x0
magic=0

Re: PPTP + FreeRadius + LDAP

2008-11-27 Thread tnt
>I forced the Windows client to use only mschap2, but the problem continues:
>
>-
>Module: Instantiated radutmp (radutmp)
>Listening on authentication *:1812
>Listening on accounting *:1813
>Ready to process requests.
>rad_recv: Access-Request packet from host 150.162.67.254:32858, id=109,
>length=53
>Service-Type = Framed-User
>Framed-Protocol = PPP
>User-Name = "douglas"
>NAS-IP-Address = 1.1.1.1
>NAS-Port = 0

This has nothing to do with freeradius. I don't see your NAS sending
mschap attributes.

>The PPTP debug shows:
>
..
>Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown attribute 11
>Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown attribute 25

Has your radius client got the mschap dictionary?

Ivan Kalik
Kalik Informatika ISP



Re: PPTP + FreeRadius + LDAP

2008-11-27 Thread Douglas Macedo
Hey TNT,

On Thu, Nov 27, 2008 at 2:54 PM, <[EMAIL PROTECTED]> wrote:

> >I forced the Windows client to use only mschap2, but the problem continues:
> >
> >-
> >Module: Instantiated radutmp (radutmp)
> >Listening on authentication *:1812
> >Listening on accounting *:1813
> >Ready to process requests.
> >rad_recv: Access-Request packet from host 150.162.67.254:32858, id=109,
> >length=53
> >Service-Type = Framed-User
> >Framed-Protocol = PPP
> >User-Name = "douglas"
> >NAS-IP-Address = 1.1.1.1
> >NAS-Port = 0
>
> This has nothing to do with freeradius. I don't see your NAS sending
> mschap attributes.
>

How can I fix that? Where do I configure that?


>
> >The PPTP debug shows:
> >
> ..
> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown attribute 11
> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown attribute 25
>
> Has your radius client got the mschap dictionary?
>

I'm using Debian's RadiusClient1.

--
epiderme:/etc/radiusclient# ls -l
total 52
-rw-r--r-- 1 root root  6502 2008-11-26 13:10 dictionary
-rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
-rw-r--r-- 1 root root  1517 2006-10-29 08:54 dictionary.compat
-rw-r--r-- 1 root root   599 2006-10-29 08:54 dictionary.merit
-rw-r--r-- 1 root root   135 2006-10-29 08:54 issue
-rw-r--r-- 1 root root   410 2006-10-29 08:54 port-id-map
-rw-r--r-- 1 root root  2630 2008-11-24 15:24 radiusclient.conf
-rwxr-xr-x 1 root root  2621 2008-11-24 13:33 radiusclient.conf.EPI
-rw--- 1 root root   272 2008-11-24 13:12 servers
--

--
epiderme:/etc/radiusclient# cat radiusclient.conf
auth_order  radius,local
login_tries 4
login_timeout   60
nologin /etc/nologin
issue   /etc/radiusclient/issue
authserver  ldap.telemedicina.ufsc.br
acctserver  ldap.telemedicina.ufsc.br
servers /etc/radiusclient/servers
dictionary  /etc/radiusclient/dictionary
login_radius/usr/sbin/login.radius
seqfile /var/run/radius.seq
mapfile /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3
login_local /bin/login
--


But I didn't find the attributes for MS-CHAP:

--
epiderme:/etc/radiusclient# cat dictionary | grep MS-CHAP
epiderme:/etc/radiusclient# cat dictionary | grep MSCHAP
epiderme:/etc/radiusclient# cat dictionary | grep mschap
--

Just for CHAP:

--
epiderme:/etc/radiusclient# cat dictionary | grep -i chap
ATTRIBUTE   CHAP-Password   3   string
ATTRIBUTE   Chap-Challenge  60  string
--

Is that correct?

Thanks a lot in advance,
Douglas


>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Douglas Macedo
[EMAIL PROTECTED]
--
The intelligence of an individual is measured by the amount of uncertainty
he is capable of bearing.
(Immanuel Kant)

Re: PPTP + FreeRadius + LDAP

2008-11-27 Thread Alexandre Chapellon


On 27.11.2008 07:17, Douglas Macedo wrote:
> Hey TNT,
>
> On Thu, Nov 27, 2008 at 2:54 PM, <[EMAIL PROTECTED]
> > wrote:
>
> >I forced the Windows client to use only mschap2, but the problem
> continues:
> >
> >-
> >Module: Instantiated radutmp (radutmp)
> >Listening on authentication *:1812
> >Listening on accounting *:1813
> >Ready to process requests.
> >rad_recv: Access-Request packet from host 150.162.67.254:32858
> , id=109,
> >length=53
> >Service-Type = Framed-User
> >Framed-Protocol = PPP
> >User-Name = "douglas"
> >NAS-IP-Address = 1.1.1.1 
> >NAS-Port = 0
>
> This has nothing to do with freeradius. I don't see your NAS sending
> mschap attributes.
>
>
> How can I fix that? Where do I configure that?
>  
>
>
> >The PPTP debug shows:
> >
> ..
> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown
> attribute 11
> >Nov 27 11:35:39 epiderme pppd[12254]: rc_avpair_new: unknown
> attribute 25
>
> Has your radius client got the mschap dictionary?
>
>
> I'm using the RadiusClient1 of Debian.
>
> --
> epiderme:/etc/radiusclient# ls -l
> total 52
> -rw-r--r-- 1 root root  6502 2008-11-26 13:10 dictionary
> -rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
> -rw-r--r-- 1 root root  1517 2006-10-29 08:54 dictionary.compat
> -rw-r--r-- 1 root root   599 2006-10-29 08:54 dictionary.merit
> -rw-r--r-- 1 root root   135 2006-10-29 08:54 issue
> -rw-r--r-- 1 root root   410 2006-10-29 08:54 port-id-map
> -rw-r--r-- 1 root root  2630 2008-11-24 15:24 radiusclient.conf
> -rwxr-xr-x 1 root root  2621 2008-11-24 13:33 radiusclient.conf.EPI
> -rw--- 1 root root   272 2008-11-24 13:12 servers
> --

Copy the microsoft dictionary from your freeradius install to your pptp
server, and add it to the dictionary list.
Additionally (this may not be related to your problem), having multiple
require- in the pptpd config is nonsense; if you want to
enable multiple protocols for authentication, use +pap, +chap,
+mschap instead of require-...

>
> --
> epiderme:/etc/radiusclient# cat radiusclient.conf
> auth_order  radius,local
> login_tries 4
> login_timeout   60
> nologin /etc/nologin
> issue   /etc/radiusclient/issue
> authserver  ldap.telemedicina.ufsc.br
> 
> acctserver  ldap.telemedicina.ufsc.br
> 
> servers /etc/radiusclient/servers
> dictionary  /etc/radiusclient/dictionary
> login_radius/usr/sbin/login.radius
> seqfile /var/run/radius.seq
> mapfile /etc/radiusclient/port-id-map
> default_realm
> radius_timeout  10
> radius_retries  3
> login_local /bin/login
> --
>
>
> But I didn't find the attributes for MS-CHAP:
>
> --
> epiderme:/etc/radiusclient# cat dictionary | grep MS-CHAP
> epiderme:/etc/radiusclient# cat dictionary | grep MSCHAP
> epiderme:/etc/radiusclient# cat dictionary | grep mschap
> --
>
> Just for CHAP:
>
> --
> epiderme:/etc/radiusclient# cat dictionary | grep -i chap
> ATTRIBUTE   CHAP-Password   3   string
> ATTRIBUTE   Chap-Challenge  60  string
> --
>
> Is that correct?
No, you need the MS-CHAP attributes.
>
> Thanks a lot in advance,
> Douglas
>  
>
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
>
> -- 
> Douglas Macedo
> [EMAIL PROTECTED] 
> --
> The intelligence of an individual is measured by the amount of uncertainty
> he is capable of bearing.
> (Immanuel Kant)
> 
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
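Ivan's question ("has your radius client got the mschap dictionary?") and Alexandre's answer above (copy FreeRADIUS's dictionary.microsoft next to the radiusclient dictionary and INCLUDE it) can be verified before restarting pppd. The following Python is an added example, not radiusclient's or FreeRADIUS's own code: it parses a radiusclient-style dictionary, follows INCLUDE lines, and reports whether the Microsoft vendor attributes MS-CHAPv2 needs are defined. The attribute numbers 11 and 25 that pppd logged as unknown are the RFC 2548 numbers of MS-CHAP-Challenge and MS-CHAP2-Response under vendor id 311. The file contents are constructed stand-ins written in the FreeRADIUS VENDOR/BEGIN-VENDOR layout; whether a given radiusclient build accepts that exact layout is an assumption to check against its own dictionary syntax.

```python
import posixpath

MICROSOFT_VENDOR_ID = 311  # RFC 2548

# Microsoft attributes pppd's RADIUS plugin emits for MS-CHAPv2 (RFC 2548 ids);
# 11 and 25 are the numbers the pptpd log above reported as unknown.
REQUIRED_MSCHAP_ATTRS = {
    "MS-CHAP-Challenge": 11,
    "MS-CHAP2-Response": 25,
}


def parse_dictionary(files, path):
    """Return {(vendor_id, attr_id): (name, type)} for the dictionary at `path`,
    following INCLUDE / $INCLUDE lines. `files` maps path -> file text so the
    parser runs on in-memory samples; swap in open().read() for real files."""
    attrs, vendors, seen = {}, {}, set()

    def load(p):
        if p in seen:
            return  # guard against include loops
        seen.add(p)
        if p not in files:
            raise FileNotFoundError(p)
        vendor = 0  # 0 = standard (non vendor-specific) attribute
        for raw in files[p].splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            tokens = line.split()
            kw = tokens[0].upper()
            if kw in ("INCLUDE", "$INCLUDE"):
                inc = tokens[1]
                if not inc.startswith("/"):
                    inc = posixpath.join(posixpath.dirname(p), inc)
                load(inc)
            elif kw == "VENDOR":
                vendors[tokens[1]] = int(tokens[2])
            elif kw == "BEGIN-VENDOR":
                vendor = vendors[tokens[1]]
            elif kw == "END-VENDOR":
                vendor = 0
            elif kw == "ATTRIBUTE":
                name, number, typ = tokens[1], int(tokens[2]), tokens[3]
                # radiusclient-ng style: optional trailing vendor name
                v = vendors.get(tokens[4], vendor) if len(tokens) > 4 else vendor
                attrs[(v, number)] = (name, typ)

    load(path)
    return attrs


def missing_mschap_attributes(attrs):
    """Names of the required MS-CHAP attributes absent from a parsed dictionary."""
    return sorted(name for name, num in REQUIRED_MSCHAP_ATTRS.items()
                  if (MICROSOFT_VENDOR_ID, num) not in attrs)


def name_for_unknown(number):
    """Map an 'rc_avpair_new: unknown attribute N' number to the attribute name."""
    for name, num in REQUIRED_MSCHAP_ATTRS.items():
        if num == number:
            return name
    return None


# Constructed stand-ins for /etc/radiusclient (not the thread's real files):
# the stock dictionary knows CHAP only; dictionary.microsoft adds the VSAs.
SAMPLE_FILES = {
    "/etc/radiusclient/dictionary": """\
ATTRIBUTE   User-Name       1   string
ATTRIBUTE   User-Password   2   string
ATTRIBUTE   CHAP-Password   3   string
ATTRIBUTE   NAS-IP-Address  4   ipaddr
ATTRIBUTE   Chap-Challenge  60  string
INCLUDE /etc/radiusclient/dictionary.merit
""",
    "/etc/radiusclient/dictionary.merit": """\
ATTRIBUTE   NAS-Port-Type   61  integer
""",
    "/etc/radiusclient/dictionary.microsoft": """\
VENDOR      Microsoft       311
BEGIN-VENDOR    Microsoft
ATTRIBUTE   MS-CHAP-Response    1   octets
ATTRIBUTE   MS-CHAP-Challenge   11  octets
ATTRIBUTE   MS-MPPE-Send-Key    16  octets
ATTRIBUTE   MS-MPPE-Recv-Key    17  octets
ATTRIBUTE   MS-CHAP2-Response   25  octets
END-VENDOR  Microsoft
""",
}


def check_before_and_after():
    """Missing MS-CHAP attributes before and after INCLUDE-ing the Microsoft file."""
    before = parse_dictionary(SAMPLE_FILES, "/etc/radiusclient/dictionary")
    fixed = dict(SAMPLE_FILES)
    fixed["/etc/radiusclient/dictionary"] += "INCLUDE /etc/radiusclient/dictionary.microsoft\n"
    after = parse_dictionary(fixed, "/etc/radiusclient/dictionary")
    return missing_mschap_attributes(before), missing_mschap_attributes(after)


if __name__ == "__main__":
    print(check_before_and_after())
```

The before/after pair reproduces the two states in the thread: with only the stock dictionary both MS-CHAP attributes are reported missing, which is what pppd's "unknown attribute 11/25" lines mean; once dictionary.microsoft is INCLUDEd the list is empty.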

Re: PPTP + FreeRadius + LDAP

2008-11-27 Thread Douglas Macedo
Hey,

I copied the dictionary to /etc/radiusclient. But now the connections don't
reach the Radius server.

--
epiderme:/etc/radiusclient# ls -l
total 68
-rw-r--r-- 1 root root  6593 2008-11-27 15:02 dictionary
-rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
-rw-r--r-- 1 root root  1517 2006-10-29 08:54 dictionary.compat
-rw-r--r-- 1 root root   646 2008-11-27 14:20 dictionary.merit
-rw-r--r-- 1 root root   599 2008-11-27 14:20 dictionary.merit.BKP
-rwxr-xr-x 1 root root  3639 2008-11-27 14:42 dictionary.microsoft
-rwxr-xr-x 1 root root  2697 2008-11-27 14:20 dictionary.microsoft.BKP
-rw-r--r-- 1 root root   135 2006-10-29 08:54 issue
-rw-r--r-- 1 root root   410 2006-10-29 08:54 port-id-map
-rw-r--r-- 1 root root   508 2008-11-27 13:29 radiusclient.conf
-rwxr-xr-x 1 root root  2621 2008-11-24 13:33 radiusclient.conf.EPI
-rw-r--r-- 1 root root   435 2008-11-27 12:17 radiusclient.conf.LIMPO
-rw--- 1 root root   272 2008-11-24 13:12 servers
--

And included it in the dictionary:

--
epiderme:/etc/radiusclient# cat dictionary | grep INCLUDE
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft
--

Now, the pptp log:

--
Nov 27 15:14:32 epiderme pptpd[13058]: MGR: Launching /usr/sbin/pptpctrl to
handle client
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: local address = 150.162.67.200
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: remote address = 150.162.67.201
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pppd options file =
/etc/ppp/pptpd-options
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Client 150.162.67.54 control
connection started
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
(type: 1)
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a START CTRL CONN RPLY
packet
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 156 bytes to the
client.
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
(type: 7)
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Set parameters to 1
maxbps, 64 window size
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a OUT CALL RPLY packet
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Starting call (launching pppd,
opening GRE)
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pty_fd = 6
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: tty_fd = 7
Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): program binary
= /usr/sbin/pppd
Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): local address =
150.162.67.200
Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): remote address
= 150.162.67.201
Nov 27 15:14:32 epiderme pppd[13059]: Plugin radius.so loaded.
Nov 27 15:14:32 epiderme pppd[13059]: RADIUS plugin initialized.
Nov 27 15:14:32 epiderme pppd[13059]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so
loaded.
Nov 27 15:14:32 epiderme pppd[13059]: pptpd-logwtmp: $Version$
Nov 27 15:14:32 epiderme pppd[13059]: pppd 2.4.4 started by root, uid 0
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 32 bytes to the client.
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
Nov 27 15:14:32 epiderme pppd[13059]: using channel 322
Nov 27 15:14:32 epiderme pppd[13059]: Using interface ppp0
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
(type: 15)
Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Got a SET LINK INFO packet with
standard ACCMs
Nov 27 15:14:32 epiderme pppd[13059]: Connect: ppp0 <--> /dev/pts/2
Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfReq id=0x1 ]
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: Bad checksum from pppd.
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #0
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x0 
   ]
Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfRej id=0x0 ]
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #1
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfAck id=0x1 ]
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #2
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x1 
  ]
Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfAck id=0x1 
  ]
Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP EchoReq id=0x0
magic=0x35f8d0db]
Nov 27 15:14:32 epiderme pppd[13059]: sent [CHAP Challenge id=0x43
<8643b88179a03fce2ca15689bf84147b>, name = "pptpd"]
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #3
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #4
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #5
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP Ident id=0x2
magic=0x31fa2cf6 "MSRASV5.10"]
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP Ident id=0x3
magic=0x31fa2cf6 "MSRAS-0-MOLAR"]
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP EchoRep id=0x0
magic=0x31fa2cf6]
Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #6
Nov 27 15:14:32 epiderme pppd[13059]: rcvd [CHAP Response id=0x43
<318ca3c0e7f2e099a1f93ed8ca10717e00

Re: PPTP + FreeRadius + LDAP

2008-11-27 Thread Alexandre Chapellon


On 27.11.2008 10:15, Douglas Macedo wrote:
> Hey,
>
> I copied the dictionary to /etc/radiusclient. But now the connections
> don't target the RADIUS server.
> --
> epiderme:/etc/radiusclient# ls -l
> total 68
> -rw-r--r-- 1 root root  6593 2008-11-27 15:02 dictionary
> -rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
> -rw-r--r-- 1 root root  1517 2006-10-29 08:54 dictionary.compat
> -rw-r--r-- 1 root root   646 2008-11-27 14:20 dictionary.merit
> -rw-r--r-- 1 root root   599 2008-11-27 14:20 dictionary.merit.BKP
> -rwxr-xr-x 1 root root  3639 2008-11-27 14:42 dictionary.microsoft
> -rwxr-xr-x 1 root root  2697 2008-11-27 14:20 dictionary.microsoft.BKP
> -rw-r--r-- 1 root root   135 2006-10-29 08:54 issue
> -rw-r--r-- 1 root root   410 2006-10-29 08:54 port-id-map
> -rw-r--r-- 1 root root   508 2008-11-27 13:29 radiusclient.conf
> -rwxr-xr-x 1 root root  2621 2008-11-24 13:33 radiusclient.conf.EPI
> -rw-r--r-- 1 root root   435 2008-11-27 12:17 radiusclient.conf.LIMPO
> -rw--- 1 root root   272 2008-11-24 13:12 servers
> --
>
> And the INCLUDE lines in the dictionary:
>
> --
> epiderme:/etc/radiusclient# cat dictionary | grep INCLUDE
> INCLUDE /etc/radiusclient/dictionary.merit
> INCLUDE /etc/radiusclient/dictionary.microsoft
> --
>
> Now, the pptp log:

Weird! You don't receive requests on RADIUS anymore?

>
> --
> Nov 27 15:14:32 epiderme pptpd[13058]: MGR: Launching
> /usr/sbin/pptpctrl to handle client
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: local address =
> 150.162.67.200 
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: remote address =
> 150.162.67.201 
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pppd options file =
> /etc/ppp/pptpd-options
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Client 150.162.67.54
>  control connection started
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control
> Message (type: 1)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a START CTRL CONN
> RPLY packet
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 156 bytes to the
> client.
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control
> Message (type: 7)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Set parameters to
> 1 maxbps, 64 window size
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a OUT CALL RPLY packet
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Starting call (launching
> pppd, opening GRE)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pty_fd = 6
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: tty_fd = 7
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): program
> binary = /usr/sbin/pppd
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): local
> address = 150.162.67.200 
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): remote
> address = 150.162.67.201 
> Nov 27 15:14:32 epiderme pppd[13059]: Plugin radius.so loaded.
> Nov 27 15:14:32 epiderme pppd[13059]: RADIUS plugin initialized.
> Nov 27 15:14:32 epiderme pppd[13059]: Plugin
> /usr/lib/pptpd/pptpd-logwtmp.so loaded.
> Nov 27 15:14:32 epiderme pppd[13059]: pptpd-logwtmp: $Version$
> Nov 27 15:14:32 epiderme pppd[13059]: pppd 2.4.4 started by root, uid 0
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 32 bytes to the
> client.
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
> Nov 27 15:14:32 epiderme pppd[13059]: using channel 322
> Nov 27 15:14:32 epiderme pppd[13059]: Using interface ppp0
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control
> Message (type: 15)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Got a SET LINK INFO
> packet with standard ACCMs
> Nov 27 15:14:32 epiderme pppd[13059]: Connect: ppp0 <--> /dev/pts/2
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfReq id=0x1
> ]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: Bad checksum from pppd.
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #0
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x0  1400>]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfRej id=0x0
> ]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #1
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfAck id=0x1
> ]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #2
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x1  1400>   ]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfAck id=0x1  1400>   ]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP EchoReq id=0x0
> magic=0x35f8d0db]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [CHAP Challenge id=0x43
> <8643b88179a03fce2ca15689bf84147b>, name = "pptpd"]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #3
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #4
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #5
> 

Re: PPTP + FreeRadius + LDAP

2008-11-27 Thread Douglas Macedo
Alexandre,

that works. The problem is that the dictionaries of radiusclient aren't
correct. The default Microsoft dictionary doesn't work perfectly.

I use this page to modify my dictionary.microsoft:

http://wiki.freeradius.org/PopTop#The_radiusclient_setup_part_.28on_the_Poptop_server.29

Now that's fine!!

Thanks a lot all!! Thanks ..

Cheers,
Douglas

On Thu, Nov 27, 2008 at 6:40 PM, Alexandre Chapellon <
[EMAIL PROTECTED]> wrote:

>
>
> On 27.11.2008 10:15, Douglas Macedo wrote:
>
> Hey,
>
> I copied the dictionary to /etc/radiusclient. But now the connections don't
> target the RADIUS server.
> --
> epiderme:/etc/radiusclient# ls -l
> total 68
> -rw-r--r-- 1 root root  6593 2008-11-27 15:02 dictionary
> -rw-r--r-- 1 root root 12388 2006-10-29 08:54 dictionary.ascend
> -rw-r--r-- 1 root root  1517 2006-10-29 08:54 dictionary.compat
> -rw-r--r-- 1 root root   646 2008-11-27 14:20 dictionary.merit
> -rw-r--r-- 1 root root   599 2008-11-27 14:20 dictionary.merit.BKP
> -rwxr-xr-x 1 root root  3639 2008-11-27 14:42 dictionary.microsoft
> -rwxr-xr-x 1 root root  2697 2008-11-27 14:20 dictionary.microsoft.BKP
> -rw-r--r-- 1 root root   135 2006-10-29 08:54 issue
> -rw-r--r-- 1 root root   410 2006-10-29 08:54 port-id-map
> -rw-r--r-- 1 root root   508 2008-11-27 13:29 radiusclient.conf
> -rwxr-xr-x 1 root root  2621 2008-11-24 13:33 radiusclient.conf.EPI
> -rw-r--r-- 1 root root   435 2008-11-27 12:17 radiusclient.conf.LIMPO
> -rw--- 1 root root   272 2008-11-24 13:12 servers
> --
>
> And the INCLUDE lines in the dictionary:
>
> --
> epiderme:/etc/radiusclient# cat dictionary | grep INCLUDE
> INCLUDE /etc/radiusclient/dictionary.merit
> INCLUDE /etc/radiusclient/dictionary.microsoft
> --
>
> Now, the pptp log:
>
>
> Weird! You don't receive requests on RADIUS anymore?
>
>
>
> --
> Nov 27 15:14:32 epiderme pptpd[13058]: MGR: Launching /usr/sbin/pptpctrl to
> handle client
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: local address =
> 150.162.67.200
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: remote address =
> 150.162.67.201
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pppd options file =
> /etc/ppp/pptpd-options
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Client 150.162.67.54 control
> connection started
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
> (type: 1)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a START CTRL CONN RPLY
> packet
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 156 bytes to the
> client.
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
> (type: 7)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Set parameters to 1
> maxbps, 64 window size
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Made a OUT CALL RPLY packet
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Starting call (launching pppd,
> opening GRE)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: pty_fd = 6
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: tty_fd = 7
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): program binary
> = /usr/sbin/pppd
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): local address
> = 150.162.67.200
> Nov 27 15:14:32 epiderme pptpd[13059]: CTRL (PPPD Launcher): remote address
> = 150.162.67.201
> Nov 27 15:14:32 epiderme pppd[13059]: Plugin radius.so loaded.
> Nov 27 15:14:32 epiderme pppd[13059]: RADIUS plugin initialized.
> Nov 27 15:14:32 epiderme pppd[13059]: Plugin
> /usr/lib/pptpd/pptpd-logwtmp.so loaded.
> Nov 27 15:14:32 epiderme pppd[13059]: pptpd-logwtmp: $Version$
> Nov 27 15:14:32 epiderme pppd[13059]: pppd 2.4.4 started by root, uid 0
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: I wrote 32 bytes to the
> client.
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Sent packet to client
> Nov 27 15:14:32 epiderme pppd[13059]: using channel 322
> Nov 27 15:14:32 epiderme pppd[13059]: Using interface ppp0
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Received PPTP Control Message
> (type: 15)
> Nov 27 15:14:32 epiderme pptpd[13058]: CTRL: Got a SET LINK INFO packet
> with standard ACCMs
> Nov 27 15:14:32 epiderme pppd[13059]: Connect: ppp0 <--> /dev/pts/2
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfReq id=0x1  0x0>]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: Bad checksum from pppd.
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #0
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x0 
>]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfRej id=0x0  CBCP>]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #1
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfAck id=0x1  0x0>]
> Nov 27 15:14:32 epiderme pptpd[13058]: GRE: accepting packet #2
> Nov 27 15:14:32 epiderme pppd[13059]: rcvd [LCP ConfReq id=0x1 
>   ]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP ConfAck id=0x1 
>   ]
> Nov 27 15:14:32 epiderme pppd[13059]: sent [LCP EchoReq id=0x0
> magic=0x3

Re: FreeRADIUS LDAP HOWTO

2009-02-14 Thread Arran Cudbard-Bell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Andrew Hall wrote:
> I'd just like to make other subscribers / searchers / admins
> pulling their hair out aware of the FreeRADIUS LDAP HOWTO available
> here...
>
> http://freeradius.org/radiusd/doc/ldap_howto.txt
>
> For some reason it doesn't seem to be linked to on any main website
> or wiki page - bizarrely including the HOWTO page...
Maybe because it was written 6 years ago, and very few of the
FreeRADIUS 1.* examples will still work with 2.
>
> http://wiki.freeradius.org/HOWTO
>
> Perhaps this can be rectified?
>
> I wish I'd found it earlier !
>
> Thanks.

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmWorMACgkQcaklux5oVKJasgCfTj9TvK9LXeKHugJ8d3C4711V
0cQAnj/btoBsz+Nu/e47+E/Vd95Xjk5U
=nMqf
-END PGP SIGNATURE-



Re: FreeRADIUS LDAP HOWTO

2009-02-14 Thread Andrew Hall
Arran Cudbard-Bell wrote...

> Maybe because it was written 6 years ago, and very few of the
> FreeRADIUS 1.* examples will still work with 2.

I see your point, but why deny users access to this information?

Surely all that's required is a note informing them of this.

I administer a legacy 1.x server so this helped me and may help others.

Perhaps the original author (are they still about?) or someone else
could update this document.

On a similar note does anyone know if O'Reilly plan to update their RADIUS book?

Both that and the LDAP book are now well out of date.


Re: FreeRADIUS LDAP HOWTO

2009-02-14 Thread Alan DeKok
Andrew Hall wrote:
> On a similar note does anyone know if O'Reilly plan to update their RADIUS 
> book?

  They don't.  The book sold well initially (i.e. the first few months).
 After that, people realized it was less than helpful.

  I've been trying to write a book for a while.  I've recently found
someone who can help, so that should shorten the time frame.

  Alan DeKok.


Re: FreeRADIUS LDAP HOWTO

2009-02-15 Thread Mihamina Rakotomandimby (R12y)

Arran Cudbard-Bell wrote:

>> http://freeradius.org/radiusd/doc/ldap_howto.txt
>> For some reason it doesn't seem to be linked to on any main website
>> or wiki page - bizarrely including the HOWTO page...
> Maybe because it was written 6 years ago,


Is someone aware of any up-to-date one?

--
Chef de projet chez Vectoris
http://www.google.com/search?q=mihamina+rakotomandimby
System: xUbuntu 8.10 with almost all from package install


Re: FreeRADIUS LDAP HOWTO

2009-02-15 Thread Alan DeKok
Mihamina Rakotomandimby (R12y) wrote:
> Arran Cudbard-Bell wrote:
>>> http://freeradius.org/radiusd/doc/ldap_howto.txt
>>> For some reason it doesn't seem to be linked to on any main website
>>> or wiki page - bizarrely including the HOWTO page...
>> Maybe because it was written 6 years ago, 
> 
> Is someone aware of any up-to-date one?

  Feel free to submit an updated one.

  Alan DeKok.


Re: FreeRADIUS LDAP HOWTO

2009-02-15 Thread Michael Schwartzkopff
On Monday, 16 February 2009 07:37:10, Alan DeKok wrote:
> Mihamina Rakotomandimby (R12y) wrote:
> > Arran Cudbard-Bell wrote:
> >>> http://freeradius.org/radiusd/doc/ldap_howto.txt
> >>> For some reason it doesn't seem to be linked to on any main website
> >>> or wiki page - bizarrely including the HOWTO page...
> >>
> >> Maybe because it was written 6 years ago,
> >
> > Is someone aware of any up-to-date one?
>
>   Feel free to submit an updated one.
>
>   Alan DeKok.

If I have time I will write something.

Michael.
-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: FreeRADIUS LDAP HOWTO

2009-02-15 Thread Mihamina Rakotomandimby (R12y)

Michael Schwartzkopff wrote:

>>>>> http://freeradius.org/radiusd/doc/ldap_howto.txt
>>>>> For some reason it doesn't seem to be linked to on any main website
>>>>> or wiki page - bizarrely including the HOWTO page...
>>>>
>>>> Maybe because it was written 6 years ago,
>>>
>>> Is someone aware of any up-to-date one?
>>
>>   Feel free to submit an updated one.
>
> If I have time I will write something.


Have you got some draft on which we can begin to work?

--
Chef de projet chez Vectoris
http://www.google.com/search?q=mihamina+rakotomandimby
System: xUbuntu 8.10 with almost all from package install


Re: FreeRADIUS LDAP HOWTO

2009-02-15 Thread Michael Schwartzkopff
On Monday, 16 February 2009 08:46:17, Mihamina Rakotomandimby (R12y) wrote:
> Michael Schwartzkopff wrote:
> > http://freeradius.org/radiusd/doc/ldap_howto.txt
> > For some reason it doesn't seem to be linked to on any main website
> > or wiki page - bizarrely including the HOWTO page...
> 
>  Maybe because it was written 6 years ago,
> >>>
> >>> Is someone aware of any up-to-date one?
> >>
> >>   Feel free to submit an updated one.
> >
> > If I have time I will write something.
>
> Have you got some draft on which we can begin to work?

The best doc I found yet is rlm_ldap.
Years ago I wrote an article for the German Linuxmagazin which later was also 
published in the international journal. See:
http://www.linux-magazine.com/issue/52/Freeradius_802.1X.pdf

But this is for version 1 of FreeRADIUS.

The main difference between both FR versions in respect to LDAP is that nearly 
everything works now by default. Just remove the comments from the ldap 
entries in the config files. No change in the users file needed any more.

About the HOWTO: Nothing up to now. My time is quite limited. Sorry.

Michael.



Re: Secure FreeRADIUS & LDAP

2009-02-20 Thread tnt
># Can freeradius talk to the ldap box using TLS/SSL (ldaps)

Yes. See tls section in ldap module.

># Can freeradius read hashed credentials from the LDAP store and then
>actually use them???

Yes. You will have to enable auto-headers in pap module if you are
storing them with headers in userPassword.

># There may be a requirement to use certificates for auth, can the
>ldap/freeradius module handle certs???

Yes.

Ivan Kalik
Kalik Informatika ISP

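What "hashed credentials with headers in userPassword" means in practice, as an added example that is not part of the thread and not FreeRADIUS code: verify a password against a userPassword value that carries a scheme header, which is the step the pap module performs once it recognises the header. The schemes handled are the OpenLDAP-style {SSHA}, {SHA}, {SMD5}, {MD5} and {CLEAR}, with a bare value treated as clear text; which headers a given FreeRADIUS release accepts is documented in its pap module and is not assumed here. The directory entries and the salt are constructed sample values.

```python
"""Added example: verify a password against a scheme-prefixed LDAP userPassword value.
Not FreeRADIUS code; the scheme set handled is an assumption (OpenLDAP-style headers)."""
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib algorithm, digest length in bytes)
_DIGEST = {"SHA": ("sha1", 20), "SSHA": ("sha1", 20), "MD5": ("md5", 16), "SMD5": ("md5", 16)}


def make_ssha(password, salt=None):
    """Produce an {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_sha(password):
    """Produce an unsalted {SHA} value (legacy form, here only so there is something to verify)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify_user_password(password, stored):
    """True if `password` matches the userPassword value `stored`."""
    pw = password.encode()
    if not stored.startswith("{"):
        # No header: the attribute holds clear text.
        return hmac.compare_digest(stored.encode(), pw)
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode(), pw)
    if scheme not in _DIGEST:
        return False            # unknown scheme: reject, never fall back to clear text
    algo, dlen = _DIGEST[scheme]
    try:
        blob = base64.b64decode(payload, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if scheme in ("SHA", "MD5"):
        return len(blob) == dlen and hmac.compare_digest(hashlib.new(algo, pw).digest(), blob)
    # Salted variants: the digest is the first dlen bytes, the salt is whatever follows.
    if len(blob) <= dlen:
        return False
    digest, salt = blob[:dlen], blob[dlen:]
    return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)


# Constructed directory entries (sample values, not from any real directory).
SAMPLE_ENTRIES = {
    "ldapuser": make_ssha("121212", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08"),
    "legacy": make_sha("121212"),
    "plain": "{CLEAR}121212",
}


def check_login(user, password, entries=SAMPLE_ENTRIES):
    """Look the user up and verify; an unknown user fails the same way as a bad password."""
    return verify_user_password(password, entries.get(user, "{UNKNOWN}"))


if __name__ == "__main__":
    for user in ("ldapuser", "legacy", "plain", "nobody"):
        print(user, check_login(user, "121212"))
```

Two points worth keeping in mind when reading it: comparisons go through `hmac.compare_digest` and an unrecognised scheme is rejected rather than compared as clear text, and this only helps PAP-style authentication. MS-CHAP, as used in the PPTP thread above, needs the clear-text password or its NT hash on the server side, which a salted SHA userPassword cannot supply.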


Re: Secure FreeRADIUS & LDAP

2009-02-20 Thread Dan Hawker
Cool, thanks for the info Ivan. Will give it a go and report back

Thanks again

Dan

2009/2/20  :
>># Can freeradius talk to the ldap box using TLS/SSL (ldaps)
>
> Yes. See tls section in ldap module.
>
>># Can freeradius read hashed credentials from the LDAP store and then
>>actually use them???
>
> Yes. You will have to enable auto-headers in pap module if you are
> storing them with headers in userPassword.
>
>># There may be a requirement to use certificates for auth, can the
>>ldap/freeradius module handle certs???
>
> Yes.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>



-- 
--
Dan Hawker
danhaw...@googlemail.com
07773 348975
--

