Re: FreeRadius error LDAP Authentication
You shouldn't have quotes around your username or domain. You should use

    identity = cn=user,ou=people,dc=domain,dc=it

On 19/07/2013 7:05 PM, Marco Aresu marcoar...@gmail.com wrote:
> Hi All,
>
> I am new to FreeRADIUS. I am moving from Cisco ACS Tacacs to FreeRADIUS. During LDAP configuration I am getting the following error:
>
>     [ldap] bind as cn=User,ou=people,dc=domain,dc=it/Password to ldapserver:636
>     [ldap] waiting for bind result ...
>     [ldap] cn=user,ou=people,dc=domain,dc=it bind to ldapServer:636 failed No such object
>     [ldap] (re)connection attempt failed
>
> Any idea about the error? Below is the LDAP configuration:
>
>     server = ldapserver
>     port = 636
>     identity = cn=user,ou=people,dc=domain,dc=it
>     password = password
>     basedn = dc=domain,dc=it
>     filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>     base_filter = (objectclass=groupofuniquenames)
>
> Thanks
> Marco Aresu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
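What rlm_ldap logs as "bind as ... failed No such object" is an LDAPv3 simple bind whose BindResponse carried resultCode 32 (noSuchObject); libldap just renders the number as that string. The following is an added example, not code from the thread or from FreeRADIUS: a standard-library-only encoder for the BindRequest that the module's identity and password become on the wire, and a decoder for the BindResponse, so the numeric code (and whatever matchedDN or diagnostic text the server attached) can be read directly. The DNs, the password and the sample response are constructed; what a particular server returns for a bind DN it cannot find varies, so the reply is built locally rather than captured.

```python
"""Added example (not code from the thread or from FreeRADIUS): the LDAPv3
simple bind that rlm_ldap performs with its `identity` / `password`, encoded
by hand with the standard library, and a decoder for the BindResponse so the
numeric resultCode behind "No such object" (32) can be read off the wire.
All DNs, passwords and the sample response below are constructed."""

# A few of the result codes named in RFC 4511; 32 is what libldap prints
# as "No such object".
LDAP_RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                     49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int, tag: int = 0x02) -> bytes:
    """INTEGER (or ENUMERATED with tag 0x0A) for non-negative values; an extra
    leading 0x00 is emitted when the top bit would otherwise be set."""
    return tlv(tag, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name LDAPDN, authentication simple [0] OCTET STRING } }.
    The DN goes in verbatim: quotes around it in the config would become
    part of the DN the server is asked to look up."""
    simple = tlv(0x80, password.encode("utf-8"))          # context-specific [0], primitive
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode("utf-8")) + simple)  # [APPLICATION 0]
    return tlv(0x30, ber_int(msg_id) + op)


def bind_response(msg_id: int, code: int, matched_dn: str = "", diag: str = "") -> bytes:
    """BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN,
    diagnosticMessage }. Used here only to construct an offline sample reply."""
    op = ber_int(code, 0x0A) + tlv(0x04, matched_dn.encode("utf-8")) + tlv(0x04, diag.encode("utf-8"))
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, op))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindResponse into its fields."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {"msg_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result": LDAP_RESULT_CODES.get(rc, "other"),
            "matched_dn": matched.decode("utf-8"), "diagnostic": diag.decode("utf-8")}


if __name__ == "__main__":
    req = bind_request(1, "cn=user,ou=people,dc=domain,dc=it", "password")
    print("BindRequest:", req.hex())
    # Constructed reply carrying the thread's error code; servers may also fill matchedDN.
    reply = bind_response(1, 32, matched_dn="dc=domain,dc=it")
    print("BindResponse:", parse_bind_response(reply))
```

Run against a real server the request bytes can be sent over a plain socket on 389; for 636 the same bytes go inside a TLS session, which is the part the module's port setting alone does not establish. A resultCode of 49 (invalidCredentials) rather than 32 would point at the password, not the DN.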
Re: Re: Freeradius 3 LDAP Generic Attributes
The ldap.attrmap syntax in FR2 was:

    checkItem $GENERIC$ radiusCheckItem
    replyItem $GENERIC$ radiusReplyItem

Basically the LDAP attributes radiusCheckItem and radiusReplyItem contained FR attr/value pairs which were then added to the corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could be Primary-DNS-Server := 1.1.1.1).

They wouldn't necessarily need to be distinct check/reply attributes in the new rlm_ldap... it could work more like unlang, where an LDAP attribute value could be control:Disabled := true, and where if the list: portion is omitted it would default to reply. No matter how this happens, there's probably going to need to be a special-case syntax made in the rlm_ldap attribute mapping...

Best Regards,
-Nick
Re: Freeradius 3 LDAP Generic Attributes
On 12 Apr 2013, at 15:00, Nicholas Lemberger nick.lember...@lkfd.net wrote:
> The ldap.attrmap syntax in FR2 was:
>
>     checkItem $GENERIC$ radiusCheckItem
>     replyItem $GENERIC$ radiusReplyItem
>
> Basically the LDAP attributes radiusCheckItem and radiusReplyItem contained FR attr/value pairs which were then added to the corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could be Primary-DNS-Server := 1.1.1.1).
>
> They wouldn't necessarily need to be distinct check/reply attributes in the new rlm_ldap... it could work more like unlang, where an LDAP attribute value could be control:Disabled := true, and where if the list: portion is omitted it would default to reply. No matter how this happens, there's probably going to need to be a special-case syntax made in the rlm_ldap attribute mapping...

I was thinking of just adding a valuepair_attr = blah config item in the ldap config and then doing exactly what you suggested above. It's not much work, I'll take a look at it later today or tomorrow.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Freeradius 3 LDAP Generic Attributes
On 12 Apr 2013, at 15:21, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 12 Apr 2013, at 15:00, Nicholas Lemberger nick.lember...@lkfd.net wrote:
>> The ldap.attrmap syntax in FR2 was:
>>
>>     checkItem $GENERIC$ radiusCheckItem
>>     replyItem $GENERIC$ radiusReplyItem
>>
>> Basically the LDAP attributes radiusCheckItem and radiusReplyItem contained FR attr/value pairs which were then added to the corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could be Primary-DNS-Server := 1.1.1.1).
>>
>> They wouldn't necessarily need to be distinct check/reply attributes in the new rlm_ldap... it could work more like unlang, where an LDAP attribute value could be control:Disabled := true, and where if the list: portion is omitted it would default to reply. No matter how this happens, there's probably going to need to be a special-case syntax made in the rlm_ldap attribute mapping...
>
> I was thinking of just adding a valuepair_attr = blah config item in the ldap config and then doing exactly what you suggested above. It's not much work, I'll take a look at it later today or tomorrow.

Done, but somebody's new xlat parser is segfaulting, so I'd wait until tomorrow for that to be fixed before testing.

-Arran
Re: Freeradius 3 LDAP Generic Attributes
> I've been puttering around with FR3 and haven't been able to figure out how to set up a mapping from LDAP 'radiusReplyItem' / 'radiusCheckItem' attributes to FR3 generic attributes.

I guess if it was useful we could add it back in, there's no real reason not to. Could you remind me what the value format was?

> While we do often create a special LDAP attribute for what we need, the generic attributes in FR2 made testing and certain one-off configurations much quicker.

Ok.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

Please contribute documentation: http://wiki.freeradius.org
Stupidity is a harsh teacher and her lesson is pain
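The value format Nick describes above (an LDAP attribute whose value is itself a FreeRADIUS attribute/operator/value triple, optionally prefixed with the list it belongs to, such as control:Disabled := true, with a missing list: portion meaning reply) is simple enough to parse, and parsing it shows where the "special case" in the attribute mapping has to live. The block below is an added example written for this page, not rlm_ldap's implementation in either FR2 or FR3: a parser for that item syntax and a mapper that sorts the values of one directory entry into per-list buckets the way checkItem $GENERIC$ radiusCheckItem and replyItem $GENERIC$ radiusReplyItem did. The operator set, the accepted list names, the default of control for check items and reply for reply items, and the sample entry are all assumptions made for the example.

```python
"""Added example (not FreeRADIUS code): a parser for the "generic" check/reply
item format discussed in the thread, where one LDAP attribute value carries a
FreeRADIUS attribute/value pair, optionally prefixed with the list it belongs
to (control:Disabled := true), and a mapper that sorts the values of a
directory entry into per-list buckets. Operator set, list names, defaults and
the sample entry are assumptions, not rlm_ldap's actual implementation."""
import re
from collections import defaultdict

# Longest operators first so that ":=" is never split into ":" and "=".
_OPS = [":=", "==", "+=", "!=", ">=", "<=", "=~", "!~", "=*", "!*", "=", ">", "<"]
_ITEM = re.compile(
    r"^\s*(?:(?P<list>[A-Za-z-]+):)?"                      # optional "control:" / "reply:" prefix
    r"(?P<attr>[A-Za-z0-9][A-Za-z0-9.\-]*)\s*"              # Attribute-Name or Vendor-Attr
    r"(?P<op>" + "|".join(re.escape(o) for o in _OPS) + r")\s*"
    r"(?P<value>.*?)\s*$"
)
# Lists an item may name explicitly (assumed set for this example).
KNOWN_LISTS = {"request", "reply", "control", "config", "proxy-request", "proxy-reply"}


def parse_item(text: str, default_list: str = "reply"):
    """Split 'list:Attr op value' into (list, attr, op, value). Unqualified items
    go to default_list, matching the proposal that a missing list: means reply."""
    m = _ITEM.match(text)
    if not m:
        raise ValueError(f"not an attribute pair: {text!r}")
    lst = m.group("list") or default_list
    if lst not in KNOWN_LISTS:
        raise ValueError(f"unknown list {lst!r} in {text!r}")
    value = m.group("value")
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]                                 # drop surrounding quotes
    return lst, m.group("attr"), m.group("op"), value


def map_entry(entry: dict, check_attr="radiusCheckItem", reply_attr="radiusReplyItem"):
    """Mirror FR2's checkItem/replyItem $GENERIC$ mapping: values of the check
    attribute default to the control list, values of the reply attribute to the
    reply list, and an explicit list: prefix overrides either default."""
    lists = defaultdict(list)
    for ldap_attr, default in ((check_attr, "control"), (reply_attr, "reply")):
        for raw in entry.get(ldap_attr, []):
            lst, attr, op, value = parse_item(raw, default)
            lists[lst].append((attr, op, value))
    return dict(lists)


# Constructed directory entry (python-ldap style dict), not taken from a real server.
SAMPLE_ENTRY = {
    "uid": ["nick"],
    "radiusCheckItem": ["Simultaneous-Use := 1", 'Login-Time := "Wk0800-1700"'],
    "radiusReplyItem": ["Primary-DNS-Server := 1.1.1.1", "control:Disabled := true",
                        "Framed-IP-Address = 10.0.0.5", 'Reply-Message += "welcome"'],
}

if __name__ == "__main__":
    for lst, pairs in map_entry(SAMPLE_ENTRY).items():
        for attr, op, value in pairs:
            print(f"{lst}:{attr} {op} {value}")
```

Anything in the directory that can write these attributes can steer the server's control list (Auth-Type, Disabled and the like), so the LDAP ACLs on radiusCheckItem/radiusReplyItem deserve the same scrutiny as those on the password attribute.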
Re: Freeradius with ldap
Marlos Alex wrote:
> I'm in trouble and I think that freeradius is, can anyone help me, I configured the ldap group and created a wireless and want only the users of this group to access my wifi network?

Examples of LDAP group checking are in the FAQ.

Alan DeKok.
Re: Freeradius with ldap
The FAQ gives a *very* basic and less than complete example of using groups. I found an old mailing list entry that might be of help here:

http://lists.freeradius.org/pipermail/freeradius-users/2007-June/019764.html

I'm trying to do something similar and I'm having trouble getting radius to be able to successfully validate a user as part of a group.
Re: FreeRADIUS with LDAP Support
> Hi, I tried to compile FreeRADIUS with LDAP support; however, rlm_ldap has not been compiled. Are libldap-2.4-2 and libldap-dev not sufficient? Do I need to install OpenLDAP?

If you read the output of ./configure, e.g.

    ./configure | grep WARN

you will see what LDAP stuff is required - openldap

alan
Re: FreeRADIUS with LDAP Support
On Thu, Dec 8, 2011 at 9:51 AM, Nick Khamis sym...@gmail.com wrote:
> Hello Everyone,
>
> I tried to compile FreeRADIUS with LDAP support; however, rlm_ldap has not been compiled. Are libldap-2.4-2 and libldap-dev not sufficient? Do I need to install OpenLDAP?

Try libldap2-dev. That's what's in the Build-Depends section of debian/control.

--
Fajar
Re: FreeRADIUS with LDAP Support
Hello Everyone,

I do have libldap2-dev installed; however, it seems like openldap in all its totality is needed?

Thanks in Advance,

Nick.

On Thu, Dec 8, 2011 at 5:31 AM, Fajar A. Nugraha l...@fajar.net wrote:
> On Thu, Dec 8, 2011 at 9:51 AM, Nick Khamis sym...@gmail.com wrote:
>> Hello Everyone,
>>
>> I tried to compile FreeRADIUS with LDAP support; however, rlm_ldap has not been compiled. Are libldap-2.4-2 and libldap-dev not sufficient? Do I need to install OpenLDAP?
>
> Try libldap2-dev. That's what's in the Build-Depends section of debian/control.
>
> --
> Fajar
Re: FreeRADIUS with LDAP Support
On 12/08/2011 01:11 PM, Nick Khamis wrote:
> Hello Everyone,
>
> I do have libldap2-dev installed; however, it seems like openldap in all its totality is needed?

What is needed will be listed in the output of configure. Also listed will be where configure looked for the dependency. You should read this. Usually you'll need the headers and libraries, but they may be located in non-standard locations; if so, you'll have to tell configure where to find them.

--
John Dennis jden...@redhat.com
Re: Freeradius and LDAP keepalive
Thank you. I have tried those options, but they don't work for me. The problem is that they configure freeradius to send TCP keepalive messages over the connection, but these packets are just TCP packets; they don't contain any LDAP command, so the openldap idle_timeout is still applied.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
Re: Freeradius and LDAP keepalive
Angel L. Mateo wrote:
> Thank you. I have tried those options, but they don't work for me. The problem is that they configure freeradius to send TCP keepalive messages over the connection, but these packets are just TCP packets; they don't contain any LDAP command, so the openldap idle_timeout is still applied.

Well... poke the server occasionally using radclient.

Alan DeKok.
Re: Freeradius and LDAP keepalive
Angel L. Mateo wrote:
> I have a freeradius 2.1.10 running in a ubuntu (10.04) server. My users are in a ldap directory. The problem I have is that openldap server has an idle timeout (if there is more than this time with an idle connection, openldap closes the connection). So I want to know if there is some way to configure a keepalive on the ldap connection of freeradius.
...
> Is there any way to configure this keepalive?

In 2.1.12, the keepalive configuration is documented in raddb/modules/ldap

Alan DeKok.
Re: Freeradius and LDAP keepalive
On 07/09/11 13:02, Alan DeKok wrote:
> Angel L. Mateo wrote:
>> I have a freeradius 2.1.10 running in a ubuntu (10.04) server. My users are in a ldap directory. The problem I have is that openldap server has an idle timeout (if there is more than this time with an idle connection, openldap closes the connection). So I want to know if there is some way to configure a keepalive on the ldap connection of freeradius.
> ...
>> Is there any way to configure this keepalive?
>
> In 2.1.12, the keepalive configuration is documented in raddb/modules/ldap

I didn't find any 2.1.12 freeradius version (the latest version at the freeradius web is 2.1.11). In 2.1.11 (and 2.1.10) the options I have found that could be related are:

* ldap_connections_number: number of active ldap connections (although I have this value configured as 15, I can only see one active connection with netstat)
* timeout: timeout to finish a query
* timelimit: timeout that the ldap server has to finish the query
* net_timeout: seconds to wait for response of the server

As far as I understand, none of these values is for a keepalive. Is there any other parameter?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 86337
Re: Freeradius and LDAP keepalive
Angel L. Mateo wrote:
> I didn't find any 2.1.12 freeradius version (the latest version at the freeradius web is 2.1.11). In 2.1.11 (and 2.1.10) the options I have found that could be related are:

2.1.12 will be released soon.

> * ldap_connections_number: number of active ldap connections (although I have this value configured as 15, I can only see one active connection with netstat)
> * timeout: timeout to finish a query
> * timelimit: timeout that the ldap server has to finish the query
> * net_timeout: seconds to wait for response of the server
>
> As far as I understand, none of these values is for a keepalive. Is there any other parameter?

See https://github.com/alandekok/freeradius-server/tree/v2.1.x

Download a tar file. It is a pre-release version of 2.1.12. Then see raddb/modules/ldap, as I suggested.

Alan DeKok.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Hi,

You can add NT / LM pairs to each LDAP user object. You must include the samba.schema into the ldap server schemas. Ex:

    sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
    sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE

You can create these passwords using the smbencrypt tool (deployed with samba). This way pptp MSCHAP auth will work.

Nelson Vale

On Monday 05 July 2010 16:59:08 Daniel Gomes wrote:
> Dear list,
>
> I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, re-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptpd server).
>
> First of all, on the pptpd server's side (which I know it's not your jurisdiction, so I'll be fast here), I have the require-mschap-v2 and require-mppe options enabled.
>
> As for freeradius itself, a summarized sites-enabled/default reads:
>
>     authorize {
>         preprocess
>         pap
>         mschap
>         ldap
>         auth_log
>         eap {
>             ok = return
>         }
>         expiration
>         logintime
>     }
>
>     authenticate {
>         Auth-Type PAP {
>             pap
>         }
>         Auth-Type MS-CHAP {
>             mschap
>         }
>         Auth-Type LDAP {
>             ldap
>         }
>         eap
>     }
>
> My modules/ldap contains all the necessary information, and my modules/mschap has the options use_mppe, require_encryption and require_strong enabled, like most tutorials state.
>
> As for the results, radtest works fine (querying LDAP etc), but through pptpd it always fails with this error:
>
>     rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75, length=151
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         User-Name = dgomes
>         MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
>         MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
>         Calling-Station-Id = 193.136.136.200
>         NAS-IP-Address = 193.136.136.40
>         NAS-Port = 0
>     +- entering group authorize {...}
>     ++[preprocess] returns ok
>     [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
>     ++[pap] returns noop
>     [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
>     ++[mschap] returns ok
>     [ldap] performing user authorization for dgomes
>     WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
>         expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
>         expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
>     rlm_ldap: ldap_get_conn: Checking Id: 0
>     rlm_ldap: ldap_get_conn: Got Id: 0
>     rlm_ldap: attempting LDAP reconnection
>     rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
>     rlm_ldap: bind as cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to gold.ipfn.ist.utl.pt:389
>     rlm_ldap: waiting for bind result ...
>     rlm_ldap: Bind was successful
>     rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt, with filter (cn=dgomes)
>     [ldap] No default NMAS login sequence
>     [ldap] looking for check items in directory...
>     [ldap] looking for reply items in directory...
>     WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
>     [ldap] user dgomes authorized to use remote access
>     rlm_ldap: ldap_release_conn: Release Id: 0
>     ++[ldap] returns ok
>         expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
>     [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
>         expand: %t -> Thu Jul 8 14:08:34 2010
>     ++[auth_log] returns ok
>     [eap] No EAP-Message, not doing EAP
>     ++[eap] returns noop
>     ++[expiration] returns noop
>     ++[logintime] returns noop
>     Found Auth-Type = MSCHAP
>     +- entering group MS-CHAP {...}
>     [mschap] No Cleartext-Password configured. Cannot create LM-Password.
>     [mschap] No Cleartext-Password configured. Cannot create NT-Password.
>     [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
>     [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
>     [mschap] FAILED: MS-CHAP2-Response is incorrect
>     ++[mschap] returns reject
>     Failed to authenticate the user.
>     Using Post-Auth-Type Reject
>     +- entering group REJECT {...}
>         expand: %{User-Name} -> dgomes
>      attr_filter: Matched entry DEFAULT at line 11
>     ++[attr_filter.access_reject] returns updated
>     Delaying reject of request 0 for 1 seconds
>     Going to the next request
>
> I know that the error should be enough for me to fix it (since it's quite explanatory), but after trying many different configurations and searching through dozens of old mailing list posts, I still haven't managed it... So yeah, if you could help me out,
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote:
> I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, re-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptpd server).

Go read the debug log. It's not finding the password for the user. Fix that.

> So yeah, if you could help me out, I'd appreciate it! All I want is pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP is not even a requirement for me here, since both services are on the same machine, so there's not even the need for safe connections. So long as it works, I really don't care about any particular configuration!

A simple LDAP query for the user is *not* returning a password. That's the problem. Does the user even have a password in LDAP?

Alan DeKok.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Hey there,

First of all, thanks for all the tips! Commenting on them, in the order in which they came:

@peter lambrechtsen: I actually had tried PAP before, but I gave up then because pptpd was refusing clients without even consulting the RADIUS server... But I noticed (a couple of minutes ago) that I had the client (i.e. Windows) configured to try MS-CHAP and not PAP...

@nf-vale: nice detailed description on how to fix it, but I ended up using peter's solution, as it seemed easier.

@alan dekok (inline comments):

On 09-07-2010 11:23, Alan DeKok wrote:
> Daniel Gomes wrote:
>> I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, re-configuring, etc, I still can't get my freeradius server to properly authenticate users (for a pptpd server).
>
> Go read the debug log. It's not finding the password for the user. Fix that.
>
>> So yeah, if you could help me out, I'd appreciate it! All I want is pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP is not even a requirement for me here, since both services are on the same machine, so there's not even the need for safe connections. So long as it works, I really don't care about any particular configuration!
>
> A simple LDAP query for the user is *not* returning a password. That's the problem. Does the user even have a password in LDAP?

From the logs, and as I wrote on my initial cry for help, I could see that the password wasn't being found, I just couldn't puzzle out why... And yes, the users do have passwords on LDAP (we are using it to authenticate many other applications), and as I wrote, radtest was working fine, so freeradius was able to authenticate users via LDAP.

> Alan DeKok.

Anyway, once again, thanks for all the tips! It seems to be working fine with PAP, so I guess I'll go with it!

Cheers,
--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote:
> From the logs, and as I wrote on my initial cry for help, I could see that the password wasn't being found, I just couldn't puzzle out why... And yes, the users do have passwords on LDAP (we are using it to authenticate many other applications), and as I wrote, radtest was working fine, so freeradius was able to authenticate users via LDAP.

Let me guess: it's Active Directory.

Active Directory is *not* a real LDAP server. In order to authenticate users with MS-CHAP, you will need to install Samba. See the Active Directory howto on http://deployingradius.com/

Alan DeKok.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Wrong guess, it's OpenLDAP :)

On 09-07-2010 13:04, Alan DeKok wrote:
> Daniel Gomes wrote:
>> From the logs, and as I wrote on my initial cry for help, I could see that the password wasn't being found, I just couldn't puzzle out why... And yes, the users do have passwords on LDAP (we are using it to authenticate many other applications), and as I wrote, radtest was working fine, so freeradius was able to authenticate users via LDAP.
>
> Let me guess: it's Active Directory.
>
> Active Directory is *not* a real LDAP server. In order to authenticate users with MS-CHAP, you will need to install Samba. See the Active Directory howto on http://deployingradius.com/
>
> Alan DeKok.

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote:
> Wrong guess, it's OpenLDAP :)

Then fix it so that it returns a password to FreeRADIUS. It's an LDAP server. If it doesn't return a password when an LDAP client queries it for a password, it's broken.

Alan DeKok.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Well, as I mentioned (a couple of times now), the LDAP server was indeed returning a password to FreeRADIUS, since radtest was always working fine. So the problem wasn't in the LDAP server itself, because it does return a password when an LDAP client queries it for a password (as I also mentioned, we are currently and successfully using it to authenticate other services). The problem was really related to MS-CHAP, and now that I changed to PAP, it all seems to be working fine...

On 09-07-2010 13:35, Alan DeKok wrote:
> Daniel Gomes wrote:
>> Wrong guess, it's OpenLDAP :)
>
> Then fix it so that it returns a password to FreeRADIUS. It's an LDAP server. If it doesn't return a password when an LDAP client queries it for a password, it's broken.
>
> Alan DeKok.

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote:
> Well, as I mentioned (a couple of times now), the LDAP server was indeed returning a password to FreeRADIUS, since radtest was always working fine.

No, it wasn't returning a password to FreeRADIUS. Go *read* the debug output. It will prove this.

When using PAP, the LDAP module looks for a password. If it doesn't get one, it then tries to do "bind as user". That is, it hands the username/password to the LDAP server, and asks "are these OK?"

When this happens, you're making your LDAP server do user authentication. This is wrong. LDAP is a database. RADIUS is an authentication server.

> So the problem wasn't in the LDAP server itself, because it does return a password when an LDAP client queries it for a password (as I also mentioned, we are currently and successfully using it to authenticate other services).

Using PAP passwords.

> The problem was really related to MS-CHAP, and now that I changed to PAP, it all seems to be working fine...

Yes. For the reasons outlined above. Your situation *isn't* the first time someone has had this issue. We're familiar with the problem/solution, where you are clearly not.

Alan DeKok.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
On 09-07-2010 13:59, Alan DeKok wrote:
> Daniel Gomes wrote:
>> Well, as I mentioned (a couple of times now), the LDAP server was indeed returning a password to FreeRADIUS, since radtest was always working fine.
>
> No, it wasn't returning a password to FreeRADIUS. Go *read* the debug output. It will prove this.
>
> When using PAP, the LDAP module looks for a password. If it doesn't get one, it then tries to do "bind as user". That is, it hands the username/password to the LDAP server, and asks "are these OK?"
>
> When this happens, you're making your LDAP server do user authentication. This is wrong. LDAP is a database. RADIUS is an authentication server.

Ok, thanks, now I see the difference. I did read the debug output, and again, I understood that FreeRADIUS was having problems getting the userPassword, I just couldn't understand why. For a layman such as myself, if it worked with radtest it followed that it should work with MS-CHAP too. With this explanation, now I understand why it didn't.

>> So the problem wasn't in the LDAP server itself, because it does return a password when an LDAP client queries it for a password (as I also mentioned, we are currently and successfully using it to authenticate other services).
>
> Using PAP passwords.

Actually these applications are probably just binding with the user's credentials, but that's not relevant here.

>> The problem was really related to MS-CHAP, and now that I changed to PAP, it all seems to be working fine...
>
> Yes. For the reasons outlined above. Your situation *isn't* the first time someone has had this issue. We're familiar with the problem/solution, where you are clearly not.
>
> Alan DeKok.

Well, it doesn't help me much if you say you know the problem and its solution, but then don't tell me how to fix it.

And I know I'm not the first one to have these issues; I started from the beginning by saying that I read everything I could find about it on the Internet, tried to fix the problem many times and only then I came here, asking for help. Sorry for wasting your time!... And btw, your aggressive attitude doesn't really help anyone.

Anyway, after getting it to work with PAP, I followed nf-vale's solution (adding the ntPassword and lmPassword attributes to LDAP) and now it's also working with MS-CHAP. Thanks for the great tip!!

Cheers,
--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Daniel Gomes wrote:
>>> we are currently and successfully using it to authenticate other services).
>>
>> Using PAP passwords.
>
> Actually these applications are probably just binding with the user's credentials, but that's not relevant here.

sigh That's what I meant.

> Well, it doesn't help me much if you say you know the problem and its solution, but then don't tell me how to fix it.

OpenLDAP has documentation on how to make it return passwords when an LDAP client asks for them. We don't tend to copy that documentation here.

> And I know I'm not the first one to have these issues; I started from the beginning by saying that I read everything I could find about it on the Internet, tried to fix the problem many times and only then I came here, asking for help. Sorry for wasting your time!... And btw, your aggressive attitude doesn't really help anyone.

Sorry... but when you ask for help, you shouldn't argue with the answers. Especially when it's clear that you're asking for help because you don't know what's going wrong.

Education can be a painful process.

> Anyway, after getting it to work with PAP, I followed nf-vale's solution (adding the ntPassword and lmPassword attributes to LDAP) and now it's also working with MS-CHAP. Thanks for the great tip!!

That's good to hear.

Alan DeKok.
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
On 09-07-2010 17:12, Alan DeKok wrote:
> Daniel Gomes wrote:
>>>> we are currently and successfully using it to authenticate other services).
>>>
>>> Using PAP passwords.
>>
>> Actually these applications are probably just binding with the user's credentials, but that's not relevant here.
>
> sigh That's what I meant.
>
>> Well, it doesn't help me much if you say you know the problem and its solution, but then don't tell me how to fix it.
>
> OpenLDAP has documentation on how to make it return passwords when an LDAP client asks for them. We don't tend to copy that documentation here.
>
>> And I know I'm not the first one to have these issues; I started from the beginning by saying that I read everything I could find about it on the Internet, tried to fix the problem many times and only then I came here, asking for help. Sorry for wasting your time!... And btw, your aggressive attitude doesn't really help anyone.
>
> Sorry... but when you ask for help, you shouldn't argue with the answers. Especially when it's clear that you're asking for help because you don't know what's going wrong.
>
> Education can be a painful process.

Mate, I wasn't arguing in the sense of "you're wrong", I was just trying to understand why you were saying that LDAP wasn't working, when it clearly looked like it was. After you explained the difference between PAP and MS-CHAP in the previous email, I could finally understand just that. So thanks once again for the explanation!

And yeah, I didn't know what was going on, but that was my reason to come here in the first place!

>> Anyway, after getting it to work with PAP, I followed nf-vale's solution (adding the ntPassword and lmPassword attributes to LDAP) and now it's also working with MS-CHAP. Thanks for the great tip!!
>
> That's good to hear.
>
> Alan DeKok.

Thanks for the patience,
--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
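The two halves of this thread, Nelson's sambaNTPassword fix and Alan's explanation of why PAP worked while MS-CHAP could not, come down to one fact: an MS-CHAPv2 response proves knowledge of the NT hash (MD4 over the UTF-16LE password), so the RADIUS server must hold that hash or the cleartext; a {SSHA} userPassword, which the PAP path can verify, or a bind-as-user, which hands the check to the directory, gives rlm_mschap nothing to work with. The block below is an added example written for this page, not code from the thread, from Samba's smbencrypt or from FreeRADIUS: it derives the sambaNTPassword value for a password, shows the PAP-style check against a {SSHA} userPassword that works only because the cleartext arrives in the request, and emits the LDIF that adds the hash to an existing sambaSamAccount entry. MD4 is implemented inline because OpenSSL 3 ships it only in its legacy provider, so hashlib.new("md4") is not reliable; the DN, password and salt are constructed.

```python
"""Added example (not code from the thread, Samba or FreeRADIUS): derive the
sambaNTPassword value MS-CHAPv2 needs, contrast it with the PAP-style check
of a {SSHA} userPassword, and emit the LDIF that stores the hash.
MD4 is implemented inline because OpenSSL 3 ships it only in the legacy
provider. DN, password and salt below are constructed."""
import base64
import hashlib
import hmac
import struct

_M = 0xFFFFFFFF


def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (little-endian words, three 16-step rounds)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                                   # round 1
            a, b, c, d = d, _rot((a + F(b, c, d) + X[i]) & _M, (3, 7, 11, 19)[i % 4]), b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):   # round 2
            a, b, c, d = d, _rot((a + G(b, c, d) + X[k] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):   # round 3
            a, b, c, d = d, _rot((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """sambaNTPassword / NT-Password value: MD4 of the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} userPassword: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """PAP-style check of a cleartext candidate against a {SSHA}, {SHA} or cleartext
    userPassword. The cleartext candidate is required: an MS-CHAPv2 exchange never
    carries it, which is why this hash is useless for that path."""
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[6:])
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(candidate.encode("utf-8") + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(candidate.encode("utf-8")).digest(),
                                   base64.b64decode(stored[5:]))
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def samba_ldif(dn: str, password: str) -> str:
    """LDIF modify adding the NT hash to an entry that already carries objectClass
    sambaSamAccount (samba.schema, as the thread notes). The LM hash is left out on
    purpose: MS-CHAPv2 does not use it and LM is trivially crackable."""
    return "\n".join([f"dn: {dn}", "changetype: modify", "add: sambaNTPassword",
                      f"sambaNTPassword: {nt_hash(password)}", ""])


if __name__ == "__main__":
    pw = "password"                                          # constructed sample secret
    stored = make_ssha(pw, b"\xde\xad\xbe\xef")
    print("userPassword:", stored, "-> PAP check:", verify_userpassword(stored, pw))
    print(samba_ldif("uid=nick,ou=people,dc=example,dc=org", pw))
```

Storing the NT hash is storing a password equivalent: anyone who can read sambaNTPassword can answer MS-CHAPv2 challenges for that user without ever learning the password, so the attribute needs an ACL at least as tight as userPassword, and the RADIUS bind identity must be the only non-admin principal allowed to read it.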
Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)
Why not set up your NAS to use PAP instead of MS-CHAP? If you use MS-CHAP you will need to have NT hashes in your LDAP directory. It would be far easier to have PAP authentication enabled on your NAS; then it should work fine.

On Tue, Jul 6, 2010 at 3:59 AM, Daniel Gomes dgo...@ipfn.ist.utl.pt wrote:

> Dear list,
>
> I know this is a question which has been thoroughly asked and answered, but after spending several days configuring, debugging, searching the internet, re-configuring, etc., I still can't get my freeradius server to properly authenticate users (for a pptpd server).
>
> First of all, on the pptpd server's side (which I know is not your jurisdiction, so I'll be fast here), I have the require-mschap-v2 and require-mppe options enabled.
>
> As for freeradius itself, a summarized sites-enabled/default reads:
>
> authorize {
>     preprocess
>     pap
>     mschap
>     ldap
>     auth_log
>     eap {
>         ok = return
>     }
>     expiration
>     logintime
> }
>
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     Auth-Type LDAP {
>         ldap
>     }
>     eap
> }
>
> My modules/ldap contains all the necessary information, and my modules/mschap has the options use_mppe, require_encryption and require_strong enabled, like most tutorials state.
>
> As for the results, radtest works fine (querying LDAP etc.), but through pptpd it always fails with this error:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75, length=151
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     User-Name = dgomes
>     MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
>     MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
>     Calling-Station-Id = 193.136.136.200
>     NAS-IP-Address = 193.136.136.40
>     NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> ++[mschap] returns ok
> [ldap] performing user authorization for dgomes
> WARNING: Deprecated conditional expansion :-. See man unlang for details
>     expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
>     expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -> ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
> rlm_ldap: bind as cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to gold.ipfn.ist.utl.pt:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt, with filter (cn=dgomes)
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
> [ldap] user dgomes authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
>     expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
> [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
>     expand: %t -> Thu Jul 8 14:08:34 2010
> ++[auth_log] returns ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = MSCHAP
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
>     expand: %{User-Name} -> dgomes
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
>
> I know that the error should be enough for me to fix it (since it's quite explanatory), but after trying many different configurations and searching through dozens of old mailing list posts, I still haven't managed it... So yeah, if you could help me out, I'd appreciate it!
>
> All I want is pptpd to authenticate the users with an LDAP backend, via RADIUS. MS-CHAP is not even
Re: FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please
Your password needs to be readable in cleartext by FR for anything other than PAP to work. That way FR can hash/encrypt the password out of LDAP on the server side and compare it against the hash it gets passed from the client.

On Sun, Oct 4, 2009 at 6:07 PM, Ryaz Khan rk...@ezesolve.com wrote:

> Hi Guys,
>
> I am glad to say that I was able to set up *FreeRADIUS ver. 2.1.7* with *LDAP (slapd)* authentication after a continuous research of a whole week. I can authenticate users via LDAP but it only works for PAP: the *radtest* tool works, *NTRadPing* works but only when using PAP (un-checking CHAP). I tried every possible option/combination I can think of, but unfortunately none of them worked.
>
> I would appreciate it if some of you can help me with that or can guide me to the right path.
>
> Thx guys
> Ryaz Khan
Re: FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please
> I am glad to say that I was able to set up FreeRADIUS ver. 2.1.7 with LDAP (slapd) authentication after a continuous research of a whole week. I can authenticate users via LDAP but it only works for PAP: the radtest tool works, NTRadPing works but only when using PAP (un-checking CHAP).

If you had read the comments in the ldap module (raddb/modules/ldap) you needn't have wasted your time. Ldap authentication works *only* for PAP.

http://deployingradius.com/documents/protocols/oracles.html

> I would appreciate it if some of you can help me with that or can guide me to the right path.

Use ldap as a database and not as an authentication system. Pass the password from it to freeradius and let freeradius authenticate the user.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius and ldap
> I installed freeradius-server-2.1.6. It is related to an LDAP server. When I run radiusd -X there is this error:
>
> /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': /usr/lib/rlm_ldap.so: undefined symbol: librad_errstr
>
> Is it needed to install freeradius-ldap, or may my config have an error?

Yes, if you want to use ldap.

> I downloaded freeradius-ldap-2.1.3-1.fc10.i386.rpm. When I want to install it, it needs libldap_r-2.4.so.2, and searching for this file gives openldap, whose installation needs dependencies too. What is my mistake?

You are not using yum? This is an OS question, so direct it to them.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius and ldap
Yum install freeradius-ldap sends this needed too.

> > I installed freeradius-server-2.1.6. It is related to an LDAP server. When I run radiusd -X there is this error:
> >
> > /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': /usr/lib/rlm_ldap.so: undefined symbol: librad_errstr
> >
> > Is it needed to install freeradius-ldap, or may my config have an error?
>
> Yes, if you want to use ldap.
>
> > I downloaded freeradius-ldap-2.1.3-1.fc10.i386.rpm. When I want to install it, it needs libldap_r-2.4.so.2, and searching for this file gives openldap, whose installation needs dependencies too. What is my mistake?
>
> You are not using yum? This is an OS question, so direct it to them.
Re: freeradius and ldap
> Hi,
>
> I installed freeradius-server-2.1.6. It is related to an LDAP server. When I run radiusd -X there is this error:
>
> /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': /usr/lib/rlm_ldap.so: undefined symbol: librad_errstr
>
> Is it needed to install freeradius-ldap, or may my config have an error?
>
> I downloaded freeradius-ldap-2.1.3-1.fc10.i386.rpm. When I want to install it, it needs libldap_r-2.4.so.2, and searching for this file gives openldap, whose installation needs dependencies too. What is my mistake?

If you installed freeradius from YUM it looks like it didn't pull in dependencies. For LDAP functionality, you'll need to install openldap and all of its dependencies. If you built from source, you'll also need the openldap-devel package too.

alan
Re: freeradius and ldap
Yes, but yum installs version 1.1.3 and I want to use the reply-name item that is in version 2.1.6.

> If you installed freeradius from YUM it looks like it didn't pull in dependencies. For LDAP functionality, you'll need to install openldap and all of its dependencies. If you built from source, you'll also need the openldap-devel package too.
>
> alan
Re: freeradius and ldap
> Yes, but yum installs version 1.1.3 and I want to use the reply-name item that is in version 2.1.6.

http://wiki.freeradius.org/Red_Hat_FAQ

Ivan Kalik
Kalik Informatika ISP
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Christopher Sheldon wrote:
> Does anyone else who subscribes to the list specifically read every email Alan sends just to chuckle at him berating the poor, confused people seeking help?

My unhelpful comments are directed at the people who don't read (a) the documentation I already wrote, or (b) the debugging messages I already wrote.

Perhaps you could take over the role of cut & paste master, where you would cut and paste the existing documentation onto this list for certain people. Failing that, perhaps you could try another method of positive contribution that doesn't involve complaining about me.

Alan DeKok.
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
daverum...@boothcreek.com wrote:
> So funny you say that, I was just talking about that with a co-worker. I almost find myself searching for his emails and thinking that poor person who is looking for help.

Asking people to read the debug log, as suggested in the FAQ, README, INSTALL, man page, every single howto, and daily on this list? For shame.

It's really quite simple. It's a choice. People DON'T read the documentation. They DON'T follow instructions. They DON'T read the debug log. But they get incensed when they get told to read it, and they get incensed when told to follow instructions.

Happily, there is a solution. Along with Christopher, you're now the new cut & paste master. Please spend a few short hours every day answering questions on this list by cutting & pasting answers from the existing documentation. Also, you will need to explain to people that they should run the server in debugging mode. Feel free to *continue* explaining why this is necessary after they have gotten angry at you for not immediately solving their problem.

Complaining about *my* behavior is not an option until you've contributed something to the project.

Alan DeKok.
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Alan often replies immediately with useful information, often for questions which are constantly repeated. I'm personally impressed with his tireless dedication, not only in being one of the primary help desk roles but also in developing the software, both of which you're getting for *free*. I think Alan (and some others) deserve a note of thanks from this community.

Folks, get real, this is open source. That means it's a community of volunteers. In open source if you think something is deficient your job is to step up to the plate and contribute for the betterment of everyone. But if instead you feel you need to complain and not contribute then please walk away.

John
RE: freeradius 2.1.6 ldap + mschapv2 to authenticate
-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org On Behalf Of John Dennis
Sent: Thursday, June 25, 2009 8:54 AM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

> Alan often replies immediately with useful information, often for questions which are constantly repeated. I'm personally impressed with his tireless dedication, not only in being one of the primary help desk roles but also in developing the software, both of which you're getting for *free*. I think Alan (and some others) deserve a note of thanks from this community.
>
> Folks, get real, this is open source. That means it's a community of volunteers. In open source if you think something is deficient your job is to step up to the plate and contribute for the betterment of everyone. But if instead you feel you need to complain and not contribute then please walk away.
>
> John

I agree wholeheartedly. The documentation is more than adequate. Surprising how much you'll learn by reading it. If you'd prefer Alan spend time answering already answered questions rather than refining/developing freeradius

Mearl
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
jpablorp wrote:
> I replace eap.conf with the Default eap.conf file and this is my debug:

Where you have *deleted* the real cause of the error.

> [peap] Had sent TLV failure. User was rejected earlier in this session.

Look EARLIER in the debug log for the failure. It's really not hard. Look for words like reject, or fail, or error. The messages will tell you what is wrong, and why. All you need to do is read them.

Alan DeKok.
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Thanks for your help. I'm pretty new to freeradius. I've read many how-tos, but only in this post have I discovered many things.

Alan DeKok-2 wrote:
> jpablorp wrote:
> > I replace eap.conf with the Default eap.conf file and this is my debug:
>
> Where you have *deleted* the real cause of the error.
>
> > [peap] Had sent TLV failure. User was rejected earlier in this session.
>
> Look EARLIER in the debug log for the failure. It's really not hard. Look for words like reject, or fail, or error. The messages will tell you what is wrong, and why. All you need to do is read them.
>
> Alan DeKok.
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Does anyone else who subscribes to the list specifically read every email Alan sends just to chuckle at him berating the poor, confused people seeking help? It's like reality TV. ;-)

Chris.

Alan DeKok wrote:
> jpablorp wrote:
> > I replace eap.conf with the Default eap.conf file and this is my debug:
>
> Where you have *deleted* the real cause of the error.
>
> > [peap] Had sent TLV failure. User was rejected earlier in this session.
>
> Look EARLIER in the debug log for the failure. It's really not hard. Look for words like reject, or fail, or error. The messages will tell you what is wrong, and why. All you need to do is read them.
>
> Alan DeKok.
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Chris,

So funny you say that, I was just talking about that with a co-worker. I almost find myself searching for his emails and thinking that poor person who is looking for help.

I hope to post a link giving exact details on how to do auth with ldap using freeradius 2. I also plan to add how to do group auth with unlang. So tired of finding bits and pieces and no one quite giving a how-to on this mailing list.

-----Original Message-----
From: Christopher Sheldon
Sender: freeradius-users-bounces+daverummel=boothcreek@lists.freeradius.org
To: FreeRadius users mailing list
ReplyTo: FreeRadius users mailing list
Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Sent: Jun 24, 2009 5:36 PM

> Does anyone else who subscribes to the list specifically read every email Alan sends just to chuckle at him berating the poor, confused people seeking help? It's like reality TV. ;-)
>
> Chris.
>
> Alan DeKok wrote:
> > jpablorp wrote:
> > > I replace eap.conf with the Default eap.conf file and this is my debug:
> >
> > Where you have *deleted* the real cause of the error.
> >
> > > [peap] Had sent TLV failure. User was rejected earlier in this session.
> >
> > Look EARLIER in the debug log for the failure. It's really not hard. Look for words like reject, or fail, or error. The messages will tell you what is wrong, and why. All you need to do is read them.
> >
> > Alan DeKok.
RE: freeradius 2.1.6 ldap + mschapv2 to authenticate
We should start collecting the Best of Alan posts. Any nominations?

Tim

-----Original Message-----
From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org On Behalf Of daverum...@boothcreek.com
Sent: Wednesday, June 24, 2009 7:56 PM
To: FreeRadius users mailing list
Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

> Chris,
>
> So funny you say that, I was just talking about that with a co-worker. I almost find myself searching for his emails and thinking that poor person who is looking for help.
>
> I hope to post a link giving exact details on how to do auth with ldap using freeradius 2. I also plan to add how to do group auth with unlang. So tired of finding bits and pieces and no one quite giving a how-to on this mailing list.
>
> -----Original Message-----
> From: Christopher Sheldon
> Sender: freeradius-users-bounces+daverummel=boothcreek@lists.freeradius.org
> To: FreeRadius users mailing list
> ReplyTo: FreeRadius users mailing list
> Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
> Sent: Jun 24, 2009 5:36 PM
>
> > Does anyone else who subscribes to the list specifically read every email Alan sends just to chuckle at him berating the poor, confused people seeking help? It's like reality TV. ;-)
> >
> > Chris.
> >
> > Alan DeKok wrote:
> > > jpablorp wrote:
> > > > I replace eap.conf with the Default eap.conf file and this is my debug:
> > >
> > > Where you have *deleted* the real cause of the error.
> > >
> > > > [peap] Had sent TLV failure. User was rejected earlier in this session.
> > >
> > > Look EARLIER in the debug log for the failure. It's really not hard. Look for words like reject, or fail, or error. The messages will tell you what is wrong, and why. All you need to do is read them.
> > >
> > > Alan DeKok.
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
> I've been trying to set up a freeradius 2.1.6 with Ldap and mschapv2 to authenticate. When I send a test from my console, this works fine. But when I try to connect... I don't know what I'm missing. Here is my radiusd.conf:

Why did you find it necessary to butcher the default configuration? Use the default radiusd.conf, configure ldap in modules (raddb/modules/ldap) and watch it work.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Thanks for your response. Now I'm using the default files and configure the access in modules (raddb/modules/ldap). Now it seems like the solution is closer. When I test, this appears in my server in debug mode:

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for unsupported type 25
[eap] No common EAP types found.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 189 to 10.14.56.33 port 32768
    EAP-Message = 0x040c0004
    Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 1 ID 188 with timestamp +30
Waking up in 1.0 seconds.
Cleaning up request 2 ID 189 with timestamp +30
Ready to process requests.

I think the problem is in my eap.conf file but I'm not sure what exactly I have to do. Any idea?

Ivan Kalik wrote:
> > I've been trying to set up a freeradius 2.1.6 with Ldap and mschapv2 to authenticate. When I send a test from my console, this works fine. But when I try to connect... I don't know what I'm missing. Here is my radiusd.conf:
>
> Why did you find it necessary to butcher the default configuration? Use the default radiusd.conf, configure ldap in modules (raddb/modules/ldap) and watch it work.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
> Thanks for your response. Now I'm using the default files and configure the access in modules (raddb/modules/ldap). Now it seems like the solution is closer. When I test, this appears in my server in debug mode:
> ...
> [eap] EAP NAK
> [eap] NAK asked for unsupported type 25
> [eap] No common EAP types found.

Well, type 25 is PEAP, and that is defined in eap.conf by default. As are a few others.

> I think the problem is in my eap.conf file but I'm not sure what exactly I have to do. Any idea?

Have you done some strange things to eap.conf or are you using the default one? Default configuration works.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Ivan Kalik wrote:
> Have you done some strange things to eap.conf or are you using the default one? Default configuration works.

I replaced eap.conf with the default eap.conf file and this is my debug:

++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 198 to 10.14.56.33 port 32768
    EAP-Message = 0x040d0004
    Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 1 ID 190 with timestamp +51
Cleaning up request 2 ID 191 with timestamp +51
Cleaning up request 3 ID 192 with timestamp +51
Cleaning up request 4 ID 193 with timestamp +51
Cleaning up request 5 ID 194 with timestamp +51
Cleaning up request 6 ID 195 with timestamp +51
Cleaning up request 7 ID 196 with timestamp +51
Cleaning up request 8 ID 197 with timestamp +51
Waking up in 1.0 seconds.
Cleaning up request 9 ID 198 with timestamp +51

Am I missing something?
RE: FreeRadius 2.1 + LDAP Authentication - mschap
> [mschapv2]
> +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Told to do MS-CHAPv2 for sminhas with NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject

Needs NT/LM passwords (or plain-text) for mschap to work. See perl's Crypt::SmbHash on CPAN for an easy way to generate the hash from plaintext. Look at the samba schema for openLDAP, and you probably want to compile the smbk5pwd module for openLDAP as well (in the contrib section of the source) to keep your pwds sync'd (also check the pam/nssldap conf for passwd changes using LDAP-exop if you let shell accounts change pwds too).

-T

Date: Fri, 05 Jun 2009 14:47:36 -0400
From: Nik Alleyne nalle...@brontecollege.ca
Subject: FreeRadius 2.1 + LDAP Authentication
To: freeradius-users@lists.freeradius.org

> Hi Guys,
>
> I'm hoping someone can help me, because I have been fighting with this issue for days now.
>
> Environment: FC10 + FreeRadius 2.1 + OpenLdap 2.4.
>
> I've successfully set up Certificate Based authentication on my FreeRadius server and that works well. My problem is I have some users I want to authenticate via username and password (EAP-PEAP). I configured FreeRadius for such and my radtest (Access-Accept) works as well as my NTRadPing Utility (Access-Accept) when checked against the users in LDAP. However, I cannot seem to get my Windows XP Wireless Clients to authenticate. Please see my debug info below for a sample user sminhas who has a cleartext LDAP password as it.
>
> Thanks for the help.
>
> radiusd -X
> ...snip
Re: freeRadius 1.1.6 ldap inner and outer identity
> We use freeRadius v 1.1.6 and EAP-TTLS for our WiFi network. FreeRadius uses LDAP for user authentication. It is querying LDAP about inner identities and outer identities (anonymous usually). Is there any way to stop freeRadius from querying LDAP about outer identities?

Upgrade. In 2.x inner and outer tunnels are handled by different virtual servers. Enable ldap only for the inner one.

Ivan Kalik
Kalik Informatika ISP
Re: freeRadius 1.1.6 ldap inner and outer identity
Daniel Daza Muñoz wrote:
> We use freeRadius v 1.1.6 and EAP-TTLS for our WiFi network. FreeRadius uses LDAP for user authentication. It is querying LDAP about inner identities and outer identities (anonymous usually). Is there any way to stop freeRadius from querying LDAP about outer identities?

Upgrade to 2.1.6. Newer versions have updated functionality that makes this simple.

Alan DeKok.
Re: FreeRADIUS and LDAP Groups
You don't need Auth-Type Accept (it will let people in even if the password is wrong). Processing of the users file stops with the first match without Fall-Through.

Ivan Kalik
Kalik Informatika ISP

On 12/12/2008, Tim Gustafson t...@soe.ucsc.edu wrote:
> > Add:
> >
> > DEFAULT Auth-Type := Reject
>
> Awesome, that worked. So, if I wanted to enable multiple LDAP groups, would this be the correct syntax:
>
> DEFAULT LDAP-Group == foo, Auth-Type := Accept
> DEFAULT LDAP-Group == bar, Auth-Type := Accept
> DEFAULT LDAP-Group == baz, Auth-Type := Accept
> DEFAULT Auth-Type := Reject
>
> Tim Gustafson
> SOE Webmaster
> UC Santa Cruz
> t...@soe.ucsc.edu
> 831-459-5354
Re: FreeRADIUS and LDAP Groups
> Add:
>
> DEFAULT Auth-Type := Reject

Awesome, that worked. So, if I wanted to enable multiple LDAP groups, would this be the correct syntax:

DEFAULT LDAP-Group == foo, Auth-Type := Accept
DEFAULT LDAP-Group == bar, Auth-Type := Accept
DEFAULT LDAP-Group == baz, Auth-Type := Accept
DEFAULT Auth-Type := Reject

Tim Gustafson
SOE Webmaster
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354
Re: FreeRADIUS and LDAP Groups
> In my users I have
>
> DEFAULT LDAP-Group == foo
>
> However, even with these configuration options set, anyone with a valid login and password can authenticate right now. In my radiusd -X I see:
>
> rlm_ldap: performing search in dc=blah, with filter (&(cn=foo)(memberUid=test))
> rlm_ldap: object not found or got ambiguous search result
>
> But it then goes on to authenticate the user anyhow:
>
> rlm_ldap: user test authorized to use remote access
>
> I looked around on Google, and I see -lots- of stuff about configuring LDAP group checks, but I haven't found anything that's all too helpful right now. Is there some option that I have to set to tell the system to ignore a user that's not in the proper group?

Add:

DEFAULT Auth-Type := Reject

at the end of the users file. If none of the groups match, the user will be rejected even with the correct password.

Ivan Kalik
Kalik Informatika ISP
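The three messages of this thread describe how rlm_files walks the users file: entries are tried in order, the first match stops processing unless it carries Fall-Through = Yes, and Auth-Type := Accept bypasses the password check. Added example, not FreeRADIUS code: a toy model of that walk run over the fragments posted above, plus a Fall-Through variant. The group table, the passwords and the final password compare are constructed stand-ins for rlm_ldap and the real authentication modules.

```python
"""Toy model of rlm_files walking the users file (LDAP-Group thread).

Entries are tried in order; the first entry whose check items all match
wins, and later entries are reached only if that entry carries the reply
item Fall-Through = Yes. Auth-Type := Accept skips password checking
entirely, which is why the Accept-per-group layout lets a group member in
with a wrong password, while a bare group match followed by
DEFAULT Auth-Type := Reject leaves the password check in place.
GROUPS and PASSWORDS are a constructed directory standing in for rlm_ldap;
the final password compare stands in for the real authentication module.
"""
from typing import Dict, List, Tuple

Check = Tuple[str, str, str]                      # (attribute, operator, value)
Entry = Tuple[str, List[Check], Dict[str, str]]   # (name, check items, reply items)

# users-file fragments: the two from the thread, the poster's original, and a Fall-Through variant
ACCEPT_PER_GROUP = """\
DEFAULT LDAP-Group == foo, Auth-Type := Accept
DEFAULT LDAP-Group == bar, Auth-Type := Accept
DEFAULT Auth-Type := Reject
"""
MATCH_THEN_REJECT = """\
DEFAULT LDAP-Group == foo
DEFAULT LDAP-Group == bar
DEFAULT Auth-Type := Reject
"""
GROUP_ONLY = "DEFAULT LDAP-Group == foo\n"
FALL_THROUGH = """\
DEFAULT LDAP-Group == foo
        Fall-Through = Yes
DEFAULT Auth-Type := Reject
"""

GROUPS = {"foo": {"tim"}, "bar": {"amy"}}                          # constructed
PASSWORDS = {"tim": "secret", "amy": "hunter2", "eve": "letmein"}  # constructed


def parse_users(text: str) -> List[Entry]:
    """Parse the minimal users-file subset used above: check items share the
    entry's first line, separated by commas; indented lines are reply items."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":                      # reply item of the current entry
            attr, value = (p.strip() for p in line.split("=", 1))
            entries[-1][2][attr] = value
            continue
        name, _, rest = line.partition(" ")
        checks: List[Check] = []
        for item in (s.strip() for s in rest.split(",")):
            if item:
                attr, op, value = item.split(None, 2)
                checks.append((attr, op, value))
        entries.append((name, checks, {}))
    return entries


def entry_matches(user: str, name: str, checks: List[Check]) -> bool:
    """DEFAULT matches any user; ':=' items are assignments and never fail a match."""
    if name != "DEFAULT" and name != user:
        return False
    for attr, op, value in checks:
        if op == ":=":
            continue
        if attr == "LDAP-Group" and op == "==":
            if user not in GROUPS.get(value, set()):
                return False
        else:
            raise ValueError(f"unsupported check item: {attr} {op} {value}")
    return True


def authorize(users_text: str, user: str, password: str) -> str:
    """Run one request through the users file and return "Accept" or "Reject"."""
    control: Dict[str, str] = {}
    for name, checks, replies in parse_users(users_text):
        if not entry_matches(user, name, checks):
            continue
        for attr, op, value in checks:
            if op == ":=":
                control[attr] = value
        if replies.get("Fall-Through", "no").lower() != "yes":
            break                                 # first match stops processing
    auth_type = control.get("Auth-Type")
    if auth_type == "Reject":
        return "Reject"
    if auth_type == "Accept":
        return "Accept"                           # password is never looked at
    return "Accept" if PASSWORDS.get(user) == password else "Reject"


if __name__ == "__main__":
    print(authorize(ACCEPT_PER_GROUP, "tim", "wrong"))      # Accept: wrong password gets in
    print(authorize(MATCH_THEN_REJECT, "tim", "wrong"))     # Reject
    print(authorize(MATCH_THEN_REJECT, "eve", "letmein"))   # Reject: not in any group
    print(authorize(GROUP_ONLY, "eve", "letmein"))          # Accept: the poster's original problem
    print(authorize(FALL_THROUGH, "tim", "secret"))         # Reject: fell through to DEFAULT Reject
```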
Re: Freeradius 2.0.5 %{Ldap-UserDn} not correctly expanded ?
[EMAIL PROTECTED] wrote:
> Trying to set up group membership filtering against LDAP group membership for user authentication and authorization, it seems that %{Ldap-UserDn} is not correctly expanded (shown as blank) in my conf. Has anyone experienced the same problems or has any idea about what is wrong in my conf?

In 2.0, it's in %{check:LDAP-UserDn}, I think.

Alan DeKok.
Réf. : Re: Freeradius 2.0.5 %{Ldap-UserDn} not correctly expanded ?
Thanks a lot, that was the point.

Pierre

> [EMAIL PROTECTED] wrote:
> > Trying to set up group membership filtering against LDAP group membership for user authentication and authorization, it seems that %{Ldap-UserDn} is not correctly expanded (shown as blank) in my conf. Has anyone experienced the same problems or has any idea about what is wrong in my conf?
>
> In 2.0, it's in %{check:LDAP-UserDn}, I think.
>
> Alan DeKok.
Re: FreeRadius and LDAP/AD username/password check
Mats Blomgren B wrote:
> Today I check the etc/passwd for the usernames and passwords and fetch the user's default group from etc/passwd.

I'm not so sure...

> #/usr/local/etc/raddb/users
> DEFAULT Group == admin-network, Auth-Type = System

This checks /etc/groups, via the getgrent() call. It sees if the user is a member of that group, not if that is the user's default group.

> I have been browsing the mailing list, wiki and google trying to find out if anyone has done the following:
>
> 1. I want to check the username/password against LDAP/AD instead of directly towards etc/passwd.

Configure the LDAP module. See the various howto's.

> 2. After that I would like to continue by fetching the user's default group from the Solaris 10 system (/etc/passwd) to give it rights depending on which group the user belongs to.

You don't have to change anything in your current configuration.

Alan DeKok.
Re: freeradius with ldap
satish patel wrote:
> I am going to install freeradius with ldap but my problem is I'm confused about ldap and chap. I want to implement VPDN and users authenticate through ldap, so will CHAP work or not? How can I configure the ldif file for users where I will define attributes? Is there any site regarding ldap with freeradius?

Does the LDAP database contain the clear-text password? Unless it does, you can't use CHAP for authentication. Use PAP if you don't.

Active Directory allows to do MS-CHAPv2 against the system.

--
Martin Gadbois
Sr. SW Designer
Colubris Networks Inc.
"Please answer by yes or no. Uncooperative user waste precious CPU time" -- The Andromeda Strain, M. Crichton, 1969
Re: freeradius 1.1.4 + LDAP + PEAP/mschapv2
Baptiste Delporte wrote:

Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid LM-Password
Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid NT-Password

That happens only when an LM-Password and NT-Password are added for the user, AND where they're not the right format.

Authentication works perfectly with the same config files (eap.conf, radiusd.conf, users...) with an older version (1.0.1 and even 1.1.3) of freeradius on the same server.

Run the server in debugging mode in 1.1.3, and in 1.1.4. See what's different. The PAP module changed in 1.1.4, but I don't see why it would break MSCHAP.

In both cases, I get this line when I run freeradius in debug mode:

rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.

That happens if there's no way to authenticate the user. But it shouldn't result in the above messages from the mschap module.

And I can't find if there's a link between that warning and the authentication failure for some of my users.

Perhaps you could try posting the whole debug output, rather than tiny pieces.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FreeRadius and LDAP
Sundaram Divya-QDIVYA1 wrote:

What I need to understand is how to integrate FreeRADIUS with an LDAP Server without exposing the (crypted) password hashes. Any pointers on what I need to do for that?

Bind as the LDAP user. PAP will work, nothing else will.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE : FreeRadius and LDAP
-Original Message-
From: [EMAIL PROTECTED] radius.org [mailto:[EMAIL PROTECTED] sts.freeradius.org] On Behalf Of Sundaram Divya-QDIVYA1
Sent: Thursday, 30 November 2006 23:51
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius and LDAP

We don't use openldap or eDirectory - which is what the docs are derived from.

This shouldn't be an issue if your directory is really LDAP compliant.

The information for FreeRADIUS and LDAP seems to suggest that I need to provide access to the LDAP server's password to the service account that the FreeRADIUS Server uses.

This is often required, but not always: if you are using an authentication protocol that transmits the password in cleartext to the radius server (such as PAP), you can avoid this.

What I need to understand is how to integrate FreeRADIUS with an LDAP Server without exposing the (crypted) password hashes. Any pointers on what I need to do for that?

* Enable the ldap module in the authorize section (so that Auth-Type is set to LDAP [FR = 1.1.3])
* If you are running FR = 1.1.3 then you'll have to set Auth-Type = LDAP manually (see the users file from rlm_files or the rlm_sql module)
* Enable the ldap module in the authenticate section as well (so that a simple ldap bind authentication is performed)
* In the ldap configuration section, you can use an LDAP account that does not have read access to the userPassword attribute

BUT: remember that this is NOT compatible with a lot of authentication protocols (MSCHAP, CHAP, PEAP, ...). It is working for PAP and EAP-TTLS/PAP.

HTH,
Thibault
RE: freeradius 802.11x + ldap
Good morning,

I am sending this email because I haven't found my error with freeradius + ldap. I think I have an error with the userPassword. You can see the output of radiusd -X below. Thanks for your help.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
 ldap: server = "10.49.0.101"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=adminlp,o=crt"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = "azerty"
 ldap: basedn = "o=crt"
 ldap: filter = "((objectclass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusVSA mapped to RADIUS Symbol-SSID
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP
Re: Freeradius and LDAP : to be continued
Phil Mayers wrote:

Christophe Gravier wrote:

My passwords are not stored in LDAP in clear text but hashed using the SHA algorithm, so this won't work ;-(

Ok, let's take a breath. First things first:

If your passwords are in SHA (which they are) your Radius server will ONLY be able to answer PAP requests. The very first log you sent in this thread indicates you have ChilliSpot set to use CHAP:

rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication. Cannot use CHAP-Password.
modcall[authenticate]: module ldap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.

'''Cannot use CHAP-Password''' - indicates the request (from ChilliSpot) came in with CHAP credentials. First, fix that. See here:

http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html

Next, since you have SHA passwords and can only answer PAP, you have two choices:

1. Extract the SHA password and add it to the config items, then configure the Radius server's PAP module to check it:

modules {
  pap {
    encryption_scheme = sha1
  }
  ldap {
    # settings go here
  }
}
authorize {
  preprocess
  ldap
}
authenticate {
  Auth-Type PAP {
    pap
  }
}

HOWEVER - this may not work. The SHA that your LDAP server uses may be slightly different (salting, keying) than the SHA FreeRadius uses.

Much more likely to trip you up though, is when ldap matches in authorize, it will set Auth-Type = LDAP, so you either need to disable that or otherwise make it work and there are about 6 different ways of doing that. The most obvious would be to replace the above with:

modules {
  as before
}
authorize {
  as before
}
authenticate {
  Auth-Type LDAP {
    pap
  }
}

I want to make Auth-Type = LDAP work by making this Auth-Type use the pap configuration (correct me if I'm wrong).

I followed what you advised:
- configure chilli (uamsecret and uampassword)
- put pap configuration in module section
- check ldap configuration in module
- put ldap in authorize
- put Auth-Type LDAP { pap } in authenticate.

Now things go through pap indeed, but I'm told:

rlm_pap: No password (or empty password) to check against for for user gravier.christophe

I think I totally misunderstand your sentence: "Extract the SHA password and add it to the config items". I thought it meant to add the mapping "checkItem User-Password userPassword" in ldap.attrmap (where userPassword is my attribute for the SHA password). As it didn't work I used the password_attribute conf entry in the ldap configuration (module section), but as I expected it has the same consequence.

Could you please be more precise about the extraction of the SHA password? Is there an additional conf entry for pap in the module section?

Here is the complete trace:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
rlm_ldap: checking if remote access for gravier.christophe is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = gravier.christophe, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 158
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by gravier.christophe with password (here the trace prints my password in plain text, normal?)
rlm_pap: No password (or empty password) to check against for for user gravier.christophe
modcall[authenticate]: module pap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

But it might not work. Alternatively and probably simpler (but less formally correct) is the 2nd method:

2. Configure the LDAP module to find the user, set Auth-Type==LDAP then authenticate the user via simple bind:

authorize {
  preprocess
  ldap
}
authenticate {
  Auth-Type LDAP {
    ldap
  }
}

...and assuming the ldap
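The point repeated through this thread (Martin Gadbois' "unless the directory holds the clear-text password you can't use CHAP", Thibault's list of protocols that a bind-only setup cannot serve, and Phil Mayers' "SHA passwords mean PAP only") comes down to what each protocol's arithmetic needs from the directory. The following is an added example, not code from FreeRADIUS or from any poster: it re-implements RFC 2865 User-Password hiding, RFC 2307 {SHA} comparison and RFC 1994 CHAP on constructed sample values (the password, shared secret and CHAP id are made up) and also shows why rlm_pap can log the cleartext password during a PAP request.

```python
"""
Why SHA-hashed userPassword values work for PAP but not for CHAP.

Added example, not FreeRADIUS code: it re-implements the three pieces of
arithmetic behind the thread's advice, RFC 2865 User-Password hiding (how a
PAP password travels in RADIUS), RFC 2307 {SHA} comparison (rlm_pap with
encryption_scheme = sha1), and RFC 1994 CHAP, on constructed sample data.
"""
import base64
import hashlib
import hmac
import os


def hide_user_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(shared_secret || previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """The server side of the same operation. This is why rlm_pap can print the
    password in clear: a PAP request hands the server the cleartext, merely
    obscured on the wire with the NAS shared secret."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip RFC padding (passwords never contain NUL)


def ldap_sha(password: bytes) -> str:
    """RFC 2307 userPassword value as OpenLDAP stores it: {SHA} + base64(SHA-1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


def pap_check(stored: str, cleartext: bytes) -> bool:
    """What rlm_pap with encryption_scheme = sha1 does: hash the cleartext from
    the request and compare digests. Only the hash is needed from the directory."""
    if not stored.startswith("{SHA}"):
        raise ValueError("this example only handles unsalted {SHA} values")
    return hmac.compare_digest(base64.b64decode(stored[5:]), hashlib.sha1(cleartext).digest())


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: the NAS computes MD5(id || password || challenge) from what the user typed."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_check(stored: str, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """Verifying CHAP means recomputing the same MD5, so the server needs the
    password itself. A {SHA} digest cannot go into that MD5: this is the
    'Attribute User-Password is required ... Cannot use CHAP-Password' case."""
    if stored.startswith("{SHA}"):
        raise LookupError("Attribute User-Password is required for authentication. Cannot use CHAP-Password.")
    cleartext = stored[len("{clear}"):] if stored.startswith("{clear}") else stored
    return hmac.compare_digest(chap_response(chap_id, cleartext.encode(), challenge), response)


def demo() -> dict:
    """Run both protocols against a {SHA} entry and a {clear} entry for the same
    constructed password and return the outcomes."""
    password, shared_secret = b"s3cret-pass", b"testing123"      # constructed values
    authenticator, challenge = os.urandom(16), os.urandom(16)

    # PAP: the NAS hides the password with the shared secret, the server reveals
    # it and compares it against the {SHA} value read from the directory.
    hidden = hide_user_password(password, shared_secret, authenticator)
    recovered = reveal_user_password(hidden, shared_secret, authenticator)
    sha_entry = ldap_sha(password)
    pap_ok = pap_check(sha_entry, recovered)

    # CHAP: works only if the directory yields the cleartext password.
    response = chap_response(0x17, password, challenge)
    chap_clear_ok = chap_check("{clear}" + password.decode(), 0x17, challenge, response)
    try:
        chap_check(sha_entry, 0x17, challenge, response)
        chap_sha = "ok"
    except LookupError as err:
        chap_sha = str(err)

    return {"recovered": recovered, "pap_ok": pap_ok,
            "chap_clear_ok": chap_clear_ok, "chap_sha": chap_sha}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```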
Re: Freeradius and LDAP : to be continued
Christophe Gravier wrote:

Alan DeKok wrote:

[EMAIL PROTECTED] wrote:

rlm_ldap: Adding userPassword as User-Password, value { op=11

That's better.

modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP

Yuck. My quick answer is to edit rlm_ldap.c to have it *never* set Auth-Type to LDAP. That would solve a lot of problems.

Indeed, I have no rlm-ldap.so ;-( (I did apt-get install freeradius-ldap on my debian box ...)

Whoa, I was so kind of tired (or in a hurry). I of course mean: I have no rlm_ldap.c ...

Alan DeKok.

--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant ISTASE - Research engineer
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
Food for thought: http://www.fsffrance.org/news/article2005-11-25.fr.html
Re: Freeradius and LDAP : to be continued
Alan DeKok wrote:

[EMAIL PROTECTED] wrote:

rlm_ldap: Adding userPassword as User-Password, value { op=11

That's better.

modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP

Yuck. My quick answer is to edit rlm_ldap.c to have it *never* set Auth-Type to LDAP. That would solve a lot of problems.

Interesting. I mentioned this to another querier the other day:

http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html

What then would the authenticate section look like to use LDAP? Presumably something like:

authenticate {
  Auth-Type PAP {
    ldap
  }
}

...but of course then you get into what happens if you want 2 different services in the same server, such as:

authenticate {
  Auth-Type PAP-service1 {
    ldap1
  }
  Auth-Type PAP-service2 {
    ldap2
  }
  Auth-Type MSCHAP-service1 {
    mschap1
  }
  Auth-Type MSCHAP-service2 {
    mschap2
  }
}

...etc. - nasty. Is it possible to do:

authenticate {
  Huntgroup Service1 {
    Auth-Type PAP {
      ldap1
    }
    Auth-Type MSCHAP {
      mschap1
    }
  }
  Huntgroup Service2 {
    Auth-Type PAP {
      ldap2
    }
    Auth-Type MSCHAP {
      mschap2
    }
  }
}

...although Realm might make more sense than Huntgroup in understanding what I mean.

There's also the possibility of wanting to use fallback:

authenticate {
  Auth-Type PAP {
    ldap
    pap
  }
}

...although I'm pretty sure you can do that with configurable failover and the above syntax is wrong.
Re: Freeradius and LDAP : to be continued
Phil Mayers wrote:

Alan DeKok wrote:

[EMAIL PROTECTED] wrote:

rlm_ldap: Adding userPassword as User-Password, value { op=11

That's better.

modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP

Yuck. My quick answer is to edit rlm_ldap.c to have it *never* set Auth-Type to LDAP. That would solve a lot of problems.

Interesting. I mentioned this to another querier the other day:

http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html

Ar. You lost me. Still not working. I can't imagine I'm unable to make freeradius use LDAP passwords without hacking it :-/
RE: Freeradius and LDAP : to be continued
Hello,

I must admit, I have been reading this thread, but I still do not understand what Christophe is trying to accomplish. As far as I understand - you have your passwords in LDAP, and you only (kind of) need to authorize but NOT authenticate users that are in your LDAP directory. Please correct me...

Regards,
Edvin
Re: Freeradius and LDAP : to be continued
Hello Edvin,

First, I received my email posted to the list several times in my mail client. I highly hope this is not the case for all of you! (If it is, thunderbird didn't like to switch from the testing wireless network back to cable and vice versa, since they're all dated to the same hour.) If you received only one mail, it is OK, just forget what I told ;-)

For what I am trying to do: I have an existing LDAP directory with all users being able to connect to the wireless area. The hotspot architecture is: client - chillispot (login page served with apache2 + ssl) - freeradius - ldap. I just want my ldap users to be able to connect to the hotspot.

So, *at first*, I edited the conf file to let users be authenticated via LDAP. This way, radtest was just OK but not ChilliSpot. When I reported it to the list, asking how radtest is different from chillispot login, Alan explained to me:

You're using LDAP as an authentication server. Don't do that. Use LDAP to store passwords. i.e. remove the ldap entry from the authenticate section. Get radtest to work. Once that works, Chillispot will work, too.

So I removed ldap from authenticate (I left it in the authorize section though). But it still doesn't solve the problem. In the end, Alan proposed to hack rlm_ldap.c to have it *never* set Auth-Type to LDAP. That would solve a lot of problems. I just find it dirty to hack the radius then recompile to get ldap support :-(

If you're using LDAP for your users accessing the hotspot, would you please tell me how you achieve this?

Best Regards,
RE: Freeradius and LDAP : to be continued
Hi,

rather confusing. I have to admit, I have never used chillispot, but I've just visited their website and in the FAQ I found "Why should I use CHAP-Challenge and CHAP-Password?" so this makes me think that Chillispot uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as authorisation, but as a password storage.

Okay - great.. what now?

When you look at your radiusd.conf file there is a part where you can define your LDAP server etc..

ldap ldap_users {
  server = 81.xx
  # identity = cn=admin,o=My Org,c=UA
  # password = mypass
  basedn = ou=People,dc=xxx,dc=xx
  filter = ((objectClass=posixAccount)(uid=%u))
  start_tls = no
  ..
  # Mapping of RADIUS dictionary attributes to LDAP
  # directory attributes.
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 10
  # password_header = {clear}
  password_attribute = userPassword
  timeout = 4
  timelimit = 3
  net_timeout = 1
  # compare_check_items = yes
  # access_attr_used_for_allow = yes
}

I hope you have that right (this is only a part of my working config).

Next, what Alan said is to change the authorisation part. As I said - chillispot apparently wants CHAP, so in the following section use CHAP:

authorize {
  # The chap module will set 'Auth-Type := CHAP' if we are
  # handling a CHAP request and Auth-Type has not already been set
  chap
  # here you can also have ldap_users
  # for radtest to work (IMHO it should be like this)
}

And in authenticate:

authenticate {
  # Most people want CHAP authentication
  # A back-end database listed in the 'authorize' section
  # MUST supply a CLEAR TEXT password. Encrypted passwords
  # won't work.
  Auth-Type CHAP {
    chap
    ldap_users
  }
}

As it says in the authenticate section - passwords in LDAP should be in clear text...

Try this out. I cannot promise you that it will work, but it is the same way I have set up my POPTOP server with MS-CHAP, and it works..

I would also appreciate some guru to take a look at this and publish his opinion about this on this list ;)

Kind regards,
Edvin
Best Regards, Seferovic Edvin wrote: Hello, I must admit, I have been reading this thread, but I still do not understand what Christophe is trying to accomplish. As far as I understand - you have your passwords in LDAP, and you only ( kind of ) need to authorize but NOT authenticate users that are in your LDAP directory.. Please correct me... Regards, Edvin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christophe Gravier Sent: Donnerstag, 15. Dezember 2005 16:05 To: FreeRadius users mailing list Subject: Re: Freeradius and LDAP : to be continued Phil Mayers wrote: Alan DeKok wrote: [EMAIL PROTECTED] wrote: rlm_ldap: Adding userPassword as User-Password, value { op
Re: Freeradius and LDAP : to be continued
rather confusing. I have to admit, I have never used chillispot, but I've just visited their website and in the FAQ I found "Why should I use CHAP-Challenge and CHAP-Password?", so this makes me think that Chillispot uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as authorisation, but as a password storage. Okay - great.. what now?

You can set up chillispot to use PAP too. See the documentation about uamsecret.

-- damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!
Re: Freeradius and LDAP : to be continued
Seferovic Edvin wrote:
Hi, rather confusing. I have to admit, I have never used chillispot, but I've just visited their website and in the FAQ I found "Why should I use CHAP-Challenge and CHAP-Password?", so this makes me think that Chillispot uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as authorisation, but as a password storage. Okay - great.. what now?

This is a really good summary of the situation ;-)

When you look at your radiusd.conf file there is a part where you can define your LDAP server etc..

  ldap ldap_users {
    server = 81.xx
    # identity = cn=admin,o=My Org,c=UA
    # password = mypass
    basedn = ou=People,dc=xxx,dc=xx
    filter = (&(objectClass=posixAccount)(uid=%u))
    start_tls = no
    ..
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 10
    # password_header = {clear}
    password_attribute = userPassword
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # access_attr_used_for_allow = yes
  }

I hope you have that right (this is only a part of my working config).

I have:

  ldap {
    server = my.server.name.here
    basedn = ou=person,o=istase,c=fr
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    start_tls = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
  }

I think this shall be rather good since I can see it searching in the ldap log if I launch slapd in debug mode. (nentries = 1: OK, it finds my userPassword using this filter - my filter seems different from yours). Also, the User-Password to userPassword mapping is done in ldap.attrmap in my case.

Next, what Alan said is to change the authorisation part. As I said - chillispot apparently wants CHAP, so in the following section use CHAP:

  authorize {
    # The chap module will set 'Auth-Type := CHAP' if we are
    # handling a CHAP request and Auth-Type has not already been set
    chap
    # here you can also have
    ldap_users
    # for radtest to work (IMHO it should be like this)
  }

And in

  authenticate {
    # Most people want CHAP authentication
    # A back-end database listed in the 'authorize' section
    # MUST supply a CLEAR TEXT password. Encrypted passwords
    # won't work.
    Auth-Type CHAP {
      chap
      ldap_users
    }
  }

As it says in the authenticate section - passwords in LDAP should be in clear text...

My passwords are not stored in LDAP in clear text but hashed using the SHA algorithm, so this won't work ;-(

Try this out. I cannot promise you that it will work, but it is the same way I have set up my POPTOP server with MS-CHAP, and it works..

I would also appreciate some guru to take a look at this and publish his opinion about this on this list ;)

Kind regards,
Edvin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christophe Gravier
Sent: Thursday, 15 December 2005 16:41
To: FreeRadius users mailing list
Subject: Re: Freeradius and LDAP : to be continued

Hello Edvin,

First, I received my email posted to the list several times in my mail client. I highly hope this is not the case for all of you! (if it is, thunderbird didn't like to switch from the testing wireless network back to cable and vice versa, since they're all dated to the same hour) If you received only one mail, it is OK, just forget what I told ;-)

For what I am trying to do: I have an existing LDAP directory with all users being able to connect to the wireless area. The hotspot architecture is: client - chillispot (login page served with apache2 + ssl) - freeradius - ldap. I just want my ldap users to be able to connect to the hotspot.

So, *at first*, I edited the conf file to let users be authenticated via LDAP. This way, radtest was just OK but not ChilliSpot. When I reported it to the list, asking how radtest is different from chillispot login, Alan explained to me:

You're using LDAP as an authentication server. Don't do that. Use LDAP to store passwords. i.e. remove the ldap entry from the authenticate section. Get radtest to work. Once that works, Chillispot will work, too.

So I removed ldap from authenticate (I left it in the authorize section though). But it still doesn't solve the problem. In the end, Alan proposed to hack rlm_ldap.c to have it *never* set Auth-Type to LDAP. That would solve a lot of problems. I just find it dirty to hack the radius then recompile to get
Re: Freeradius and LDAP : to be continued
Hello

I have a chillispot that works with OpenLDAP on a Debian box. Here are the modifications in radiusd.conf I wrote:

  # Lightweight Directory Access Protocol (LDAP)
  #
  # This module definition allows you to use LDAP for
  # authorization and authentication (Auth-Type := LDAP)
  #
  # See doc/rlm_ldap for description of configuration options
  # and sample authorize{} and authenticate{} blocks
  ldap {
    server = your.ldap.server
    basedn = ou=Person,dc=domain,dc=
    #filter = (posixAccount)(uid=%u))
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    # base_filter = (objectclass=radiusprofile)
    access_attr = uid
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5

hope this helps

-- Regards
Frank Bonnet
Re: Freeradius and LDAP : to be continued
Frank Bonnet wrote:
Hello I have a chillispot that works with OpenLDAP on a Debian box

Strictly the same thing I want to achieve indeed! ;-) How are your passwords stored in your LDAP? (clear? hash form?) Moreover, except for this configuration of the ldap remote server, what did you put in the authorize and authenticate sections? What did you put in ldap.attrmap, only the mapping of the user password? I must admit I am losing my common sense here :-)

here are the modifications in radiusd.conf I wrote

  # Lightweight Directory Access Protocol (LDAP)
  #
  # This module definition allows you to use LDAP for
  # authorization and authentication (Auth-Type := LDAP)
  #
  # See doc/rlm_ldap for description of configuration options
  # and sample authorize{} and authenticate{} blocks
  ldap {
    server = your.ldap.server
    basedn = ou=Person,dc=domain,dc=
    #filter = (posixAccount)(uid=%u))
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    # base_filter = (objectclass=radiusprofile)
    access_attr = uid
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5

hope this helps

--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
To ponder: http://www.fsffrance.org/news/article2005-11-25.fr.html
Re: Freeradius and LDAP : to be continued
Christophe Gravier wrote:
My passwords are not stored in LDAP in clear text but hashed using the SHA algorithm, so this won't work ;-(

Ok, let's take a breath. First things first: if your passwords are in SHA (which they are) your Radius server will ONLY be able to answer PAP requests.

The very first log you sent in this thread indicates you have ChilliSpot set to use CHAP:

  rlm_ldap: - authenticate
  rlm_ldap: Attribute User-Password is required for authentication. Cannot use CHAP-Password.
  modcall[authenticate]: module ldap returns invalid for request 0
  modcall: group Auth-Type returns invalid for request 0
  auth: Failed to validate the user.

"Cannot use CHAP-Password" - indicates the request (from ChilliSpot) came in with CHAP credentials. First, fix that. See here: http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html

Next, since you have SHA passwords and can only answer PAP, you have two choices:

1. Extract the SHA password and add it to the config items, then configure the Radius server's PAP module to check it:

  modules {
    pap {
      encryption_scheme = sha1
    }
    ldap {
      # settings go here
    }
  }
  authorize {
    preprocess
    ldap
  }
  authenticate {
    Auth-Type PAP {
      pap
    }
  }

HOWEVER - this may not work. The SHA that your LDAP server uses may be slightly different (salting, keying) than the SHA FreeRadius uses.

Much more likely to trip you up though, is when ldap matches in authorize, it will set Auth-Type = LDAP, so you either need to disable that or otherwise make it work, and there are about 6 different ways of doing that. The most obvious would be to replace the above with:

  modules { as before }
  authorize { as before }
  authenticate {
    Auth-Type LDAP {
      pap
    }
  }

But it might not work. Alternatively and probably simpler (but less formally correct) is the 2nd method:

2. Configure the LDAP module to find the user, set Auth-Type == LDAP, then authenticate the user via simple bind:

  authorize {
    preprocess
    ldap
  }
  authenticate {
    Auth-Type LDAP {
      ldap
    }
  }

...and assuming the ldap module is set up correctly, what will happen is:

A. authorize called
   1. preprocess called
   2. suffix realm called - no-op probably
   3. files called - no-op probably but DO NOT SET Auth-Type
   4. ldap called - search succeeds, and Ldap-UserDN is set, and Auth-Type set to LDAP
B. authenticate called
   1. Auth-Type == LDAP, so ldap called and simple bind performed

And it WILL WORK.
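Added illustration, not code from the thread or from FreeRADIUS: a small Python model of the check Phil describes, showing why method 1 can verify a PAP password against a {SHA} or {SSHA} userPassword (the server recomputes the hash) while a CHAP request against the same entry can only return "invalid", the "Cannot use CHAP-Password" case above. The password, salt and CHAP challenge are constructed sample values; the "ok"/"reject"/"invalid" strings mirror the module return codes in the debug logs.

```python
"""Model of PAP vs. CHAP verification against an OpenLDAP-style userPassword.

Constructed example for the thread above; it is not rlm_pap or rlm_ldap code.
"""
import base64
import hashlib
import os


def make_userpassword(password: str, scheme: str = "SSHA", salt: bytes = b"") -> str:
    """Build a userPassword value the way OpenLDAP stores it: {SHA}, {SSHA} or {CLEARTEXT}.

    {SHA}  is base64(sha1(password)).
    {SSHA} is base64(sha1(password + salt) + salt); the salt is appended to the digest.
    """
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "CLEARTEXT":
        return "{CLEARTEXT}" + password
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "SSHA":
        salt = salt or os.urandom(4)  # constructed salt; OpenLDAP uses a random one
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError("unsupported scheme " + scheme)


def parse_userpassword(value: str):
    """Split '{SCHEME}payload' into (scheme, raw bytes). A bare value is cleartext."""
    if not value.startswith("{") or "}" not in value:
        return "CLEARTEXT", value.encode("utf-8")
    end = value.index("}")
    scheme = value[1:end].upper()
    rest = value[end + 1:]
    if scheme == "CLEARTEXT":
        return scheme, rest.encode("utf-8")
    return scheme, base64.b64decode(rest)


def pap_check(stored: str, candidate: str) -> str:
    """PAP: the NAS sends the password itself, so any hash form can be recomputed.

    This is what 'Auth-Type PAP { pap }' with encryption_scheme = sha1 relies on.
    Returns 'ok', 'reject', or 'invalid' for a scheme the server cannot handle
    (Phil's caveat that the directory's SHA variant may differ from the server's).
    """
    scheme, payload = parse_userpassword(stored)
    pw = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return "ok" if payload == pw else "reject"
    if scheme == "SHA":
        return "ok" if hashlib.sha1(pw).digest() == payload else "reject"
    if scheme == "SSHA":
        digest, salt = payload[:20], payload[20:]  # SHA-1 digest is 20 bytes; salt follows
        return "ok" if hashlib.sha1(pw + salt).digest() == digest else "reject"
    return "invalid"


def chap_response(ident: int, cleartext: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + cleartext.encode("utf-8") + challenge).digest()


def chap_check(stored: str, ident: int, challenge: bytes, response: bytes) -> str:
    """CHAP: only an MD5 over the cleartext arrives, so the server needs the cleartext too.

    With a hashed userPassword there is nothing to feed into the MD5, which is the
    'Attribute User-Password is required ... Cannot use CHAP-Password' failure.
    """
    scheme, payload = parse_userpassword(stored)
    if scheme != "CLEARTEXT":
        return "invalid"
    expected = chap_response(ident, payload.decode("utf-8"), challenge)
    return "ok" if expected == response else "reject"


if __name__ == "__main__":
    # Constructed sample credential and CHAP exchange.
    password = "s3cret-wifi"
    hashed = make_userpassword(password, "SSHA", salt=b"abcd")
    challenge = b"\x01\x02\x03\x04\x05\x06\x07\x08"
    response = chap_response(7, password, challenge)
    print("stored:", hashed)
    print("PAP against SSHA :", pap_check(hashed, password))
    print("CHAP against SSHA:", chap_check(hashed, 7, challenge, response))
    print("CHAP against clear:", chap_check(password, 7, challenge, response))
```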
Re: Freeradius and LDAP : to be continued
Christophe Gravier wrote:
My passwords are not stored in LDAP in clear text but hashed using the SHA algorithm, so this won't work ;-(

Ok, let's take a breath.

Yes, I agree, that's why I quit for today ;-)

First things first: If your passwords are in SHA (which they are) your Radius server will ONLY be able to answer PAP requests.

H... that explains why I'll never make it with CHAP. I thought it would be able to get the plain text password, then use SHA to match it against ldap... But it seems PAP is required to do that (regarding your method 1.)

The very first log you sent in this thread indicates you have ChilliSpot set to use CHAP:

  rlm_ldap: - authenticate
  rlm_ldap: Attribute User-Password is required for authentication. Cannot use CHAP-Password.
  modcall[authenticate]: module ldap returns invalid for request 0
  modcall: group Auth-Type returns invalid for request 0
  auth: Failed to validate the user.

"Cannot use CHAP-Password" - indicates the request (from ChilliSpot) came in with CHAP credentials. First, fix that. See here: http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html

First thing I'll do when back at work.

Next, since you have SHA passwords and can only answer PAP, you have two choices:

1. Extract the SHA password and add it to the config items, then configure the Radius server's PAP module to check it:

  modules {
    pap {
      encryption_scheme = sha1
    }
    ldap {
      # settings go here
    }
  }
  authorize {
    preprocess
    ldap
  }
  authenticate {
    Auth-Type PAP {
      pap
    }
  }

HOWEVER - this may not work. The SHA that your LDAP server uses may be slightly different (salting, keying) than the SHA FreeRadius uses.

Much more likely to trip you up though, is when ldap matches in authorize, it will set Auth-Type = LDAP, so you either need to disable that or otherwise make it work, and there are about 6 different ways of doing that. The most obvious would be to replace the above with:

  modules { as before }
  authorize { as before }
  authenticate {
    Auth-Type LDAP {
      pap
    }
  }

But it might not work. Alternatively and probably simpler (but less formally correct) is the 2nd method:

2. Configure the LDAP module to find the user, set Auth-Type == LDAP, then authenticate the user via simple bind:

  authorize {
    preprocess
    ldap
  }
  authenticate {
    Auth-Type LDAP {
      ldap
    }
  }

...and assuming the ldap module is set up correctly, what will happen is:

A. authorize called
   1. preprocess called
   2. suffix realm called - no-op probably
   3. files called - no-op probably but DO NOT SET Auth-Type
   4. ldap called - search succeeds, and Ldap-UserDN is set, and Auth-Type set to LDAP
B. authenticate called
   1. Auth-Type == LDAP, so ldap called and simple bind performed

And it WILL WORK.

Thank you a lot, things are getting a little clearer now. I will try these settings tomorrow morning, method 1 first and then method 2. I am really thankful for the quality of your answer and the time you spent to write it down.

Cheers,
Christophe.
Re: Freeradius and LDAP : to be continued
Phil Mayers [EMAIL PROTECTED] wrote:
Ok, let's take a breath. First things first: ...

Could this be a Wiki page?

Alan DeKok.
Re: Freeradius and LDAP : to be continued
Christophe Gravier [EMAIL PROTECTED] wrote:

  auth: type LDAP
  Processing the authenticate section of radiusd.conf
  modcall: entering group Auth-Type for request 0
  rlm_ldap: - authenticate
  rlm_ldap: Attribute User-Password is required for authentication. Cannot use CHAP-Password.

You're using LDAP as an authentication server. Don't do that. Use LDAP to store passwords. i.e. remove the ldap entry from the authenticate section. Get radtest to work. Once that works, Chillispot will work, too.

Alan DeKok.
Re: Freeradius and LDAP : to be continued
Alan DeKok wrote:
Christophe Gravier [EMAIL PROTECTED] wrote:

  auth: type LDAP
  Processing the authenticate section of radiusd.conf
  modcall: entering group Auth-Type for request 0
  rlm_ldap: - authenticate
  rlm_ldap: Attribute User-Password is required for authentication. Cannot use CHAP-Password.

You're using LDAP as an authentication server. Don't do that. Use LDAP to store passwords. i.e. remove the ldap entry from the authenticate section. Get radtest to work. Once that works, Chillispot will work, too.

Alan DeKok.

That makes sense indeed. Removing the ldap entry, radtest no longer works of course. But as you already said there: http://lists.cistron.nl/pipermail/freeradius-users/2004-October/037625.html and there: http://lists.cistron.nl/pipermail/freeradius-users/2004-September/036629.html :

List ldap in the authorize section. It's already there, just un-comment it. And DON'T set Auth-Type := LDAP.

So I did:

  # The ldap module will set Auth-Type to LDAP if it has not
  # already been set
  ldap

and commented out "set Auth-Type := LDAP". But it's just not working! The interesting part of the trace:

  [...]
  rlm_ldap: attempting LDAP reconnection
  rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
  rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
  rlm_ldap: waiting for bind result ...
  rlm_ldap: Bind was successful
  rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
  rlm_ldap: looking for check items in directory...
  rlm_ldap: looking for reply items in directory...
  rlm_ldap: user gravier.christophe authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
  rlm_realm: No '@' in User-Name = gravier.christophe, looking up realm NULL
  rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
  users: Matched entry DEFAULT at line 153
  users: Matched entry DEFAULT at line 157
  modcall[authorize]: module files returns ok for request 0
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for gravier.christophe
  radius_xlat: '(uid=gravier.christophe)'
  radius_xlat: 'ou=person,o=istase,c=fr'
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
  rlm_ldap: looking for check items in directory...
  rlm_ldap: looking for reply items in directory...
  rlm_ldap: user gravier.christophe authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
  modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type LDAP
  auth: type LDAP
  ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
  auth: Failed to validate the user.
  Delaying request 0 for 1 seconds
  Finished request 0
  [...]

--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
To ponder: http://www.fsffrance.org/news/article2005-11-25.fr.html
Re: Freeradius and LDAP : to be continued
Christophe Gravier [EMAIL PROTECTED] wrote:
Removing the ldap entry, radtest no longer works of course.

Did you put ldap in the authorize section? That would allow radtest to work, as I said.

  rlm_ldap: looking for check items in directory...

Can you say which LDAP server you're using? It is NOT returning the User-Password attribute.

My previous message said that the goal was for the ldap module to return the password in the authorize section. Make that work. radtest will work, and then everything else will work.

Alan DeKok.
Re: Freeradius and LDAP : to be continued
Christophe Gravier [EMAIL PROTECTED] wrote:
Removing the ldap entry, radtest no longer works of course.

Did you put ldap in the authorize section? That would allow radtest to work, as I said.

Yes, I did like we said:
- did put ldap (it was already there indeed) in the authorize section.
- did remove ldap from authenticate (since ldap will only be a password storage).

  rlm_ldap: looking for check items in directory...

Can you say which LDAP server you're using?

  ist-guizay:/root# /usr/sbin/slapd -V
  @(#) $OpenLDAP: slapd 2.2.26 (Oct 31 2005 09:10:53) $

This is the slapd package on the current debian testing tree. This is a v3 openldap server, if I am right. If I make slapd log things and then observe, I've got on a freeradius request:

  Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 fd=10 ACCEPT from IP=161.3.50.125:1490 (IP=0.0.0.0:389)
  Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 BIND dn= method=128
  Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 RESULT tag=97 err=0 text=
  Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH base=ou=person,o=istase,c=fr scope=2 deref=0 filter=(uid=gravier.christophe)
  Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH attr=radiusExpiration acctFlags ntPassword lmPassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse eap userPassword radiusCheckItem radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem userPassword
  Dec 14 21:50:47 ist-guizay slapd[31741]: = bdb_equality_candidates: (uid) index_param failed (18)
  Dec 14 21:50:47 ist-guizay slapd[31741]: conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

Whaou.. person doesn't have all those attributes on my schema. (note that this search got a result: nentries = 1 !) I edited /etc/freeradius/ldap.attr, so that now the trace is a little more correct:

  Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH base=ou=person,o=istase,c=fr scope=2 deref=0 filter=(uid=gravier.christophe)
  Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH attr=userPassword
  Dec 14 21:55:27 ist-guizay slapd[31741]: = bdb_equality_candidates: (uid) index_param failed (18)
  Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

(please ignore the bdb_equality_candidates). I thought this had to do with the policy regarding access to the userPassword field, so I gave full rights for a test via slapd.access.con: still not good. (that sounds ok since if it was a read/write/search/auth problem, I would have seen it in the slapd logging). I think it is OK with ldap because nentries = 1 for the search (it finds me). The problem should be for freeradius to use that password to match it against the one given by the user.

For authorize and authenticate I have:

  authorize {
    preprocess
    chap
    mschap
    suffix
    files
    ldap
  }
  authenticate {
    Auth-Type PAP {
      pap
    }
    unix
    eap
  }

As I said, I think this is freeradius related since openldap logs that it finds the userPassword for the given user and scope. But I can't set freeradius in a more verbose mode to understand the problem. I still receive:

  (...)
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for gravier.christophe
  radius_xlat: '(uid=gravier.christophe)'
  radius_xlat: 'ou=person,o=istase,c=fr'
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: attempting LDAP reconnection
  rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
  rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
  rlm_ldap: waiting for bind result ...
  rlm_ldap: Bind was successful
  rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
  rlm_ldap: looking for check items in directory...
  rlm_ldap: looking for reply items in directory...
  rlm_ldap: Adding userPassword as User-Password, value { op=11
  rlm_ldap: user gravier.christophe authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
  modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type LDAP
  auth: type LDAP
  ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
  auth: Failed to validate the user.

when running /usr/sbin/freeradius -X -f

It is NOT returning the User-Password attribute. My previous message said that the goal was for the ldap module to return the password in the authorize section. Make that work. radtest will work, and then everything else will
Re: freeradius 1.0.4 ldap compilation
On 4 Jul 05 at 17:54, Alan DeKok wrote:
Marc-Henri Boisis-delavaud [EMAIL PROTECTED] wrote:
/opt/freeradius/distrib.freeradius-1.0.4/src/modules/rlm_ldap/rlm_ldap.c:2181: undefined reference to `ldap_unbind_s'

Hmm... it looks like your version of OpenLDAP doesn't have the functions needed by FreeRADIUS. Or, the LDAP libraries aren't being found at compile-time.

Alan DeKok.

Do you recommend openldap 2.2.26 or 2.3.4, and with what options?

Marc
Re: freeradius 1.0.4 ldap compilation
Marc-Henri Boisis-Delavaud [EMAIL PROTECTED] wrote:
And what is the version of openldap recommended by freeradius?

Most versions should work. My guess is that the LDAP libraries are in a non-standard place, where your linker can't find them.

Alan DeKok.
Re: freeradius 1.0.4 ldap compilation
Marc-Henri Boisis-delavaud [EMAIL PROTECTED] wrote:
/opt/freeradius/distrib.freeradius-1.0.4/src/modules/rlm_ldap/rlm_ldap.c:2181: undefined reference to `ldap_unbind_s'

Hmm... it looks like your version of OpenLDAP doesn't have the functions needed by FreeRADIUS. Or, the LDAP libraries aren't being found at compile-time.

Alan DeKok.
Re: freeradius 1.0.4 ldap compilation
Alan DeKok wrote:
Marc-Henri Boisis-delavaud [EMAIL PROTECTED] wrote:
/opt/freeradius/distrib.freeradius-1.0.4/src/modules/rlm_ldap/rlm_ldap.c:2181: undefined reference to `ldap_unbind_s'

Hmm... it looks like your version of OpenLDAP doesn't have the functions needed by FreeRADIUS. Or, the LDAP libraries aren't being found at compile-time.

Alan DeKok.

And what is the version of openldap recommended by freeradius?
Re: freeradius and LDAP-V2
Frank Bonnet wrote:
I am setting up a chillispot server to manage our future WiFi network and I wonder if the schemas given with the latest freeradius distribution, as they are marked for LDAP-v3, are OK for LDAP-v2? We actually use LDAP v2 (openldap 2.0.27) as our centralized auth system and we do not plan to upgrade to v3 for several months.

Yes. OpenLDAP 2.x supports the LDAPv3 specification.

Vladimir
Re: freeradius and LDAP-V2
On Thursday 21 April 2005 07:53, Frank Bonnet wrote:
Hello, I'm new to the list :-) I am setting up a chillispot server to manage our future WiFi network and I wonder if the schemas given with the latest freeradius distribution, as they are marked for LDAP-v3, are OK for LDAP-v2? We actually use LDAP v2 (openldap 2.0.27) as our centralized auth system and we do not plan to upgrade to v3 for several months. Any info, tricks welcome, thanks a lot.

Remember to still have support for LDAPv2 in OpenLDAP 2.1+; many apps do not support it.
Re: freeradius and LDAP
Thomas Simmons wrote:
passwords must be encrypted even when sent inside our LAN. I would like to use mschap v2, but it seems that it will not work with LDAP, is this correct? If I cannot use mschap v2, is there another way to encrypt the passwords or use some sort of challenge authentication?

You can use mschapv2 if you have NT hash passwords (in the sambaNTPassword attribute).

--
--beast
Re: freeradius and LDAP
Thomas Simmons [EMAIL PROTECTED] wrote:
When using PAP, the password is sent in clear text.

Sent in what protocol? RADIUS does no such thing.

The password is sent through the VPN to the firewall, so it's never exposed to the internet but passwords must be encrypted even when sent inside our LAN.

RADIUS does that.

Alan DeKok.
Re: FreeRadius with LDAP
dbx is your friend... But check to see that the ldap module actually built... unless you've got things installed in the default places, it can take a little work to get the ldap module to compile on Solaris...

José Berenguer wrote:
Hello! We are trying to authenticate the last version of freeradius (1.0.1) in Solaris 9 against LDAP and we are always getting the same error when we try to start radius with the command: /usr/local/sbin/radiusd -S -X

You can view the radiusd.conf and users files, and the error we get is this:

  Module: Loaded exec
  exec: wait = yes
  exec: program = (null)
  exec: input_pairs = request
  exec: output_pairs = (null)
  exec: packet_type = (null)
  rlm_exec: Wait=yes but no output defined. Did you mean output=none?
  Module: Instantiated exec (exec)
  Module: Loaded expr
  Module: Instantiated expr (expr)
  Module: Loaded PAP
  pap: encryption_scheme = crypt
  Module: Instantiated pap (pap)
  Module: Loaded CHAP
  Module: Instantiated chap (chap)
  Segmentation Fault

Anyone can help us? Thanks very much!
RE: FreeRadius with LDAP
Rlm_ldap needs some openldap libraries to compile well on solaris. One solution is to install OpenLDAP even if you use Sun LDAP. This way the module will compile.

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Mitchell
Sent: Friday 18 February 2005 13:30
To: freeradius-users@lists.freeradius.org
Subject: Re: FreeRadius with LDAP

dbx is your friend... But check to see that the ldap module actually built... unless you've got things installed in the default places, it can take a little work to get the ldap module to compile on Solaris...

José Berenguer wrote:
Hello! We are trying to authenticate the last version of freeradius (1.0.1) in Solaris 9 against LDAP and we are always getting the same error when we try to start radius with the command: /usr/local/sbin/radiusd -S -X

You can view the radiusd.conf and users files, and the error we get is this:

  Module: Loaded exec
  exec: wait = yes
  exec: program = (null)
  exec: input_pairs = request
  exec: output_pairs = (null)
  exec: packet_type = (null)
  rlm_exec: Wait=yes but no output defined. Did you mean output=none?
  Module: Instantiated exec (exec)
  Module: Loaded expr
  Module: Instantiated expr (expr)
  Module: Loaded PAP
  pap: encryption_scheme = crypt
  Module: Instantiated pap (pap)
  Module: Loaded CHAP
  Module: Instantiated chap (chap)
  Segmentation Fault

Anyone can help us? Thanks very much!
Re: Freeradius and LDAP
On Fri, 18 Feb 2005, E L wrote:
I'm new to LDAP and Freeradius. I'm trying to find out if there is a way to configure Freeradius to get information from the LDAP database and assign it to one of the radius attributes (like Framed-IP-Address and Framed-IP-Netmask) for uids that have any of that information in the LDAP database. Thanks for any help. Cris

ldap.attrmap maps ldap attributes to radius attributes. Say you have Framed-IP-Address in ldap as radiusFramedIPAddress. Then in ldap.attrmap, you would need a line that says

  replyItem Framed-IP-Address radiusFramedIPAddress

That tells freeradius to pull the radiusFramedIPAddress from the directory and add it as a reply item of Framed-IP-Address. Read doc/ldap-howto.txt
Re: Freeradius and LDAP
You may want to read http://www.linuxchange.com/opendocs/howto/authentication/radius/index.es.html however it's in Spanish

LD
Re: Freeradius and LDAP
Thanks Dustin. I'll give it a try. Thanks to Luis too, but unfortunately I don't speak Spanish.

Cris
Re: FreeRadius + AD/LDAP + basedn
On Thu, 7 Oct 2004, Michael Benton wrote:
> Hello,
>
> FreeRadius 1.0.1
> Linux RHES3.1
>
> Does anyone know how to configure the FreeRadius server to do an LDAP query on a Win2003 AD server, and to look at the whole AD tree? We have, for some unknown reason, multiple OUs with users in each, rather than one OU in which all users are configured. If I set the basedn to a particular OU, I can authenticate users OK, but when I set it back to the top level dc=ukcl,dc=net the auth fails with user unknown?
>
> I have used an LDAP browser to do a search from the same basedn=dc=ukcl,dc=net, with the subtree option active, and it finds the users OK. How do you specify the subtree option in the radiusd.conf file? Do I have to include ou=* as below? Any hints would be greatly appreciated.
>
>   ldap {
>     server = hqdc1.ukcl.net
>     identity = cn=freeradius,ou=Administrators,dc=ukcl,dc=net
>     password = pExF%5Yf
>     basedn = dc=ukcl,dc=net
>     filter = ((ou=*)(objectClass=person)(samaccountname=%{User-Name}))
>     .
>   }
>
> I do not have OpenLDAP installed on my linux box. Do I need this installed, even though I am directing queries to the Win2003 server directly?

Take a look at Global Catalog, see the list archives for details.

> Thanks
> Michael Benton

--
Kostas Kalevras
Network Operations Center [EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
RE: freeradius+poptop+LDAP+Samba
Ok Thor, I got a different email address cuz myway stinks.

How do I verify my version of ppp, the rpm from poptop's page, has radius plugin?
Re: freeradius+poptop+LDAP+Samba
Because the radiusclient wasn't compiled in. Grrr.

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65

----- Original Message -----
From: John H.
To: [EMAIL PROTECTED]
Sent: Friday, August 27, 2004 7:45 AM
Subject: Re: freeradius+poptop+LDAP+Samba

> And can you tell me why I have no radiusclient dir?
>
> --- On Fri 08/27, Thor Spruyt [EMAIL PROTECTED] wrote:
>> From: Thor Spruyt [mailto: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Date: Fri, 27 Aug 2004 07:37:35 +0200
>> Subject: Re: freeradius+poptop+LDAP+Samba
>>
>> I didn't give you a walkthrough for exactly what you want to do, of course. You stated that the problem was setting up pppd to use radius and the info below should help you with that!
>>
>> PS: Please send plain-text mail next time.
>>
>> ----- Original Message -----
>> From: John H.
>> To: [EMAIL PROTECTED] ; [EMAIL PROTECTED]
>> Sent: Thursday, August 26, 2004 10:48 PM
>> Subject: Re: freeradius+poptop+LDAP+Samba
>>
>>> ok, i don't think this is correct for my configuration. I do not want to use mysql, I want to use LDAP for auth, which freeradius is set up to use, and is working correctly with.
>>>
>>> --- On Thu 08/26, Thor Spruyt [EMAIL PROTECTED] wrote:
>>>> From: Thor Spruyt [mailto: [EMAIL PROTECTED]
>>>> To: [EMAIL PROTECTED]
>>>> Date: Thu, 26 Aug 2004 20:11:56 +0200
>>>> Subject: Re: freeradius+poptop+LDAP+Samba
>>>>
>>>> John H. wrote:
>>>>> Sorry, the poptop mailing list is completely worthless...
>>>>
>>>> http://poptop.sourceforge.net/dox/radius_mysql.html
>>>>
>>>> The radius.so plugin uses the settings from radiusclient, so make sure:
>>>>
>>>> /etc/radiusclient/servers contains the secret for your radius server(s). Like:
>>>>
>>>>   localhost testing123
>>>>
>>>> if the radius is on localhost using the default freeradius secret (bad idea of course...).
>>>>
>>>> I think you must have the dictionary.microsoft file in /etc/radiusclient if you use ms-chap 1 or 2. It should be there by default.
>>>>
>>>> Set authserver and acctserver in /etc/radiusclient/radiusclient.conf if your radius server is not on the same machine as your poptop. This file sure makes splitting authentication and accounting between two radius servers very easy. Make sure both servers (if different) are listed in /etc/radiusclient/servers.
Re: freeradius+poptop+LDAP+Samba
John H. wrote:
> Ok Thor, I got a different email address cuz myway stinks.

Hey nice :)

> How do I verify my version of ppp, the rpm from poptop's page, has radius plugin?

  find / -name radiusclient

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65
Re: freeradius+poptop+LDAP+Samba
radiusclient dir not found. I don't understand why, though, I used the ppp straight from poptop's website.

--- Thor Spruyt [EMAIL PROTECTED] wrote:
> John H. wrote:
>> Ok Thor, I got a different email address cuz myway stinks.
>
> Hey nice :)
>
>> How do I verify my version of ppp, the rpm from poptop's page, has radius plugin?
>
>   find / -name radiusclient
Re: freeradius+poptop+LDAP+Samba
sorry, ppp-2.4.3-0.cvs_20040527.1.src.rpm

./configure --help doesn't give me anything that would compile the radius plugin, even though the source has the radius plugin dir?

--- Thor Spruyt [EMAIL PROTECTED] wrote:
> Because the radiusclient wasn't compiled in. Grrr.
>
> --
> Regards,
> Thor Spruyt
> E: [EMAIL PROTECTED]
> W: www.thor-spruyt.com
> M: +32 (0)475 67 22 65