Re: FreeRadius error LDAP Authentication

2013-07-19 Thread Peter Lambrechtsen
You shouldn't have quotes around your username or domain. You should use

identity = cn=user,ou=people,dc=domain,dc=it
On 19/07/2013 7:05 PM, Marco Aresu marcoar...@gmail.com wrote:

 Hi All,
 I am new to FreeRadius. I am moving from Cisco ACS Tacacs to
 FreeRadius. During LDAP configuration I am getting the following error :

   [ldap] bind as cn=User,ou=people,dc=domain,dc=it/Password to
 ldapserver:636
   [ldap] waiting for bind result ...
   [ldap] cn=user,ou=people,dc=domain,dc=it bind to ldapServer:636
 failed No such object
   [ldap] (re)connection attempt failed

 Any idea about the error?

 Below is the ldap configuration

 server = ldapserver
 port = 636
 identity = cn=user,ou=people,dc=domain,dc=it
 password = password
 basedn = dc=domain,dc=it
 filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 base_filter = (objectclass=groupofuniquenames)


 Thanks

 Marco Aresu


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
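As an added example, not code from the thread, here is a small Python check of the kind that would have caught the mistake Peter points at: it parses rlm_ldap style `key = value` settings, then validates the bind `identity` so that the DN carries no quote characters and every RDN has the form `attribute=value`. The sample settings are constructed to reproduce the quoted username and domain; `parse_settings`, `split_dn`, `strip_quotes` and `check_bind_dn` are my names, not FreeRADIUS ones.

```python
import re

# Constructed sample modelled on Marco's module settings, with the quoted
# username and domain that make the bind DN unresolvable on the server.
SAMPLE_CONFIG = """
server = ldapserver
port = 636
identity = "cn=user",ou=people,"dc=domain",dc=it
password = password
basedn = dc=domain,dc=it
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
base_filter = (objectclass=groupofuniquenames)
"""

# An RDN is attributeType=value; only the presence of a value is checked.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=.+$")


def parse_settings(text):
    """Parse 'key = value' lines into a dict, splitting on the first '='
    so filters containing '=' keep their right-hand side intact."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def split_dn(dn):
    """Split a DN on unescaped commas, keeping RFC 4514 backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf).strip())
    return parts


def strip_quotes(dn):
    """Remove the quote characters that must not appear inside the DN."""
    return dn.replace('"', "").replace("'", "")


def check_bind_dn(dn):
    """Return a list of findings for a bind DN; an empty list means it looks sane."""
    findings = []
    if '"' in dn or "'" in dn:
        findings.append("identity contains quote characters; write the DN "
                        "unquoted, e.g. " + strip_quotes(dn))
    # Validate the RDN structure of the de-quoted form so one mistake
    # produces one finding rather than a cascade.
    for rdn in split_dn(strip_quotes(dn)):
        if not RDN_RE.match(rdn):
            findings.append("malformed RDN %r: expected attribute=value" % rdn)
    return findings


if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_CONFIG)
    for finding in check_bind_dn(cfg["identity"]):
        print("identity:", finding)
```

The bind failure in the log, "No such object", is LDAP result code 32 (noSuchObject): the server could not find an entry with the DN it was given. A wrong password would instead produce invalidCredentials (code 49), so this error points at the DN text, not at the credential.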

Re: Re: Freeradius 3 LDAP Generic Attributes

2013-04-12 Thread Nicholas Lemberger
The ldap.attrmap syntax in FR2 was:
checkItem   $GENERIC$   radiusCheckItem
replyItem   $GENERIC$   radiusReplyItem

Basically the ldap attributes radiusCheckItem & radiusReplyItem
contained FR attr/value pairs which were then added to the
corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could
be Primary-DNS-Server := 1.1.1.1).

They wouldn't necessarily need to be distinct check/reply attributes
in the new rlm_ldap...  it could work more like unlang where an LDAP
attribute value could be control:Disabled := true, and where if the
list: portion is omitted it would default to reply.  No matter how
this happens, there's probably going to need to be a special case
syntax made in the rlm_ldap attribute mapping...

Best Regards,
-Nick
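As an added example, not code from the thread or from rlm_ldap, a Python parser for the attribute values Nick describes: `attr op value` pairs stored in radiusCheckItem and radiusReplyItem, and the unlang-like `list:attr op value` form where a missing `list:` prefix defaults to reply. It goes a little beyond the two values in the post by accepting the full set of FreeRADIUS operators and quoted values. The sample entry is constructed, and `radiusGenericItem` is a hypothetical attribute name standing in for a single generic attribute.

```python
import re
from collections import defaultdict

# Operators accepted in FreeRADIUS attribute/value pairs; the two-character
# ones come first so the regex alternation does not stop at a bare '='.
OPERATORS = (":=", "==", "+=", "!=", ">=", "<=", "=~", "!~", "=*", "!*", "=")

ITEM_RE = re.compile(
    r"^\s*(?:(?P<list>[A-Za-z][A-Za-z-]*):)?"
    r"(?P<attr>[A-Za-z][A-Za-z0-9-]*)\s*"
    r"(?P<op>" + "|".join(re.escape(o) for o in OPERATORS) + r")\s*"
    r"(?P<value>.*?)\s*$")


def parse_item(text, default_list="reply"):
    """Parse 'attr op value' or 'list:attr op value' into a 4-tuple.
    A missing list: prefix falls back to default_list (reply, as proposed)."""
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError("not an attribute/value pair: %r" % text)
    value = m.group("value")
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]          # drop surrounding quotes
    return (m.group("list") or default_list, m.group("attr"), m.group("op"), value)


def map_entry(entry, check_attr="radiusCheckItem", reply_attr="radiusReplyItem",
              generic_attr=None):
    """Turn an LDAP entry (dict of attribute -> list of string values) into
    FreeRADIUS attribute lists. radiusCheckItem values default to the
    control (check) list, radiusReplyItem to reply, and the single generic
    attribute to reply unless the value carries its own list: prefix."""
    lists = defaultdict(list)
    sources = ((check_attr, "control"), (reply_attr, "reply"))
    if generic_attr:
        sources += ((generic_attr, "reply"),)
    for ldap_attr, default in sources:
        for raw in entry.get(ldap_attr, []):
            lst, attr, op, value = parse_item(raw, default_list=default)
            lists[lst].append((attr, op, value))
    return dict(lists)


# Constructed sample entry; radiusGenericItem is a hypothetical attribute.
SAMPLE_ENTRY = {
    "radiusCheckItem": ["Simultaneous-Use := 1"],
    "radiusReplyItem": ["Primary-DNS-Server := 1.1.1.1",
                        "Framed-IP-Address = 10.0.0.5"],
    "radiusGenericItem": ["control:Disabled := true",
                          'Reply-Message := "welcome"'],
}

if __name__ == "__main__":
    for list_name, pairs in map_entry(SAMPLE_ENTRY, generic_attr="radiusGenericItem").items():
        for attr, op, value in pairs:
            print("%s:%s %s %s" % (list_name, attr, op, value))
```

A value that does not parse raises rather than being silently dropped; a directory entry that can push arbitrary check items into the control list is a policy input, so malformed values are worth logging at the RADIUS side rather than ignoring.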


Re: Freeradius 3 LDAP Generic Attributes

2013-04-12 Thread Arran Cudbard-Bell

On 12 Apr 2013, at 15:00, Nicholas Lemberger nick.lember...@lkfd.net wrote:

 The ldap.attrmap syntax in FR2 was:
 checkItem   $GENERIC$   radiusCheckItem
 replyItem   $GENERIC$   radiusReplyItem
 
 Basically the ldap attributes radiusCheckItem & radiusReplyItem
 contained FR attr/value pairs which were then added to the
 corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could
 be Primary-DNS-Server := 1.1.1.1).
 
 They wouldn't necessarily need to be distinct check/reply attributes
 in the new rlm_ldap...  it could work more like unlang where an LDAP
 attribute value could be control:Disabled := true, and where if the
 list: portion is omitted it would default to reply.  No matter how
 this happens, there's probably going to need to be a special case
 syntax made in the rlm_ldap attribute mapping...

I was thinking just adding a valuepair_attr = blah config item in the ldap 
config and then doing exactly what you suggested above.

It's not much work, I'll take a look at it later today or tomorrow.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Freeradius 3 LDAP Generic Attributes

2013-04-12 Thread Arran Cudbard-Bell

On 12 Apr 2013, at 15:21, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 On 12 Apr 2013, at 15:00, Nicholas Lemberger nick.lember...@lkfd.net wrote:
 
 The ldap.attrmap syntax in FR2 was:
 checkItem   $GENERIC$   radiusCheckItem
 replyItem   $GENERIC$   radiusReplyItem
 
 Basically the ldap attributes radiusCheckItem & radiusReplyItem
 contained FR attr/value pairs which were then added to the
 corresponding attribute list in FR (e.g. in LDAP radiusReplyItem could
 be Primary-DNS-Server := 1.1.1.1).
 
 They wouldn't necessarily need to be distinct check/reply attributes
 in the new rlm_ldap...  it could work more like unlang where an LDAP
 attribute value could be control:Disabled := true, and where if the
 list: portion is omitted it would default to reply.  No matter how
 this happens, there's probably going to need to be a special case
 syntax made in the rlm_ldap attribute mapping...
 
 I was thinking just adding a valuepair_attr = blah config item in the ldap 
 config and then doing exactly what you suggested above.
 
 It's not much work, I'll take a look at it later today or tomorrow.

Done, but somebody's new xlat parser is segfaulting so I'd wait until tomorrow
for that to be fixed before testing.

-Arran


Re: Freeradius 3 LDAP Generic Attributes

2013-04-10 Thread Arran Cudbard-Bell

 I've been puttering around with FR3 and haven't been able to figure
 out how to set up a mapping from LDAP 'radiusReplyItem' &
 'radiusCheckItem' attributes to FR3 generic attributes.

I guess if it was useful we could add it back in, there's no real reason
not to.

Could you remind me what the value format was?

 While we do often create a special LDAP attribute for what we need,
 the generic attributes in FR2 made testing and certain one-off
 configurations much quicker.

Ok.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

Please contribute documentation:
http://wiki.freeradius.org

Stupidity is a harsh teacher and her lesson is pain


Re: Freeradius with ldap

2012-05-31 Thread Alan DeKok
Marlos Alex wrote:
 
 I'm in trouble and I think that freeradius is, can anyone help me, I
 configured the ldap group and created a wireless and want only
 the users of this group to access my wifi network?

  Examples of LDAP group checking are in the FAQ.

  Alan DeKok.


Re: Freeradius with ldap

2012-05-31 Thread g17jimmy
The FAQ gives a *very* basic and less than complete example of using groups.
I found an old maillist entry that might be of help here. -
http://lists.freeradius.org/pipermail/freeradius-users/2007-June/019764.html 

I'm trying to do something similar and I'm having trouble getting radius to
be able to successfully validate a user as part of a group.



Re: FreeRADIUS with LDAP Support

2011-12-08 Thread Alan Buxey
Hi,

 I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has
 not been compiled.
 Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

if you read the output of ./configure

eg 

./configure | grep WARN

you will see what LDAP stuff is required - openldap


alan


Re: FreeRADIUS with LDAP Support

2011-12-08 Thread Fajar A. Nugraha
On Thu, Dec 8, 2011 at 9:51 AM, Nick Khamis sym...@gmail.com wrote:
 Hello Everyone,

 I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has
 not been compiled.
 Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

Try libldap2-dev. That's what on Build-Depends section on debian/control.

-- 
Fajar


Re: FreeRADIUS with LDAP Support

2011-12-08 Thread Nick Khamis
Hello Everyone,

I do have libldap2-dev installed however, it seems like openldap in all its
totality is needed?

Thanks in Advance,

Nick.

On Thu, Dec 8, 2011 at 5:31 AM, Fajar A. Nugraha l...@fajar.net wrote:
 On Thu, Dec 8, 2011 at 9:51 AM, Nick Khamis sym...@gmail.com wrote:
 Hello Everyone,

 I tried to compile FreeRADIUS with LDAP support however, rlm_ldap has
 not been compiled.
 Are libldap-2.4-2 libldap-dev not sufficient? Do I need to install OpenLDAP?

 Try libldap2-dev. That's what on Build-Depends section on debian/control.

 --
 Fajar


Re: FreeRADIUS with LDAP Support

2011-12-08 Thread John Dennis

On 12/08/2011 01:11 PM, Nick Khamis wrote:

Hello Everyone,

I do have libldap2-dev installed however, it seems like openldap in all its
totality is needed?


What is needed will be listed in the output of configure. Also listed 
will be where configure looked for the dependency. You should read this. 
Usually you'll need the headers and libraries, but they may be located 
in non-standard locations, if so you'll have to tell configure where to 
find them.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Freeradius and LDAP keepalive

2011-09-08 Thread Angel L. Mateo
Thank you. I have tried those options, but they don't work for me.
The problem is that they configure freeradius to send TCP Keepalive
messages over the connection, but these packets are just TCP packets,
they don't contain any ldap command, so openldap idle_timeout is still
applied.


--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 868887590
Fax: 86337


Re: Freeradius and LDAP keepalive

2011-09-08 Thread Alan DeKok
Angel L. Mateo wrote:
 Thank you. I have tried those options, but they don't work for me.
 The problem is that they configure freeradius to send TCP Keepalive
 messages over the connection, but these packets are just TCP packets,
 they don't contain any ldap command, so openldap idle_timeout is still
 applied.

  Well... poke the server occasionally using radclient.

  Alan DeKok.


Re: Freeradius and LDAP keepalive

2011-09-07 Thread Alan DeKok
Angel L. Mateo wrote:
 I have a freeradius 2.1.10 running in a ubuntu (10.04) server. My
 users are in a ldap directory.
 
 The problem I have is that openldap server has an idle timeout (if
 there is more than this time with an idle connection, openldap closes
 the connection). So I want to know if there is some way to configure a
 keepalive on the ldap connection of freeradius.
...
 Is there any way to configure this keepalive?

  In 2.1.12, the keepalive configuration is documented in raddb/modules/ldap

  Alan DeKok.




Re: Freeradius and LDAP keepalive

2011-09-07 Thread Angel L. Mateo

On 07/09/11 13:02, Alan DeKok wrote:

Angel L. Mateo wrote:

 I have a freeradius 2.1.10 running in a ubuntu (10.04) server. My
users are in a ldap directory.

 The problem I have is that openldap server has an idle timeout (if
there is more than this time with an idle connection, openldap closes
the connection). So I want to know if there is some way to configure a
keepalive on the ldap connection of freeradius.

...

 Is there any way to configure this keepalive?


   In 2.1.12, the keepalive configuration is documented in raddb/modules/ldap

I didn't find any 2.1.12 freeradius version (the latest version at
freeradius web is 2.1.11). In 2.1.11 (and 2.1.10) the options I have
found that could be related are:


* ldap_connections_number: number of active ldap connections (although I 
have this value configured as 15, I can only see one active connection 
with netstat)

* timeout: Timeout to finish a query
* timelimit: Timeout that the ldap server has to finish the query
* net_timeout: Seconds to wait for response of the server

As far as I understand, none of these values is for a keepalive. Is
there any other parameter?



--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 868887590
Fax: 86337


Re: Freeradius and LDAP keepalive

2011-09-07 Thread Alan DeKok
Angel L. Mateo wrote:
 I didn't find any 2.1.12 freeradius version (the latest version at
 freeradius web is 2.1.11). In 2.1.11 (and 2.1.10) the options I have
 found that could be related are:

  2.1.12 will be released soon.

 * ldap_connections_number: number of active ldap connections (although I
 have this value configured as 15, I can only see one active connection
 with netstat)
 * timeout: Timeout to finish a query
 * timelimit: Timeout that the ldap server has to finish the query
 * net_timeout: Seconds to wait for response of the server
 
 As far as I understand, none of these values is for a keepalive. Is
 there any other parameter?

  See https://github.com/alandekok/freeradius-server/tree/v2.1.x

  Download a tar file.  It is a pre-release version of 2.1.12.  Then
see raddb/modules/ldap, as I suggested.

  Alan DeKok.

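As an added illustration, not text from the thread and not the project's shipped file, the shape of the keepalive settings Alan refers to in raddb/modules/ldap. The section name and the three keys are given as I recall them from the 2.1.12 module configuration and should be checked against your own copy; the host and base DN are placeholders.

```conf
ldap {
	server = "ldap.example.org"          # placeholder host, not the poster's
	port = 389
	basedn = "ou=people,dc=example,dc=org"

	#  TCP keepalive on the rlm_ldap socket (assumed 2.1.12 syntax; verify
	#  in your raddb/modules/ldap). After `idle` seconds without traffic the
	#  kernel sends a probe every `interval` seconds, up to `probes` times,
	#  before the socket is declared dead. These probes carry no LDAP
	#  operation, which is exactly the limitation Angel describes.
	keepalive {
		idle = 60
		probes = 3
		interval = 3
	}
}
```

Two different timers are in play. The keepalive above protects FreeRADIUS against a silently dead peer or lost firewall state, but slapd's idle_timeout counts seconds since the last LDAP operation on the connection and is unaffected by TCP-level probes; a setting of 0 disables it on the slapd side. If the directory must keep its idle_timeout, the remaining option is the one Alan gives: exercise the connection periodically with a real request (for instance a radclient authentication that causes an LDAP search), and confirm in debug output that rlm_ldap reconnects cleanly when the server does drop the connection.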


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread nf-vale
Hi,

You can add NT / LM pairs to each LDAP user object. You must include the 
samba.schema into the ldap server schemas.

Ex:

sambaNTPassword: CAF13D4F321E608B27FD75D2549BA53C
sambaLMPassword: 02D093CE93038E2FAAD3B435B51404EE

You can create these passwords using smbencrypt tool (deployed with samba).

This way pptp MSCHAP auth will work.


Nelson Vale


On Monday 05 July 2010 16:59:08 Daniel Gomes wrote:
 Dear list,
 
 I know this is a question which has been thoroughly asked and answered,
 but after spending several days configuring, debugging, searching the
 internet, re-configuring, etc, I still can't get my freeradius server
 to properly authenticate users (for a pptpd server).
 
 First of all, on the pptpd server's side (which I know is not your
 jurisdiction, so I'll be fast here), I have the require-mschap-v2 and
 require-mppe options enabled.
 
 As for freeradius itself, a summarized sites-enabled/default reads:
 
 authorize {
 preprocess
 
 pap
 
 mschap
 
 ldap
 
 auth_log
 
 eap {
 ok = return
 }
 
 expiration
 logintime
 }
 
 authenticate {
 Auth-Type PAP {
 pap
 }
 
 Auth-Type MS-CHAP {
 mschap
 }
 
 Auth-Type LDAP {
 ldap
 }
 
 eap
 }
 
 My modules/ldap contains all the necessary information, and my
 modules/mschap has the options use_mppe, require_encryption and
 require_strong enabled, like most tutorials state.
 
 As for the results, radtest works fine (querying LDAP etc), but through
 pptpd it always fails with this error:
 
 
 
 rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
 length=151
   Service-Type = Framed-User
   Framed-Protocol = PPP
   User-Name = dgomes
   MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
   MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
   Calling-Station-Id = 193.136.136.200
   NAS-IP-Address = 193.136.136.40
   NAS-Port = 0
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
 [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 ++[mschap] returns ok
 [ldap] performing user authorization for dgomes
 WARNING: Deprecated conditional expansion :-.  See man unlang for
 details
   expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=dgomes)
   expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt ->
 ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
 rlm_ldap: bind as
 cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
 gold.ipfn.ist.utl.pt:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
 with filter (cn=dgomes)
 [ldap] No default NMAS login sequence
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that
 the user is configured correctly?
 [ldap] user dgomes authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
   expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
 [auth_log]
 /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
 expand: %t -> Thu Jul  8 14:08:34 2010
 ++[auth_log] returns ok
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
 [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 ++[mschap] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
   expand: %{User-Name} -> dgomes
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 
 --
 
 I know that the error should be enough for me to fix it (since it's
 quite explanatory), but after trying many different configurations and
 searching through dozens of old mailing lists posts, I still haven't
 managed it...
 
 So yeah, if you could help me out, 

Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 I know this is a question which has been thoroughly asked and answered,
 but after spending several days configuring, debugging, searching the
 internet, rec-configuring, etc, I still can't get my freeradius server
 to properly authenticate users (for a pptpd server).

  Go read the debug log.  It's not finding the password for the user.
Fix that.

 So yeah, if you could help me out, I'd appreciate it! All I want is
 pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
 is not even a requirement for me here, since both services are on the
 same machine, so there's not even the need for safe connections. So long
 as it works, I really don't care about any particular configuration!

  A simple LDAP query for the user is *not* returning a password.
That's the problem.

  Does the user even have a password in LDAP?

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

Hey there,

first of all, thanks for all the tips!

Commenting them, in the order in which they came:

@peter lambrechtsen:

 I actually had tried PAP before, but I gave up then because pptpd was 
refusing clients without even consulting the RADIUS server... But I 
noticed (a couple of minutes ago) that I had the client (ie. Windows) 
configured to try MS-CHAP and not PAP...


@ nf-vale:

nice detailed description on how to fix it, but I ended up using peter's 
solution, as it seemed easier.


@alan dekok (inline comments):

On 09-07-2010 11:23, Alan DeKok wrote:

Daniel Gomes wrote:
   

I know this is a question which has been thoroughly asked and answered,
but after spending several days configuring, debugging, searching the
internet, rec-configuring, etc, I still can't get my freeradius server
to properly authenticate users (for a pptpd server).
 

   Go read the debug log.  It's not finding the password for the user.
Fix that.

   

So yeah, if you could help me out, I'd appreciate it! All I want is
pptpd to authenticate the users with a LDAP backend, via RADIUS. MS-CHAP
is not even a requirement for me here, since both services are on the
same machine, so there's not even the need for safe connections. So long
as it works, I really don't care about any particular configuration!
 

   A simple LDAP query for the user is *not* returning a password.
That's the problem.

   Does the user even have a password in LDAP?

   


From the logs, and as I wrote on my initial cry for help, I could see 
that the password wasn't being found, I just couldn't puzzle out why... 
And yes, the users do have passwords on LDAP (we are using it to 
authenticate many other applications), and as I wrote down, radtest was 
working fine, so freeradius was able to authenticate users via LDAP.





   Alan DeKok.


Anyway, once again, thanks for all the tips! It seems to be working fine 
with PAP, so I guess I'll go with it!


Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 From the logs, and as I wrote on my initial cry for help, I could see
 that the password wasn't being found, I just couldn't puzzle out why...
 And yes, the users do have passwords on LDAP (we are using it to
 authenticate many other applications), and as I wrote down, radtest was
 working fine, so freeradius was able to authenticate users via LDAP.

  Let me guess: it's Active Directory.

  Active Directory is *not* a real LDAP server.  In order to
authenticate users with MS-CHAP, you will need to install Samba.

  See the Active Directory howto on http://deployingradius.com/

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

Wrong guess, it's OpenLDAP :)

On 09-07-2010 13:04, Alan DeKok wrote:

Daniel Gomes wrote:


 From the logs, and as I wrote on my initial cry for help, I could see
that the password wasn't being found, I just couldn't puzzle out why...
And yes, the users do have passwords on LDAP (we are using it to
authenticate many other applications), and as I wrote down, radtest was
working fine, so freeradius was able to authenticate users via LDAP.


   Let me guess: it's Active Directory.

   Active Directory is *not* a real LDAP server.  In order to
authenticate users with MS-CHAP, you will need to install Samba.

   See the Active Directory howto on http://deployingradius.com/

   Alan DeKok.



--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 Wrong guess, it's OpenLDAP :)

  Then fix it so that it returns a password to FreeRADIUS.

  It's an LDAP server.  If it doesn't return a password when an LDAP
client queries it for a password, it's broken.

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes
Well, as I mentioned (a couple of times now), the LDAP server was indeed 
returning a password to FreeRADIUS, since radtest was always working 
fine. So the problem wasn't in the LDAP server itself, because it does 
return a password when an LDAP client queries it for a password (as I 
also mentioned it, we are currently and successfully using it to 
authenticate other services). The problem was really related to MS-CHAP, 
and now that I changed to PAP, it all seems to be working fine...


On 09-07-2010 13:35, Alan DeKok wrote:

Daniel Gomes wrote:


Wrong guess, it's OpenLDAP :)


   Then fix it so that it returns a password to FreeRADIUS.

   It's an LDAP server.  If it doesn't return a password when an LDAP
client queries it for a password, it's broken.

   Alan DeKok.



--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
 Well, as I mentioned (a couple of times now), the LDAP server was indeed
 returning a password to FreeRADIUS, since radtest was always working
 fine.

  No, it wasn't returning a password to FreeRADIUS.  Go *read* the debug
output.  It will prove this.

  When using PAP, the LDAP module looks for a password.  If it doesn't
get one, it then tries to do bind as user.  That is, it hands the
username & password to the LDAP server, and asks "are these OK?"

  When this happens, you're making your LDAP server do user
authentication.  This is wrong.  LDAP is a database.  RADIUS is an
authentication server.

 So the problem wasn't in the LDAP server itself, because it does
 return a password when an LDAP client queries it for a password (as I
 also mentioned it, we are currently and successfully using it to
 authenticate other services).

  Using PAP passwords.

 The problem was really related to MS-CHAP,
 and now that I changed to PAP, it all seems to be working fine...

  Yes.  For the reasons outlined above.

  Your situation *isn't* the first time someone has had this issue.
We're familiar with the problem & solution, where you are clearly not.

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes

On 09-07-2010 13:59, Alan DeKok wrote:

Daniel Gomes wrote:
   

Well, as I mentioned (a couple of times now), the LDAP server was indeed
returning a password to FreeRADIUS, since radtest was always working
fine.
 

   No, it wasn't returning a password to FreeRADIUS.  Go *read* the debug
output.  It will prove this.

   When using PAP, the LDAP module looks for a password.  If it doesn't
get one, it then tries to do bind as user.  That is, it hands the
username & password to the LDAP server, and asks "are these OK?"

   When this happens, you're making your LDAP server do user
authentication.  This is wrong.  LDAP is a database.  RADIUS is an
authentication server.
   


Ok, thanks, now I see the difference. I did read the debug output, and 
again, I understood that FreeRADIUS was having problems getting the 
userPassword, I just couldn't understand why. For a layman such as 
myself, if it worked with radtest it followed that it should work with 
MS-CHAP too. With this explanation, now I understand why it didn't.


   

So the problem wasn't in the LDAP server itself, because it does
return a password when an LDAP client queries it for a password (as I
also mentioned it, we are currently and successfully using it to
authenticate other services).
 

   Using PAP passwords.

   


Actually these applications are probably just binding with the user's 
credentials, but that's not relevant here.



The problem was really related to MS-CHAP,
and now that I changed to PAP, it all seems to be working fine...
 

   Yes.  For the reasons outlined above.

   Your situation *isn't* the first time someone has had this issue.
We're familiar with the problem & solution, where you are clearly not.

   Alan DeKok.


Well, it doesn't help me much if you say you know the problem and its 
solution, but then don't tell me how to fix it. And I know I'm not the 
first one to have these issues, I started from the beginning by saying 
that I read everything I could find about it on the Internet, tried to 
fix the problem many times and only then I came here, asking for help. 
Sorry for wasting your time!... And btw, your aggressive attitude 
doesn't really help anyone.


Anyway, after getting it to work with PAP, I followed nf-vale's solution 
(adding the ntPassword and lmPassword attributes to LDAP) and now it's 
also working with MS-CHAP. Thanks for the great tip!!


Cheers,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Alan DeKok
Daniel Gomes wrote:
  we are currently and successfully using it to
 authenticate other services).
  
Using PAP passwords.  
 
 Actually these application are probably just binding with the user's
 credentials, but that's not relevant here.

  <sigh>  That's what I meant.

 Well, it doesn't help me much if you say you know the problem and its
 solution, but then don't tell me how to fix it.

  OpenLDAP has documentation on how to make it return passwords when an
LDAP client asks for them.  We don't tend to copy that documentation here.

 And I know I'm not the
 first one to have these issues, I started from the beginning by saying
 that I read everything I could find about it on the Internet, tried to
 fix the problem many times and only then I came here, asking for help.
 Sorry for wasting your time!... And btw, your aggressive attitude
 doesn't really help anyone.

  Sorry... but when you ask for help, you shouldn't argue with the
answers.  Especially when it's clear that you're asking for help because
you don't know what's going wrong.

  Education can be a painful process.

 Anyway, after getting it to work with PAP, I followed nf-vale's solution
 (adding the ntPassword and lmPassword attributes to LDAP) and now it's
 also working with MS-CHAP. Thanks for the great tip!!

  That's good to hear.

  Alan DeKok.


Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-09 Thread Daniel Gomes


On 09-07-2010 17:12, Alan DeKok wrote:

Daniel Gomes wrote:
   

  we are currently and successfully using it to
authenticate other services).

 

Using PAP passwords.
   

Actually these application are probably just binding with the user's
credentials, but that's not relevant here.
 

   <sigh>   That's what I meant.

   

Well, it doesn't help me much if you say you know the problem and its
solution, but then don't tell me how to fix it.
 

   OpenLDAP has documentation on how to make it return passwords when an
LDAP client asks for them.  We don't tend to copy that documentation here.

   

And I know I'm not the
first one to have these issues, I started from the beginning by saying
that I read everything I could find about it on the Internet, tried to
fix the problem many times and only then I came here, asking for help.
Sorry for wasting your time!... And btw, your aggressive attitude
doesn't really help anyone.
 

   Sorry... but when you ask for help, you shouldn't argue with the
answers.  Especially when it's clear that you're asking for help because
you don't know what's going wrong.

   Education can be a painful process.

   


Mate, I wasn't arguing in the sense of you're wrong, I was just trying 
to understand why were you saying that LDAP wasn't working, when it 
clearly looked like it was. After you explained the difference between 
PAP and MS-CHAP on the previous email, I could finally understand just 
that. So thanks once again for the explanation!


And yeah, I didn't know what was going on, but that was my reason to 
come here in the first place!



Anyway, after getting it to work with PAP, I followed nf-vale's solution
(adding the ntPassword and lmPassword attributes to LDAP) and now it's
also working with MS-CHAP. Thanks for the great tip!!
 

   That's good to hear.

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
   


Thanks for the patience,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: Freeradius with LDAP backend for pptpd (via MS-CHAP)

2010-07-08 Thread Peter Lambrechtsen
Why not set up your NAS to use PAP instead of MS-CHAP?

If you use MS-CHAP you will need to have NT hashes in your LDAP directory.

It would be far easier to have PAP authentication enabled on your NAS; then
it should work fine.

On Tue, Jul 6, 2010 at 3:59 AM, Daniel Gomes dgo...@ipfn.ist.utl.pt wrote:

 Dear list,

 I know this is a question which has been thoroughly asked and answered,
 but after spending several days configuring, debugging, searching the
 internet, re-configuring, etc, I still can't get my freeradius server
 to properly authenticate users (for a pptpd server).

 First of all, on the pptpd server's side (which I know is not your
 jurisdiction, so I'll be fast here), I have the require-mschap-v2 and
 require-mppe options enabled.

 As for freeradius itself, a summarized sites-enabled/default reads:

 authorize {
     preprocess
     pap
     mschap
     ldap
     auth_log
     eap {
         ok = return
     }
     expiration
     logintime
 }

 authenticate {
     Auth-Type PAP {
         pap
     }

     Auth-Type MS-CHAP {
         mschap
     }

     Auth-Type LDAP {
         ldap
     }

     eap
 }

 My modules/ldap contains all the necessary information, and my
 modules/mschap has the options use_mppe, require_encryption and
 require_strong enabled, like most tutorials state.

 As for the results, radtest works fine (querying LDAP etc), but through
 pptpd it always fails with this error:

 

 rad_recv: Access-Request packet from host 127.0.0.1 port 39968, id=75,
 length=151
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = dgomes
MS-CHAP-Challenge = 0x4276ec425c25a93a22c31b2bc34cdd17
 MS-CHAP2-Response = 0x48003ac4b88e3cc4c6b5819eb258c434e27a02a4c78177ee841a98cf68cb9686085635bd3b3083707eb3
Calling-Station-Id = 193.136.136.200
NAS-IP-Address = 193.136.136.40
NAS-Port = 0
 +- entering group authorize {...}
 ++[preprocess] returns ok
 [pap] WARNING! No known good password found for the user.
 Authentication may fail because of this.
 ++[pap] returns noop
 [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
 ++[mschap] returns ok
 [ldap] performing user authorization for dgomes
 WARNING: Deprecated conditional expansion :-.  See man unlang for
 details
expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=dgomes)
expand: ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt -
 ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to gold.ipfn.ist.utl.pt:389, authentication 0
 rlm_ldap: bind as
 cn=radius,ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt/passVPN to
 gold.ipfn.ist.utl.pt:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=people,dc=ipfn,dc=ist,dc=utl,dc=pt,
 with filter (cn=dgomes)
 [ldap] No default NMAS login sequence
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that
 the user is configured correctly?
 [ldap] user dgomes authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
expand:
 /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y
 %m%d - /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
 [auth_log]
 /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
 to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20100708
expand: %t - Thu Jul  8 14:08:34 2010
 ++[auth_log] returns ok
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
 [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
 [mschap] Told to do MS-CHAPv2 for dgomes with NT-Password
 [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 ++[mschap] returns reject
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
expand: %{User-Name} - dgomes
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request

 --

 I know that the error should be enough for me to fix it (since it's
 quite explanatory), but after trying many different configurations and
 searching through dozens of old mailing list posts, I still haven't
 managed it...

 So yeah, if you could help me out, I'd appreciate it! All I want is
 pptpd to authenticate the users with an LDAP backend, via RADIUS. MS-CHAP
 is not even 

Re: FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please

2009-10-04 Thread Peter Lambrechtsen
Your password needs to be readable in cleartext by FR for anything other
than PAP to work.

That way FR can hash/encrypt the password out of LDAP on the server side and
compare it against the hash it gets passed from the client.

On Sun, Oct 4, 2009 at 6:07 PM, Ryaz Khan rk...@ezesolve.com wrote:

  Hi Guys,



 I am glad to say that I was able to setup *FreeRADIUS ver. 2.1.7* with *LDAP
 (slapd)* authentication after a continuous research of a whole week. I can
 authenticate user via LDAP but it only works for PAP, *radtest* tool
 works, *NTRadPing* works but only when using PAP (un-checking CHAP).



 I tried every possible option/combination I can think of, but unfortunately
 none of them worked.



 I would appreciate if some of you can help me with that or can guide me to
 the right path



 Thx guys



 Ryaz Khan


Re: FreeRADIUS with LDAP backend (PAP works but CHAP or any other modules does not work), help please

2009-10-04 Thread Ivan Kalik
 I am glad to say that I was able to setup FreeRADIUS ver. 2.1.7 with LDAP
 (slapd) authentication after a continuous research of a whole week. I can
 authenticate user via LDAP but it only works for PAP, radtest tool works,
 NTRadPing works but only when using PAP (un-checking CHAP).

If you have read the comments in the ldap module (raddb/modules/ldap) you
needn't have wasted your time. LDAP authentication works *only* for PAP.

http://deployingradius.com/documents/protocols/oracles.html

 I would appreciate if some of you can help me with that or can guide me to
 the right path

Use ldap as database and not authentication system. Pass the password from
it to freeradius and let freeradius authenticate the user.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius and ldap

2009-08-02 Thread Ivan Kalik
 I installed freeradius-server-2.1.6. It is connected to an LDAP server. When I
 run radiusd -X there is this error:
 /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
 /usr/lib/rlm_ldap.so: undefined symbol: librad_errstr

 Is it needed to install freeradius-ldap or my config may have error?

Yes, if you want to use ldap.

 I downloaded freeradius-ldap-2.1.3-1.fc10.i386.rpm. When I want to install
 it, it needs libldap_r-2.4.so.2, and searching for this file gives openldap,
 whose installation needs dependencies too.
 What is my mistake?

You are not using yum? This is an OS question, so direct it to them.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius and ldap

2009-08-02 Thread Eric
Yum install freeradius-ldap sends this needed too.


 I installed freeradius-server-2.1.6. It is connected to an LDAP server. When I
 run radiusd -X there is this error:
 /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
 /usr/lib/rlm_ldap.so: undefined symbol: librad_errstr

 Is it needed to install freeradius-ldap or my config may have error?

Yes, if you want to use ldap.

 I downloaded freeradius-ldap-2.1.3-1.fc10.i386.rpm. When I want to install
 it, it needs libldap_r-2.4.so.2, and searching for this file gives openldap,
 whose installation needs dependencies too.
 What is my mistake?

You are not using yum? This is an OS question, so direct it to them.

Re: freeradius and ldap

2009-08-02 Thread Alan Buxey
Hi,

 I installed freeradius-server-2.1.6. It is connected to an LDAP server. When I
 run radiusd -X there is this error:
 /usr/local/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap':
 /usr/lib/rlm_ldap.so: undefined symbol: librad_errstr

 Do I need to install freeradius-ldap, or may my config have an error?
 I downloaded freeradius-ldap-2.1.3-1.fc10.i386.rpm. When I want to install
 it, it needs libldap_r-2.4.so.2, and searching for this file gives openldap,
 whose installation needs dependencies too.
 What is my mistake?

if you installed freeradius from YUM it looks like it didn't pull in
dependencies.

for LDAP functionality, you'll need to install openldap and
all of its dependencies.  

if you built from source, you'll also need the openldap-devel package too

alan


Re: freeradius and ldap

2009-08-02 Thread Eric
Yes, but yum installs version 1.1.3, and I want to use the reply-name item that is
in version 2.1.6.

 if you installed freeradius from YUM it looks like it didn't pull in
 dependencies.

for LDAP functionality, you'll need to install openldap and
all of its dependencies.

if you built from source, you'll also need the openldap-devel package too

alan

Re: freeradius and ldap

2009-08-02 Thread Ivan Kalik
 Yes, but yum installs version 1.1.3, and I want to use the reply-name item that
 is in version 2.1.6.


http://wiki.freeradius.org/Red_Hat_FAQ

Ivan Kalik
Kalik Informatika ISP



Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Alan DeKok
Christopher Sheldon wrote:
 Does anyone else who subscribes to the list specifically read every
 email Alan sends just to chuckle at him berating the  poor, confused
 people seeking help?

  My unhelpful comments are directed at the people who don't read (a)
the documentation I already wrote, or (b) the debugging messages I
already wrote.

  Perhaps you could take over the role of cut & paste master, where
you would cut and paste the existing documentation onto this list for
certain people.

  Failing that, perhaps you could try another method of positive
contribution that doesn't involve complaining about me.

  Alan DeKok.


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Alan DeKok
daverum...@boothcreek.com wrote:
   So funny you say that, I was just talking about that with a co worker. I 
 almost find myself searching for his emails and thinking that poor person who 
 is looking for help.

  Asking people to read the debug log, as suggested in the FAQ, README,
INSTALL, man page, every single howto, and daily on this list?

  For shame.

  It's really quite simple.  It's a choice.  People DON'T read the
documentation.  They DON'T follow instructions.  They DON'T read the
debug log.  But they get incensed when they get told to read it, and
they get incensed when told to follow instructions.

  Happily, there is a solution.  Along with Christopher, you're now the
new cut & paste master.  Please spend a few short hours every day
answering questions on this list by cutting & pasting answers from the
existing documentation.

  Also, you will need to explain to people that they should run the
server in debugging mode.  Feel free to *continue* explaining why this
is necessary after they have gotten angry at you for not immediately
solving their problem.

  Complaining about *my* behavior is not an option until you've
contributed something to the project.

  Alan DeKok.


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread John Dennis
Alan often replies immediately with useful information, often for 
questions which are constantly repeated. I'm personally impressed with 
his tireless dedication, not only in being one of the primary help 
desk roles but also in developing the software, both of which you're 
getting for *free*. I think Alan (and some others) deserve a note of 
thanks from this community.


Folks, get real, this is open source. That means it's a community of 
volunteers. In open source if you think something is deficient your job 
is to step up to the plate and contribute for the betterment of 
everyone. But if instead you feel you need to complain and not 
contribute then please walk away.


John


RE: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Danner, Mearl


 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 John Dennis
 Sent: Thursday, June 25, 2009 8:54 AM
 To: FreeRadius users mailing list
 Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
 
 Alan often replies immediately with useful information, often for
 questions which are constantly repeated. I'm personally impressed with
 his tireless dedication, not only in being one of the primary help
 desk roles but also in developing the software, both of which you're
 getting for *free*. I think Alan (and some others) deserve a note of
 thanks from this community.
 
 Folks, get real, this is open source. That means it's a community of
 volunteers. In open source if you think something is deficient your job
 is to step up to the plate and contribute for the betterment of
 everyone. But if instead you feel you need to complain and not
 contribute then please walk away.
 
 John



I agree wholeheartedly.

The documentation is more than adequate. Surprising how much you'll learn by 
reading it.

If you'd prefer Alan spend time answering already answered questions rather 
than refining/developing freeradius

Mearl



Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-24 Thread Alan DeKok
jpablorp wrote:
 I replaced eap.conf with the default eap.conf file
 
 and this is my debug:

  Where you have *deleted* the real cause of the error.

 [peap]  Had sent TLV failure.  User was rejected earlier in this session.

  Look EARLIER in the debug log for the failure.  It's really not hard.
 Look for words like reject, or fail, or error.

  The messages will tell you what is wrong, and why.  All you need to do
is read them.

  Alan DeKok.


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-24 Thread jpablorp

Thanks for your help.

I'm pretty new to freeradius. I've read many how-tos, but only in this
post have I discovered many things.



Alan DeKok-2 wrote:
 
 jpablorp wrote:
  I replaced eap.conf with the default eap.conf file
 
 and this is my debug:
 
   Where you have *deleted* the real cause of the error.
 
 [peap]  Had sent TLV failure.  User was rejected earlier in this session.
 
   Look EARLIER in the debug log for the failure.  It's really not hard.
  Look for words like reject, or fail, or error.
 
   The messages will tell you what is wrong, and why.  All you need to do
 is read them.
 
   Alan DeKok.
 
 



Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-24 Thread Christopher Sheldon


Does anyone else who subscribes to the list specifically read every 
email Alan sends just to chuckle at him berating the poor, confused 
people seeking help?


It's like reality TV. ;-)

Chris.

Alan DeKok wrote:

jpablorp wrote:
  

I replaced eap.conf with the default eap.conf file

and this is my debug:



  Where you have *deleted* the real cause of the error.

  

[peap]  Had sent TLV failure.  User was rejected earlier in this session.



  Look EARLIER in the debug log for the failure.  It's really not hard.
 Look for words like reject, or fail, or error.

  The messages will tell you what is wrong, and why.  All you need to do
is read them.

  Alan DeKok.


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-24 Thread daverummel
Chris,
  So funny you say that, I was just talking about that with a co-worker. I 
almost find myself searching for his emails and thinking that poor person who 
is looking for help.
  I hope to post a link giving exact details on how to do auth with ldap using 
freeradius 2. I also plan to add how to do group auth with unlang. So tired of 
finding bits and pieces and no one quite giving a how to do in this mailing 
list.
--Original Message--
From: Christopher Sheldon
Sender: freeradius-users-bounces+daverummel=boothcreek@lists.freeradius.org
To: FreeRadius users mailing list
ReplyTo: FreeRadius users mailing list
Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
Sent: Jun 24, 2009 5:36 PM


Does anyone else who subscribes to the list specifically read every 
email Alan sends just to chuckle at him berating the poor, confused 
people seeking help?

It's like reality TV. ;-)

Chris.

Alan DeKok wrote:
 jpablorp wrote:
   
  I replaced eap.conf with the default eap.conf file

 and this is my debug:
 

   Where you have *deleted* the real cause of the error.

   
 [peap]  Had sent TLV failure.  User was rejected earlier in this session.
 

   Look EARLIER in the debug log for the failure.  It's really not hard.
  Look for words like reject, or fail, or error.

   The messages will tell you what is wrong, and why.  All you need to do
 is read them.

   Alan DeKok.

RE: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-24 Thread Tim Sylvester
We should start collecting the Best of Alan posts. Any nominations?

Tim

 -Original Message-
 From: freeradius-users-
 bounces+tim.sylvester=networkradius@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf
 Of daverum...@boothcreek.com
 Sent: Wednesday, June 24, 2009 7:56 PM
 To: FreeRadius users mailing list
 Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
 
 Chris,
   So funny you say that, I was just talking about that with a co-worker.
  I almost find myself searching for his emails and thinking that
  poor person who is looking for help.
   I hope to post a link giving exact details on how to do auth with
 ldap using freeradius 2. I also plan to add how to do group auth with
 unlang. So tired of finding bits and pieces and no one quite giving a
 how to do in this mailing list.
 --Original Message--
 From: Christopher Sheldon
 Sender: freeradius-users-
 bounces+daverummel=boothcreek@lists.freeradius.org
 To: FreeRadius users mailing list
 ReplyTo: FreeRadius users mailing list
 Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
 Sent: Jun 24, 2009 5:36 PM
 
 
 Does anyone else who subscribes to the list specifically read every
 email Alan sends just to chuckle at him berating the poor, confused
 people seeking help?
 
 It's like reality TV. ;-)
 
 Chris.
 
 Alan DeKok wrote:
  jpablorp wrote:
 
   I replaced eap.conf with the default eap.conf file
 
  and this is my debug:
 
 
Where you have *deleted* the real cause of the error.
 
 
  [peap]  Had sent TLV failure.  User was rejected earlier in this
 session.
 
 
Look EARLIER in the debug log for the failure.  It's really not
 hard.
   Look for words like reject, or fail, or error.
 
The messages will tell you what is wrong, and why.  All you need to
  do is read them.
 
Alan DeKok.

Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread Ivan Kalik
 I've been trying to set up freeradius 2.1.6 with LDAP and mschapv2 to
 authenticate.
 When I send a test from my console, this works fine.

 But when I try to connect.

 I don't know what I'm missing.
 Here is my radiusd.conf:

Why did you find it necessary to butcher default configuration? Use
default radiusd.conf, configure ldap in modules (raddb/modules/ldap) and
watch it work.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread jpablorp

Thanks for your response.

Now I'm using the default files and have configured the access in modules
(raddb/modules/ldap).
Now it seems like the solution is closer.

When I test, this appears on my server in debug mode:

[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for unsupported type 25
[eap] No common EAP types found.
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 189 to 10.14.56.33 port 32768
EAP-Message = 0x040c0004
Message-Authenticator = 0x
Waking up in 3.9 seconds.
Cleaning up request 1 ID 188 with timestamp +30
Waking up in 1.0 seconds.
Cleaning up request 2 ID 189 with timestamp +30
Ready to process requests.

I think the problem is in my eap.conf file, but I'm not sure what exactly I have
to do.
Any idea?


Ivan Kalik wrote:
 
 I've been trying to set up freeradius 2.1.6 with LDAP and mschapv2 to
 authenticate.
 When I send a test from my console, this works fine.

 But when I try to connect.

 I don't know what I'm missing.
 Here is my radiusd.conf:
 
 Why did you find it necessary to butcher default configuration? Use
 default radiusd.conf, configure ldap in modules (raddb/modules/ldap) and
 watch it work.
 
 Ivan Kalik
 Kalik Informatika ISP
 


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread Ivan Kalik
 Thanks for your response.

 Now I'm using the default files and have configured the access in modules
 (raddb/modules/ldap).
 Now it seems like the solution is closer.

 When I test, this appears on my server in debug mode:
...
 [eap] EAP NAK
 [eap] NAK asked for unsupported type 25
 [eap] No common EAP types found.

Well, type 25 is PEAP, and that is defined in eap.conf by default. As are
a few others.


 I think the problem is in my eap.conf file, but I'm not sure what exactly I have
 to do.
 Any idea?

Have you done some strange things to eap.conf or are you using the default
one? Default configuration works.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-23 Thread jpablorp


Ivan Kalik wrote:
 
 
 Have you done some strange things to eap.conf or are you using the default
 one? Default configuration works.
 
 

I replaced eap.conf with the default eap.conf file

and this is my debug:

++[ldap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 198 to 10.14.56.33 port 32768
EAP-Message = 0x040d0004
Message-Authenticator = 0x
Waking up in 3.6 seconds.
Cleaning up request 1 ID 190 with timestamp +51
Cleaning up request 2 ID 191 with timestamp +51
Cleaning up request 3 ID 192 with timestamp +51
Cleaning up request 4 ID 193 with timestamp +51
Cleaning up request 5 ID 194 with timestamp +51
Cleaning up request 6 ID 195 with timestamp +51
Cleaning up request 7 ID 196 with timestamp +51
Cleaning up request 8 ID 197 with timestamp +51
Waking up in 1.0 seconds.
Cleaning up request 9 ID 198 with timestamp +51

Am I missing something?





RE: FreeRadius 2.1 + LDAP Authentication - mschap

2009-06-05 Thread Mackey, Theral
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for sminhas with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

Needs NT/LM passwords (or plain-text) for mschap to work. See perl's 
Crypt::SmbHash on CPAN for an easy way to generate the hash from plaintext. 
Look at the samba schema for openLdap, and probably want to compile the 
smbk5pwd module for openLDAP as well (in the contrib section of the source) to 
keep your pwds sync'd (also check pam/nssldap conf for passwd changes using 
LDAP-exop if you let shell accounts change pwds too).

-T

-

Message: 7
Date: Fri, 05 Jun 2009 14:47:36 -0400
From: Nik Alleyne nalle...@brontecollege.ca
Subject: FreeRadius 2.1 + LDAP Authentication
To: freeradius-users@lists.freeradius.org
Message-ID: 20090605144736.cpa0ghg1wk4ok...@mail.brontecollege.ca
Content-Type: text/plain;   charset=ISO-8859-1

Hi Guys,
I'm hoping someone can help me, because I have been fighting with this issue for
days now.

Environment:
FC10 + FreeRadius 2.1 + OpenLdap 2.4.

I've successfully setup Certificate Based authentication on my FreeRadius server
and that works well. My problem is I have some users I want to authenticate via
username and password (EAP-PEAP).

I configured FreeRadius for such and my radtest (Access-Accept) works as well as
my NTRadPing Utility (Access-Accept) when checked against the users in LDAP.
However, I cannot seem to get my Windows XP Wireless Clients to authenticate.
Please see my debug info below for a sample user sminhas who has a cleartext
LDAP password as it. Thanks for the help.

  radiusd -X  -..snip



Re: freeRadius 1.1.6 ldap inner and outer identity

2009-05-25 Thread Ivan Kalik
 We use freeRadius v 1.1.6 and EAP-TTLS for our WiFi network.
 FreeRadius uses LDAP for user authentication. It is querying LDAP
 about inner identities and outer identities (anonymous usually).
 Is there any way to stop freeRadius from querying LDAP about
 outer identities?

Upgrade. In 2.x inner and outer tunnel are handled by different virtual
servers. Enable ldap only for the inner one.

Ivan Kalik
Kalik Informatika ISP



Re: freeRadius 1.1.6 ldap inner and outer identity

2009-05-25 Thread Alan DeKok
Daniel Daza Muñoz wrote:
 We use freeRadius v 1.1.6 and EAP-TTLS for our WiFi network.
 FreeRadius uses LDAP for user authentication. It is querying LDAP
 about inner identities and outer identities (anonymous usually).
 Is there any way to stop freeRadius from querying LDAP about
 outer identities?

  Upgrade to 2.1.6.  Newer versions have updated functionality that
makes this simple.

  Alan DeKok.


Re: FreeRADIUS and LDAP Groups

2008-12-13 Thread tnt
You don't need Auth-Type Accept (it will let people in even if the
password is wrong). Processing of the users file stops with the first
match without Fall-Through.

Ivan Kalik
Kalik Informatika ISP


On 12/12/2008, Tim Gustafson t...@soe.ucsc.edu wrote:

 Add: DEFAULT   Auth-Type := Reject

Awesome, that worked.

So, if I wanted to enable multiple LDAP groups, would this be the correct 
syntax:

DEFAULT LDAP-Group == foo, Auth-Type := Accept
DEFAULT LDAP-Group == bar, Auth-Type := Accept
DEFAULT LDAP-Group == baz, Auth-Type := Accept
DEFAULT Auth-Type := Reject

Tim Gustafson
SOE Webmaster
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
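
As an added example (not code from this thread or from FreeRADIUS), here is a small Python model of how the users file is walked, with a constructed in-memory directory standing in for rlm_ldap's LDAP-Group membership check. It reproduces the two points made above: an entry with Auth-Type := Accept lets a group member in without any password check, and processing stops at the first matching entry unless that entry carries Fall-Through = Yes, in which case a trailing DEFAULT Auth-Type := Reject is reached even for valid group members. User names, groups and the "password_ok" flag are assumptions for the demonstration.

```python
"""Model of FreeRADIUS 'users' file evaluation (added example, not FreeRADIUS code).

DIRECTORY stands in for the LDAP group lookup behind the LDAP-Group check item;
the users, groups and outcomes below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed stand-in for "which LDAP groups is this user a member of".
DIRECTORY = {"alice": {"foo"}, "bob": {"bar"}, "carol": set()}


@dataclass
class Entry:
    name: str                                            # "DEFAULT" or a literal User-Name
    check: dict[str, str] = field(default_factory=dict)  # "==" items: all must match
    control: dict[str, str] = field(default_factory=dict)  # ":=" items, e.g. Auth-Type
    fall_through: bool = False                           # reply item "Fall-Through = Yes"


def parse_users(text: str) -> list[Entry]:
    """Parse the subset of users-file syntax used in this thread."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # indented line: reply items belonging to the previous entry
            for item in raw.split(","):
                attr, _op, val = item.split()
                if attr == "Fall-Through":
                    entries[-1].fall_through = val.lower() == "yes"
            continue
        name, _, rest = raw.partition(" ")
        entry = Entry(name=name)
        for item in (i.strip() for i in rest.split(",")):
            if not item:
                continue
            attr, op, val = item.split(None, 2)
            if op == "==":
                entry.check[attr] = val
            elif op == ":=":
                entry.control[attr] = val
            else:
                raise ValueError(f"unsupported operator {op!r} in {item!r}")
        entries.append(entry)
    return entries


def check_item_matches(attr: str, value: str, user: str, directory: dict[str, set[str]]) -> bool:
    """Only the LDAP-Group comparison is modelled here."""
    if attr == "LDAP-Group":
        return value in directory.get(user, set())
    raise ValueError(f"no comparison modelled for {attr}")


def walk(entries: list[Entry], user: str, directory: dict[str, set[str]]) -> dict[str, str]:
    """First matching entry wins; later entries are seen only after Fall-Through = Yes."""
    control: dict[str, str] = {}
    for e in entries:
        if e.name not in ("DEFAULT", user):
            continue
        if not all(check_item_matches(a, v, user, directory) for a, v in e.check.items()):
            continue
        control.update(e.control)
        if not e.fall_through:
            break
    return control


def decide(users_text: str, user: str, password_ok: bool, directory=DIRECTORY) -> str:
    """Outcome of authorize + authenticate; password_ok stands in for the real PAP/LDAP check."""
    auth_type = walk(parse_users(users_text), user, directory).get("Auth-Type")
    if auth_type == "Reject":
        return "Access-Reject"
    if auth_type == "Accept":  # the password is never looked at
        return "Access-Accept"
    return "Access-Accept" if password_ok else "Access-Reject"


# The list proposed in the thread: any member of foo or bar gets in, wrong password or not.
ACCEPT_USERS = """
DEFAULT LDAP-Group == foo, Auth-Type := Accept
DEFAULT LDAP-Group == bar, Auth-Type := Accept
DEFAULT Auth-Type := Reject
"""

# The same gate without Auth-Type := Accept: members still have to authenticate.
GATED_USERS = """
DEFAULT LDAP-Group == foo
DEFAULT LDAP-Group == bar
DEFAULT Auth-Type := Reject
"""

# Fall-Through on the group entry keeps walking and lands on the final Reject.
FALL_THROUGH_USERS = """
DEFAULT LDAP-Group == foo
\tFall-Through = Yes
DEFAULT Auth-Type := Reject
"""

if __name__ == "__main__":
    for label, text in (("accept", ACCEPT_USERS), ("gated", GATED_USERS), ("fall-through", FALL_THROUGH_USERS)):
        for user, ok in (("alice", False), ("alice", True), ("carol", True)):
            print(f"{label:12} {user:6} password_ok={ok!s:5} -> {decide(text, user, ok)}")
```

Run it as a script to print a matrix of outcomes; the "accept" list lets alice in with a wrong password, the "gated" list rejects her, and the Fall-Through variant rejects her even with a correct password.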


Re: FreeRADIUS and LDAP Groups

2008-12-12 Thread Tim Gustafson
 Add: DEFAULT   Auth-Type := Reject

Awesome, that worked.

So, if I wanted to enable multiple LDAP groups, would this be the correct 
syntax:

DEFAULT LDAP-Group == foo, Auth-Type := Accept
DEFAULT LDAP-Group == bar, Auth-Type := Accept
DEFAULT LDAP-Group == baz, Auth-Type := Accept
DEFAULT Auth-Type := Reject

Tim Gustafson
SOE Webmaster
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS and LDAP Groups

2008-12-11 Thread tnt
In my users I have

DEFAULT LDAP-Group == foo

However, even with these configuration options set, anyone with a valid login 
and password can authenticate right now.  In my radiusd -X I see:

rlm_ldap: performing search in dc=blah, with filter (&(cn=foo)(memberUid=test))
rlm_ldap: object not found or got ambiguous search result

But it then goes on to authenticate the user anyhow:

rlm_ldap: user test authorized to use remote access

I looked around on Google, and I see -lots- of stuff about configuring LDAP 
group checks, but I haven't found anything that's all too helpful right now.  
Is there some option that I have to set to tell the system to ignore a user 
that's not in the proper group?

Add:

DEFAULT   Auth-Type := Reject

at the end of the users file. If none of the groups match user will be
rejected even with the correct password.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius 2.0.5 %{Ldap-UserDn} not correctly expanded ?

2008-07-02 Thread Alan DeKok
[EMAIL PROTECTED] wrote:

 Trying to set up group membership filtering against LDAP group membership 
 for user authentication and authorization; it seems that %{Ldap-UserDn} is 
 not correctly expanded (shown as blank) in my conf.
 Has anyone experienced the same problems, or any idea about what is wrong 
 in my conf?

  In 2.0, it's in %{check:LDAP-UserDn}, I think.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Ref.: Re: Freeradius 2.0.5 %{Ldap-UserDn} not correctly expanded ?

2008-07-02 Thread Pierre . Strazza-prestataire
Thanks a lot, that was the point.
Pierre



[EMAIL PROTECTED] wrote:

 Trying to set up group membership filtering against LDAP group membership 
 for user authentication and authorization; it seems that %{Ldap-UserDn} is 
 not correctly expanded (shown as blank) in my conf.
 Has anyone experienced the same problems, or any idea about what is wrong 
 in my conf?

  In 2.0, it's in %{check:LDAP-UserDn}, I think.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius and LDAP/AD username/password check

2008-02-18 Thread Alan DeKok
Mats Blomgren B wrote:
 Today I check the etc/passwd for the usernames and passwords and
 fetch the user's default group from etc/passwd.

  I'm not so sure...

 #/usr/local/etc/raddb/users
 DEFAULT Group == admin-network, Auth-Type = System

  This checks /etc/groups, via the getgrent() call.  It sees if the user
is a member of that group, not if that is the user's default group.

 I have been browsing the mailing list, wiki and google trying to find
 out if anyone has done the following:
 1. I want to check the username/password against LDAP/AD instead of
 directly towards etc/passwd.

  Configure the LDAP module.  See the various howto's.

 2. After that I would like to continue by fetching the user's default
 group from the Solaris 10 system (/etc/passwd) to give it rights
 depending on which group the user belongs to.

  You don't have to change anything in your current configuration.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius with ldap

2007-03-26 Thread Martin Gadbois

satish patel wrote:

   I am going to install freeradius with ldap, but my
 problem is I'm confused about ldap and chap. I want to implement VPDN and
 users authenticate through ldap, so will CHAP work or not? How can I
 configure the ldif file for users, where I will define attributes? Is there
 any site regarding ldap with freeradius?
 

Does the LDAP database contain the clear-text password? Unless it does,
you can't use CHAP for authentication. Use PAP if you don't.

Active Directory allows doing MS-CHAPv2 against the system.

- --
== +-+
Martin Gadbois | Please answer by yes or no.|
Sr. SW Designer| Uncooperative user waste precious CPU time |
Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969  |
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius 1.1.4 + LDAP + PEAP/mschapv2

2007-02-19 Thread Alan DeKok
Baptiste Delporte wrote:
 Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid LM-Password
 Mon Feb 19 09:30:08 2007 : Error: rlm_mschap: Invalid NT-Password

  That happens only when an LM-Password and NT-Password are added for
the user, AND where they're not the right format.

 Authentication works perfectly with the same config files (eap.conf, 
 radiusd.conf, users...) with an older version (1.0.1 and even 1.1.3) of 
 freeradius on the same server.

  Run the server in debugging mode in 1.1.3, and in 1.1.4.  See what's
different.

  The PAP module changed in 1.1.4, but I don't see why it would break
MSCHAP.

 In both cases, I get this line when I run freeradius in debug mode :
 
 rlm_pap: WARNING! No known good password found for the user.  
 Authentication may fail because of this.

  That happens if there's no way to authenticate the user.  But it
shouldn't result in the above messages from the mschap module.

 And I can't find if there's a link between that warning and the 
 authentication failure for some of my users.

  Perhaps you could try posting the whole debug output, rather than tiny
pieces.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius and LDAP

2006-12-03 Thread Alan DeKok
Sundaram Divya-QDIVYA1 wrote:
 What I need to understand is how to integrate FreeRADIUS with
 an LDAP Server without exposing the (crypted) password hashes.
 Any pointers on what I need to do for that?

  Bind as the LDAP user.  PAP will work, nothing else will.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE : FreeRadius and LDAP

2006-12-01 Thread Thibault Le Meur


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Sundaram Divya-QDIVYA1
 Sent: Thursday, 30 November 2006 23:51
 To: freeradius-users@lists.freeradius.org
 Subject: FreeRadius and LDAP
 

 We don't use openldap or eDirectory - which is what the docs 
 are derived from.

This shouldn't be an issue if your directory is really LDAP compliant.

 The information for FreeRADIUS and LDAP seems to 
 suggest that I need to provide access to the LDAP server's 
 password to the service account that the FreeRADIUS Server uses.

This is often required, but not always: if you are using an authentication
protocol that transmits the password in cleartext to the radius server (such
as PAP), you can avoid this.

 What I need to understand is how to integrate FreeRADIUS with 
 an LDAP Server without exposing the (crypted) password 
 hashes. Any pointers on what I need to do for that?

* Enable the ldap module in the authorize section (so that Auth-Type is set
to LDAP [FR = 1.1.3])
  * if you are running FR = 1.1.3 then you'll have to set Auth-Type = LDAP
manually (see the users file from rlm_files or the rlm_sql module)
* Enable the ldap module in the authenticate section as well (so that a
simple ldap bind authentication is performed)
* In the ldap configuration section, you can use an LDAP account that does not
have read access to the userPassword attribute

BUT
===
Remember that this is NOT compatible with a lot of authentication protocols
(MSCHAP, CHAP, PEAP, ...).
It is working for PAP and EAP-TTLS/PAP.

HTH,
Thibault



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: freeradius 802.11x + ldap

2006-04-27 Thread ludovic cailleau
Good morning,

I am sending this email because I haven't found my error with freeradius + ldap.
I think I have an error with the userPassword. You can see the output of
radiusd -X below. Thanks for your help.

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = "10.49.0.101"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=adminlp,o=crt"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "azerty"
ldap: basedn = "o=crt"
ldap: filter = "(&(objectclass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "(null)"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambaAcctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusVSA mapped to RADIUS Symbol-SSID
rlm_ldap: LDAP userPassword mapped to RADIUS User-Password
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP 

Re: Freeradius and LDAP : to be continued

2005-12-16 Thread Christophe Gravier

Phil Mayers wrote:


Christophe Gravier wrote:



My passwords are not stored in LDAP in clear text but hashed using the SHA 
algorithm, so this won't work ;-(




Ok, let's take a breath. First things first:

If your passwords are in SHA (which they are) your Radius server will 
ONLY be able to answer PAP requests.


The very first log you sent in this thread indicates you have 
ChilliSpot set to use CHAP:



rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication. 
Cannot use CHAP-Password.

 modcall[authenticate]: module ldap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.

'''Cannot use CHAP-Password''' - indicates the request (from 
ChilliSpot) came in with CHAP credentials.


First, fix that. See here:

http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html



Next, since you have SHA passwords and can only answer PAP, you have 
two choices:


 1. Extract the SHA password and add it to the config items, then 
configure the Radius servers PAP module to check it:


modules {
  pap {
encryption_scheme = sha1
  }
  ldap {
# settings go here
  }
}

authorize {
  preprocess
  ldap
}
authenticate {
  Auth-Type PAP {
pap
  }
}

HOWEVER - this may not work. The SHA that your LDAP server uses may 
be slightly different (salting, keying) than the SHA FreeRadius uses.


Much more likely to trip you up though, is when ldap matches in 
authorize, it will set Auth-Type = LDAP, so you either need to disable 
that or otherwise make it work and there are about 6 different ways 
of doing that. The most obvious would be to replace the above with:


modules { as before }
authorize { as before }
authenticate {
  Auth-Type LDAP {
pap
  }
}



I want to make "set Auth-Type = LDAP" work by making this Auth-Type 
use the pap configuration. (Correct me if I'm wrong.)


I followed what you advised:
- configure chilli uamsecret and uampassword
- put pap configuration in module section
- check ldap configuration in module
- put ldap in authorize
- put Auth-Type LDAP { pap } in authenticate.

Now things got through pap indeed, but I'm told:
rlm_pap: No password (or empty password) to check against for for user 
gravier.christophe


I think I totally misunderstand your sentence: Extract the SHA password 
and add it to the config items. I thought it means to add the mapping 
checkItem User-Password userPassword in ldap.attrmap (where 
userPassword is my attribute for SHA password). As it didn't work I used 
the password_attribute conf entry in ldap configuration (module 
section), but as I expected it has the same consequence.


Could you please, be more precise about the extraction of SHA password ? 
Is there an additional conf entry for pap in module section ?


Here is the complete trace:

rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter 
(uid=gravier.christophe)

rlm_ldap: checking if remote access for gravier.christophe is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = gravier.christophe, looking up 
realm NULL

   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
   users: Matched entry DEFAULT at line 158
 modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_pap: login attempt by gravier.christophe with password <here the 
trace prints my password in plain text, normal?>
rlm_pap: No password (or empty password) to check against for for user 
gravier.christophe

 modcall[authenticate]: module pap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0


But it might not work. Alternatively and probably simpler (but less 
formally correct) is the 2nd method:


 2. Configure the LDAP module to find the user, set Auth-Type==LDAP 
then authenticate the user via simple bind:


authorize {
  preprocess
  ldap
}
authenticate {
  Auth-Type LDAP {
ldap
  }
}

...and assuming the ldap 
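
The constraint that runs through this thread, and through Thibault's earlier list above (bind-based or hash-based LDAP authentication works for PAP and EAP-TTLS/PAP but "is NOT compatible with MSCHAP, CHAP, PEAP"), comes down to what the RADIUS server holds when the request arrives. The following Python is an added example, not code from the thread or from FreeRADIUS: it generates OpenLDAP-style {SHA} and {SSHA} userPassword values with a constructed salt, verifies them the way a PAP check can (re-hash the cleartext from the request and compare), and then shows that a CHAP response (RFC 1994, MD5 over identifier, secret and challenge) can only be recomputed when the cleartext secret itself is stored. Password, salt and challenge are constructed for the example.

```python
"""Why hashed LDAP passwords limit a RADIUS server to PAP (added example, not FreeRADIUS code).

The userPassword values are generated here from a constructed salt; nothing is read
from a directory. PAP verification re-derives the stored hash from the cleartext in
the request; CHAP verification needs the cleartext secret and cannot use a hash.
"""
import base64
import hashlib
import hmac
from typing import Optional


def make_sha(password: str) -> str:
    """OpenLDAP-style {SHA} userPassword: base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} userPassword: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_pap(stored: str, candidate: str) -> bool:
    """PAP: the request carries the cleartext, so any one-way hash can be re-derived and compared."""
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = blob[:20], blob[20:]  # SHA-1 digests are 20 bytes; the rest is the salt
        return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(candidate.encode()).digest(), digest)
    if stored.startswith("{"):
        raise ValueError(f"unsupported password scheme in {stored[:8]}...")
    return hmac.compare_digest(stored.encode(), candidate.encode())  # no header: cleartext


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge). Needs the cleartext secret."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def check_chap(stored: str, ident: int, challenge: bytes, response: bytes) -> Optional[bool]:
    """CHAP: returns None when only a hash is stored, because the expected response cannot be computed."""
    if stored.startswith("{"):
        return None
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)


if __name__ == "__main__":
    salt = b"\x8e\x12\x47\x01"      # constructed salt
    challenge = bytes(range(16))    # constructed CHAP challenge
    for stored in ("s3cret", make_sha("s3cret"), make_ssha("s3cret", salt)):
        pap = check_pap(stored, "s3cret")
        chap = check_chap(stored, 1, challenge, chap_response(1, "s3cret", challenge))
        print(f"{stored[:12]:14} PAP={pap!s:5} CHAP={chap}")
```

The same reasoning applies to MS-CHAP and PEAP/MSCHAPv2, which need the NT hash (or the cleartext to derive it) rather than the cleartext itself; a {SHA} or {SSHA} value serves neither. The alternative the thread settles on, letting rlm_ldap bind as the user, sidesteps the hash entirely but again only works when the cleartext arrives in the request, which is why it is PAP-only as well.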

Re: Freeradius and LDAP : to be continued

2005-12-15 Thread Christophe Gravier

Christophe Gravier wrote:


Alan DeKok wrote:


[EMAIL PROTECTED] wrote:
 


rlm_ldap: Adding userPassword as User-Password, value {  op=11
  



 That's better.

 


modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type LDAP
  



 Yuck.

 My quick answer is to edit rlm_ldap.c to have it *never* set
Auth-Type to LDAP.  That would solve a lot of problems.
 


Indeed, I have no rlm-ldap.so ;-(
(I did apt-get install freeradius-ldap on my debian box ...)



Whoa, I was kind of tired (or in a hurry).
I of course meant:
I have no rlm_ldap.c ...




 Alan DeKok.
- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


 







--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius and LDAP : to be continued

2005-12-15 Thread Phil Mayers

Alan DeKok wrote:

[EMAIL PROTECTED] wrote:

rlm_ldap: Adding userPassword as User-Password, value {  op=11


  That's better.


modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP


  Yuck.

  My quick answer is to edit rlm_ldap.c to have it *never* set
Auth-Type to LDAP.  That would solve a lot of problems.


Interesting. I mentioned this to another querier the other day:

http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html

What then would the authenticate section look like to use LDAP? 
Presumably something like:


authenticate {
  Auth-Type PAP {
ldap
  }
}

...but of course then you get into what happens if you want 2 different 
services in the same server, such as:


authenticate {
  Auth-Type PAP-service1 {
ldap1
  }
  Auth-Type PAP-service2 {
ldap2
  }
  Auth-Type MSCHAP-service1 {
mschap1
  }
  Auth-Type MSCHAP-service2 {
mschap2
  }
}

...etc. - nasty. Is it possible to do:

authenticate {
  Huntgroup Service1 {
Auth-Type PAP {
  ldap1
}
Auth-Type MSCHAP {
  mschap1
}
  }

  Huntgroup Service2 {
Auth-Type PAP {
  ldap2
}
Auth-Type MSCHAP {
  mschap2
}
  }
}

...although Realm might make more sense than Huntgroup in 
understanding what I mean.


There's also the possibility of wanting to use fallback:

authenticate {
  Auth-Type PAP {
ldap
pap
  }
}

...although I'm pretty sure you can do that with configurable failover 
and the above syntax is wrong.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius and LDAP : to be continued

2005-12-15 Thread Christophe Gravier

Phil Mayers wrote:


Alan DeKok wrote:


[EMAIL PROTECTED] wrote:


rlm_ldap: Adding userPassword as User-Password, value {  op=11



  That's better.


modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP



  Yuck.

  My quick answer is to edit rlm_ldap.c to have it *never* set
Auth-Type to LDAP.  That would solve a lot of problems.



Interesting. I mentioned this to another querier the other day:

http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.html 




Ar. You lost me.

Still not working.
I can't imagine I'm unable to make freeradius use the LDAP password without 
hacking it :-/




What then would the authenticate section look like to use LDAP? 
Presumably something like:


authenticate {
  Auth-Type PAP {
ldap
  }
}

...but of course then you get into what happens if you want 2 
different services in the same server, such as:


authenticate {
  Auth-Type PAP-service1 {
ldap1
  }
  Auth-Type PAP-service2 {
ldap2
  }
  Auth-Type MSCHAP-service1 {
mschap1
  }
  Auth-Type MSCHAP-service2 {
mschap2
  }
}

...etc. - nasty. Is it possible to do:

authenticate {
  Huntgroup Service1 {
Auth-Type PAP {
  ldap1
}
Auth-Type MSCHAP {
  mschap1
}
  }

  Huntgroup Service2 {
Auth-Type PAP {
  ldap2
}
Auth-Type MSCHAP {
  mschap2
}
  }
}

...although Realm might make more sense than Huntgroup in 
understanding what I mean.


There's also the possibility of wanting to use fallback:

authenticate {
  Auth-Type PAP {
ldap
pap
  }
}

...although I'm pretty sure you can do that with configurable failover 
and the above syntax is wrong.
- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html





--
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius and LDAP : to be continued

2005-12-15 Thread Seferovic Edvin
Hello,

I must admit, I have been reading this thread, but I still do not understand
what Christophe is trying to accomplish. As far as I understand - you have
your passwords in LDAP, and you only ( kind of ) need to authorize but NOT
authenticate users that are in your LDAP directory.. 

Please correct me...

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christophe Gravier
Sent: Thursday, 15 December 2005 16:05
To: FreeRadius users mailing list
Subject: Re: Freeradius and LDAP : to be continued

Phil Mayers wrote:

 Alan DeKok wrote:

 [EMAIL PROTECTED] wrote:

 rlm_ldap: Adding userPassword as User-Password, value {  op=11


   That's better.

 modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type LDAP


   Yuck.

   My quick answer is to edit rlm_ldap.c to have it *never* set
 Auth-Type to LDAP.  That would solve a lot of problems.


 Interesting. I mentioned this to another querier the other day:


http://lists.freeradius.org/pipermail/freeradius-users/2005-December/049221.
html 



Ar. You lost me.

Still not working.
I can't imagine I'm unable to make freeradius use the LDAP password without 
hacking it :-/


 What then would the authenticate section look like to use LDAP? 
 Presumably something like:

 authenticate {
   Auth-Type PAP {
 ldap
   }
 }

 ...but of course then you get into what happens if you want 2 
 different services in the same server, such as:

 authenticate {
   Auth-Type PAP-service1 {
 ldap1
   }
   Auth-Type PAP-service2 {
 ldap2
   }
   Auth-Type MSCHAP-service1 {
 mschap1
   }
   Auth-Type MSCHAP-service2 {
 mschap2
   }
 }

 ...etc. - nasty. Is it possible to do:

 authenticate {
   Huntgroup Service1 {
 Auth-Type PAP {
   ldap1
 }
 Auth-Type MSCHAP {
   mschap1
 }
   }

   Huntgroup Service2 {
 Auth-Type PAP {
   ldap2
 }
 Auth-Type MSCHAP {
   mschap2
 }
   }
 }

 ...although Realm might make more sense than Huntgroup in 
 understanding what I mean.

 There's also the possibility of wanting to use fallback:

 authenticate {
   Auth-Type PAP {
 ldap
 pap
   }
 }

 ...although I'm pretty sure you can do that with configurable failover 
 and the above syntax is wrong.
 - List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html



-- 
Christophe Gravier
Laboratoire DIOM, groupe SATIn - Doctorant
ISTASE - Ingénieur d'études
Perso: http://perso.univ-st-etienne.fr/gravchri/
SATIn: http://www.istase.com/satin
Tel : 04 7748 5034
A mediter: http://www.fsffrance.org/news/article2005-11-25.fr.html



Re: Freeradius and LDAP : to be continued

2005-12-15 Thread Christophe Gravier

Hello Edvin,

First, I received my email posted to the list several times in my mail 
client.
I highly hope this is not the case for all of you! (If it is, Thunderbird 
didn't like to switch from the testing wireless network back to cable 
and vice versa, since they're all dated to the same hour.)

If you received only one mail, it is OK, just forget what I said ;-)

For what I am trying to do:
I have an existing LDAP directory with all users being able to connect 
to the wireless area.

The hotspot architecture is:

client -> chillispot (login page served with apache2 + ssl) -> 
freeradius -> ldap.

I just want my ldap users to be able to connect to the hotspot.

So, *at first*, I edited the conf file to let users be authenticated via 
LDAP.

This way, radtest was just OK but not ChilliSpot. When I reported it to 
the list, asking how radtest is different from chillispot login, Alan 
explained to me:
 You're using LDAP as an authentication server. Don't do that. Use LDAP 
to store passwords.
i.e. remove the ldap entry from the authenticate section. Get 
radtest to work. Once that works, Chillispot will work, too.

So I removed ldap from authenticate (I left it in the authorize section 
though).

But it still doesn't solve the problem.

In the end, Alan proposed to hack rlm_ldap.c to have it *never* set 
Auth-Type to LDAP. That would solve a lot of problems.

I just find it dirty to hack the radius then recompile to get ldap 
support :-(

If you're using LDAP for your users accessing the hotspot, would you 
please tell me how you achieved this?


Best Regards,

Seferovic Edvin wrote:


Hello,

I must admit, I have been reading this thread, but I still do not understand
what Christophe is trying to accomplish. As far as I understand - you have
your passwords in LDAP, and you only (kind of) need to authorize but NOT
authenticate users that are in your LDAP directory.


Please correct me...

Regards,

Edvin



RE: Freeradius and LDAP : to be continued

2005-12-15 Thread Seferovic Edvin
Hi,

Rather confusing. I have to admit, I have never used chillispot, but I've
just visited their website and in the FAQ I found "Why should I use
CHAP-Challenge and CHAP-Password?" so this makes me think that Chillispot
uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as
authorisation, but as a password storage. Okay - great.. what now?

When you look at your radiusd.conf file there is a part where you can define
your LDAP server etc.

ldap ldap_users {

    server = 81.xx
    # identity = cn=admin,o=My Org,c=UA
    # password = mypass
    basedn = ou=People,dc=xxx,dc=xx
    # the "&" (AND) is required for a filter with two terms
    filter = (&(objectClass=posixAccount)(uid=%u))

    start_tls = no

    ..
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap

    ldap_connections_number = 10
    # password_header = {clear}
    password_attribute = userPassword
    timeout = 4
    timelimit = 3
    net_timeout = 1
    # compare_check_items = yes
    # access_attr_used_for_allow = yes
}

I hope you have that right (this is only a part of my working config).
Next, what Alan said is to change the authorisation part. As I said -
chillispot apparently wants CHAP, so in the following section use CHAP:

authorize {

    #  The chap module will set 'Auth-Type := CHAP' if we are
    #  handling a CHAP request and Auth-Type has not already been set
    chap

    # here you can also have 
    ldap_users
    # for radtest to work ( IMHO it should be like this ) 
}

And in 

authenticate {

    #  Most people want CHAP authentication
    #  A back-end database listed in the 'authorize' section
    #  MUST supply a CLEAR TEXT password.  Encrypted passwords
    #  won't work.
    Auth-Type CHAP {
        chap
        ldap_users
    }
}

As it says in the authenticate section - passwords in LDAP should be in clear
text... 

Try this out. I cannot promise you that it will work, but it is the same way
I have set up my POPTOP server with MS-CHAP, and it works. I would also
appreciate some guru taking a look at this and publishing his opinion about
this on this list ;)

Kind regards,

Edvin


Re: Freeradius and LDAP : to be continued

2005-12-15 Thread Damjan
 rather confusing. I have to admit, I have never used chillispot, but I've
 just visited their website and in FAQ I found Why should I use
 CHAP-Challenge and CHAP-Password? so this makes me think that Chillispot
 uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as
 authorisation, but as a password storage. Okay - great.. what now?

You can set up chillispot to use PAP too.
See the documentation about uamsecret.


-- 
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!


Re: Freeradius and LDAP : to be continued

2005-12-15 Thread Christophe Gravier

Seferovic Edvin wrote:


Hi,

Rather confusing. I have to admit, I have never used chillispot, but I've
just visited their website and in the FAQ I found "Why should I use
CHAP-Challenge and CHAP-Password?" so this makes me think that Chillispot
uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as
authorisation, but as a password storage. Okay - great.. what now?

 


This is a really good summary of the situation ;-)


When you look at your radiusd.conf file there is a part where you can define
your LDAP server etc.. 


ldap ldap_users {

   server = 81.xx
   # identity = cn=admin,o=My Org,c=UA
   # password = mypass
   basedn = ou=People,dc=xxx,dc=xx
   filter = (&(objectClass=posixAccount)(uid=%u))

   start_tls = no

   ..
   # Mapping of RADIUS dictionary attributes to LDAP
   # directory attributes.
   dictionary_mapping = ${raddbdir}/ldap.attrmap

   ldap_connections_number = 10
   # password_header = {clear}
   password_attribute = userPassword
   timeout = 4
   timelimit = 3
   net_timeout = 1
   # compare_check_items = yes
   # access_attr_used_for_allow = yes
   }

I hope you have that right ( this is only a part of my working config ).
 


I have:
   ldap {
       server = my.server.name.here
       basedn = ou=person,o=istase,c=fr
       filter = (uid=%{Stripped-User-Name:-%{User-Name}})
       start_tls = no
       dictionary_mapping = ${raddbdir}/ldap.attrmap
       ldap_connections_number = 5
       timeout = 4
       timelimit = 3
       net_timeout = 1
   }

I think this shall be rather good since I can see it searching in the ldap 
log if I launch slapd in debug mode. (nentries = 1: OK, it finds my 
userPassword using this filter - my filter seems different from yours.)
Also, the User-Password -> userPassword mapping is done in ldap.attrmap in 
my case.



Next, what Alan said is to change the authorisation part. As I said -
chillispot apparently wants CHAP, so in the following section use CHAP:

authorize {

    #  The chap module will set 'Auth-Type := CHAP' if we are
    #  handling a CHAP request and Auth-Type has not already been set
    chap

    # here you can also have 
    ldap_users
    # for radtest to work ( IMHO it should be like this ) 
}

And in 

authenticate {

    #  Most people want CHAP authentication
    #  A back-end database listed in the 'authorize' section
    #  MUST supply a CLEAR TEXT password.  Encrypted passwords
    #  won't work.
    Auth-Type CHAP {
        chap
        ldap_users
    }
}

As it says in the authenticate section - passwords in LDAP should be in clear
text... 
 

My passwords are not stored in LDAP in clear text but hashed using the SHA 
algorithm, so this won't work ;-(




Re: Freeradius and LDAP : to be continued

2005-12-15 Thread Frank Bonnet

Hello

I have a chillispot that works with OpenLDAP
on a Debian box.

Here are the modifications in radiusd.conf I wrote:

# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication (Auth-Type := LDAP)
#
#  See doc/rlm_ldap for description of configuration options
#  and sample authorize{} and authenticate{} blocks
ldap {
    server = your.ldap.server
    basedn = ou=Person,dc=domain,dc=
    #filter = (&(posixAccount)(uid=%u))
    filter = (uid=%{Stripped-User-Name:-%{User-Name}})
    # base_filter = (objectclass=radiusprofile)
    access_attr = uid

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
}

hope this helps
--
Cordialement
Frank Bonnet


Re: Freeradius and LDAP : to be continued

2005-12-15 Thread Christophe Gravier

Frank Bonnet wrote:


Hello

I have a chillispot that works with OpenLDAP
on a Debian box


Strictly the same thing I want to achieve indeed! ;-)
How are your passwords stored in your LDAP? (clear? hashed?)

Moreover, apart from this configuration of the ldap remote server, what did 
you put in the authorize and authenticate sections?
What did you put in ldap.attrmap, only the mapping of the user 
password?

I must admit I am losing my common sense here :-)





Re: Freeradius and LDAP : to be continued

2005-12-15 Thread Phil Mayers

Christophe Gravier wrote:


My password are not stored in LDAP in clear text but hashed using SHA 
algorythm, so this won't work ;-(



Ok, let's take a breath. First things first:

If your passwords are in SHA (which they are) your Radius server will 
ONLY be able to answer PAP requests.


The very first log you sent in this thread indicates you have ChilliSpot 
set to use CHAP:



rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication. 
Cannot use CHAP-Password.

 modcall[authenticate]: module ldap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.

'''Cannot use CHAP-Password''' - indicates the request (from 
ChilliSpot) came in with CHAP credentials.


First, fix that. See here:

http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html



Next, since you have SHA passwords and can only answer PAP, you have two 
choices:


 1. Extract the SHA password and add it to the config items, then 
configure the Radius server's PAP module to check it:


modules {
  pap {
encryption_scheme = sha1
  }
  ldap {
# settings go here
  }
}

authorize {
  preprocess
  ldap
}
authenticate {
  Auth-Type PAP {
pap
  }
}

HOWEVER - this may not work. The SHA that your LDAP server uses may be 
slightly different (salting, keying) than the SHA FreeRadius uses.


Much more likely to trip you up, though, is that when ldap matches in 
authorize, it will set Auth-Type = LDAP, so you either need to disable 
that or otherwise make it work, and there are about 6 different ways of 
doing that. The most obvious would be to replace the above with:


modules { as before }
authorize { as before }
authenticate {
  Auth-Type LDAP {
pap
  }
}

But it might not work. Alternatively and probably simpler (but less 
formally correct) is the 2nd method:


 2. Configure the LDAP module to find the user, set Auth-Type==LDAP 
then authenticate the user via simple bind:


authorize {
  preprocess
  ldap
}
authenticate {
  Auth-Type LDAP {
ldap
  }
}

...and assuming the ldap module is set up correctly, what will happen is:

A. authorize called
 1. preprocess called
 2. suffix realm called - no-op probably
 3. files called - no-op probably but DO NOT SET Auth-Type
 4. ldap called - search succeeds, and Ldap-UserDN is set, and 
Auth-Type set to LDAP


B. authenticate called
 1. Auth-Type == LDAP, so ldap called and simple bind performed

And it WILL WORK.

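Phil's point above, that SHA-hashed userPassword values in the directory can only satisfy PAP, and Christophe's follow-up question of why the server cannot just hash the incoming password itself, as an added Python example (not FreeRADIUS, OpenLDAP or ChilliSpot code, and not from anyone on the thread). It models an RFC 2307 {SHA}/{SSHA} value, the re-hash check that pap with encryption_scheme = sha1 relies on, and the RFC 1994 CHAP computation that needs the cleartext; the password, salt and challenge are constructed.

```python
"""Why PAP can be checked against a hashed LDAP userPassword and CHAP cannot.

Added example for this thread, not FreeRADIUS/OpenLDAP code. Sample data
(password, salt, challenge) is constructed.
"""
import base64
import hashlib
import hmac
import os


def ldap_hash(password, scheme="SSHA", salt=None):
    """Build an RFC 2307 userPassword value the way slapd stores it.
    {SHA}  = base64(SHA1(password))
    {SSHA} = base64(SHA1(password || salt) || salt), salt appended in clear.
    """
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt  # constructed if not given
        digest = hashlib.sha1(password.encode() + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: %r" % scheme)


def pap_check(user_password, stored):
    """PAP: the cleartext arrives in User-Password, so the server can re-hash it
    and compare. This is what Phil's method 1 (pap, encryption_scheme = sha1)
    relies on. {SSHA} is the 'slightly different SHA (salting)' he warns about:
    the salt must be pulled off the end of the decoded value before hashing."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        expected = hashlib.sha1(user_password.encode() + salt).digest()
    elif stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        expected = hashlib.sha1(user_password.encode()).digest()
    else:
        return False  # {clear}, {crypt}, ... not handled by this example
    return hmac.compare_digest(digest, expected)


def chap_response(ident, secret, challenge):
    """What the client (here ChilliSpot) puts in CHAP-Password, RFC 1994:
    one identifier byte followed by MD5(ident || secret || challenge)."""
    ident_byte = bytes([ident])
    return ident_byte + hashlib.md5(ident_byte + secret.encode() + challenge).digest()


def chap_check(chap_password, challenge, cleartext_secret):
    """Server-side CHAP verification. It can only be computed from the
    cleartext secret: SHA1(secret) cannot be turned into
    MD5(ident || secret || challenge). With only a {SHA} value in the
    directory the server has nothing to feed in, hence the thread's
    'Attribute User-Password is required ... Cannot use CHAP-Password'."""
    ident = chap_password[0]
    expected = chap_response(ident, cleartext_secret, challenge)
    return hmac.compare_digest(chap_password, expected)


def can_answer_chap(stored):
    """Mirror of the radiusd.conf comment quoted in the thread: a back-end
    listed in authorize MUST supply a CLEAR TEXT password for CHAP."""
    return stored.startswith("{clear}") or not stored.startswith("{")


# Constructed directory contents for a test user (fixed salt for reproducibility).
STORED_SSHA = ldap_hash("correct horse", "SSHA", salt=b"\x01\x02\x03\x04")
STORED_SHA = ldap_hash("correct horse", "SHA")


def demo():
    challenge = b"\x00" * 16  # constructed 16-byte CHAP challenge
    print("PAP, right password vs {SSHA}:", pap_check("correct horse", STORED_SSHA))
    print("PAP, wrong password vs {SSHA}:", pap_check("wrong", STORED_SSHA))
    print("CHAP answerable from {SHA}?  :", can_answer_chap(STORED_SHA))
    # CHAP works only when the directory hands back cleartext ({clear}):
    resp = chap_response(1, "correct horse", challenge)
    print("CHAP vs cleartext secret     :", chap_check(resp, challenge, "correct horse"))


if __name__ == "__main__":
    demo()
```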

Re: Freeradius and LDAP : to be continued

2005-12-15 Thread christophe.gravier
 Christophe Gravier wrote:

 My password are not stored in LDAP in clear text but hashed using SHA
 algorythm, so this won't work ;-(


 Ok, let's take a breath.

Yes, I agree, that's why I quit for today ;-)

 First things first:

 If your passwords are in SHA (which they are) your Radius server will
 ONLY be able to answer PAP requests.

Hmm, that explains why I'll never make it with CHAP.
I thought it would be able to get the plain text password, then use SHA to
match it against ldap... But it seems PAP is required to do that
(regarding your method 1.)

 The very first log you sent in this thread indicates you have
 ChilliSpot  set to use CHAP:


 rlm_ldap: - authenticate
 rlm_ldap: Attribute User-Password is required for authentication.
 Cannot use CHAP-Password.
  modcall[authenticate]: module ldap returns invalid for request 0
 modcall: group Auth-Type returns invalid for request 0
 auth: Failed to validate the user.

 '''Cannot use CHAP-Password''' - indicates the request (from
 ChilliSpot) came in with CHAP credentials.

 First, fix that. See here:

 http://archives.free.net.ph/message/20051025.180818.4d829f18.en.html


First thing I'll do back to work.



 Next, since you have SHA passwords and can only answer PAP, you have
 two  choices:

  1. Extract the SHA password and add it to the config items, then
 configure the Radius servers PAP module to check it:

 modules {
   pap {
 encryption_scheme = sha1
   }
   ldap {
 # settings go here
   }
 }

 authorize {
   preprocess
   ldap
 }
 authenticate {
   Auth-Type PAP {
 pap
   }
 }

 HOWEVER - this may not work. The SHA that your LDAP server uses may
 be  slightly different (salting, keying) than the SHA FreeRadius uses.

 Much more likely to trip you up though, is when ldap matches in
 authorize, it will set Auth-Type = LDAP, so you either need to disable
 that or otherwise make it work and there are about 6 different ways
 of  doing that. The most obvious would be to replace the above with:

 modules { as before }
 authorize { as before }
 authenticate {
   Auth-Type LDAP {
 pap
   }
 }

 But it might not work. Alternatively and probably simpler (but less
 formally correct) is the 2nd method:

  2. Configure the LDAP module to find the user, set Auth-Type==LDAP
 then authenticate the user via simple bind:

 authorize {
   preprocess
   ldap
 }
 authenticate {
   Auth-Type LDAP {
 ldap
   }
 }

 ...and assuming the ldap modules is setup correctly, what will happen
 is:

 A. authorize called
  1. preprocess called
  2. suffix realm called - no-op probably
  3. files called - no-op probably but DO NOT SET Auth-Type
  4. ldap called - search succeeds, and Ldap-UserDN is set, and
 Auth-Type set to LDAP

 B. authenticate called
  1. Auth-Type == LDAP, so ldap called and simple bind performed

 And it WILL WORK.

Thank you a lot, things are getting a little clearer now.
I will try these settings tomorrow morning, method 1 first and then method 2.

I am really thankful for the quality of your answer and the time you spent
writing it down.
Cheers,

Christophe.



Re: Freeradius and LDAP : to be continued

2005-12-15 Thread Alan DeKok
Phil Mayers [EMAIL PROTECTED] wrote:
 Ok, let's take a breath. First things first:
...

  Could this be a Wiki page?

  Alan DeKok.


Re: Freeradius and LDAP : to be continued

2005-12-14 Thread Alan DeKok
Christophe Gravier [EMAIL PROTECTED] wrote:
 auth: type LDAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group Auth-Type for request 0
 rlm_ldap: - authenticate
 rlm_ldap: Attribute User-Password is required for authentication. 
 Cannot use CHAP-Password.

  You're using LDAP as an authentication server.  Don't do that.  Use
LDAP to store passwords.

  i.e. remove the ldap entry from the authenticate section.  Get
radtest to work.  Once that works, Chillispot will work, too.

  Alan DeKok.



Re: Freeradius and LDAP : to be continued

2005-12-14 Thread Christophe Gravier

Alan DeKok wrote:


Christophe Gravier [EMAIL PROTECTED] wrote:
 


auth: type LDAP
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication. 
Cannot use CHAP-Password.
   



 You're using LDAP as an authentication server.  Don't do that.  Use
LDAP to store passwords.

 i.e. remove the ldap entry from the authenticate section.  Get
radtest to work.  Once that works, Chillispot will work, too.

 Alan DeKok.

 



That makes sense indeed.

Removing the ldap entry, radtest no longer works of course.

But as you already said
there: http://lists.cistron.nl/pipermail/freeradius-users/2004-October/037625.html
and there: http://lists.cistron.nl/pipermail/freeradius-users/2004-September/036629.html


 List ldap in the authorize section.  It's already there, just
un-comment it.

 And DON'T set Auth-Type := LDAP.


So I did:
   #  The ldap module will set Auth-Type to LDAP if it has not
   #  already been set
   ldap
and commented out the line that sets Auth-Type := LDAP.

But it's just not working!

The interesting part of the trace:
[...]
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter 
(uid=gravier.christophe)

rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = gravier.christophe, looking up 
realm NULL

   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: No EAP-Message, not doing EAP
 modcall[authorize]: module eap returns noop for request 0
   users: Matched entry DEFAULT at line 153
   users: Matched entry DEFAULT at line 157
 modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gravier.christophe
radius_xlat:  '(uid=gravier.christophe)'
radius_xlat:  'ou=person,o=istase,c=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter 
(uid=gravier.christophe)

rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type LDAP

 ERROR: Unknown value specified for Auth-Type.  Cannot perform 
requested action.

auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
[...]





Re: Freeradius and LDAP : to be continued

2005-12-14 Thread Alan DeKok
Christophe Gravier [EMAIL PROTECTED]wrote:
 Removing the ldap entry, radtest no longer works of course.

  Did you put ldap in the authorize section?  That would allow
radtest to work, as I said.

 rlm_ldap: looking for check items in directory...

  Can you say which LDAP server you're using?

  It is NOT returning the User-Password attribute.  My previous
message said that the goal was for the ldap module to return the
password in the authorize section.

  Make that work.  radtest will work, and then everything else will
work.

  Alan DeKok.


Re: Freeradius and LDAP : to be continued

2005-12-14 Thread christophe.gravier
 Christophe Gravier [EMAIL PROTECTED]wrote:
 Removing the ldap entry, radtest no longer works of course.

  Did you put ldap in the authorize section?  That would allow
 radtest to work, as I said.

Yes, I did as we said:
- I did put ldap (it was already there indeed) in the authorize section.
- I did remove ldap from authenticate (since ldap will only be a password
storage).

 rlm_ldap: looking for check items in directory...

  Can you say which LDAP server you're using?

ist-guizay:/root# /usr/sbin/slapd -V
@(#) $OpenLDAP: slapd 2.2.26 (Oct 31 2005 09:10:53) $

This is the slapd package on the current Debian testing tree. This is a v3
openldap server, if I am right.
If I make slapd log things and then observe what I've got on a freeradius request:
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 fd=10 ACCEPT from IP=161.3.50.125:1490 (IP=0.0.0.0:389)
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 BIND dn= method=128
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=0 RESULT tag=97 err=0 text=
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH base=ou=person,o=istase,c=fr scope=2 deref=0 filter=(uid=gravier.christophe)
Dec 14 21:48:03 ist-guizay slapd[31741]: conn=2 op=1 SRCH attr=radiusExpiration acctFlags ntPassword lmPassword
radiusCallingStationId radiusCalledStationId radiusSimultaneousUse eap
userPassword radiusCheckItem radiusLoginLATPort radiusPortLimit
radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork
radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode
radiusLoginLATService radiusTerminationAction radiusIdleTimeout
radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId
radiusCallbackNumber radiusLoginTCPPort radiusLoginService
radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId
radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask
radiusFramedIPAddress radiusFramedProtocol radiusServiceType
radiusReplyItem userPassword
Dec 14 21:50:47 ist-guizay slapd[31741]: <= bdb_equality_candidates: (uid) index_param failed (18)
Dec 14 21:50:47 ist-guizay slapd[31741]: conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

Whaou... person doesn't have all those attributes in my schema.
(Note that this search got a result: nentries = 1!)

I edited /etc/freeradius/ldap.attr, so that now the trace is a little more
correct:
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH base=ou=person,o=istase,c=fr scope=2 deref=0 filter=(uid=gravier.christophe)
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH attr=userPassword
Dec 14 21:55:27 ist-guizay slapd[31741]: <= bdb_equality_candidates: (uid) index_param failed (18)
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
(please ignore the bdb_equality_candidates).

I thought this had to do with the policy regarding access to the userPassword
attribute, so I gave full rights for a test via slapd.access.con: still not
good. (That sounds OK, since if it was a read/write/search/auth problem I
would have seen it in the slapd logging.)
I think it is OK with ldap because nentries = 1 for the search (it
finds me). The problem should be for freeradius to use that password to
match it against the one given by the user.

For authorize and authenticate I have:

authorize {
    preprocess
    chap
    mschap
    suffix
    files
    ldap
}


authenticate {
    Auth-Type PAP {
        pap
    }
    unix
    eap
}

As I said, I think this is freeradius related since openldap log that it
finds the userPassword for the given user and scope.
But I can't set freeradius in a more verbose mode to understand the problem.

I still receive:
(...)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for gravier.christophe
radius_xlat:  '(uid=gravier.christophe)'
radius_xlat:  'ou=person,o=istase,c=fr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ist-guizay.univ-st-etienne.fr:389, authentication 0
rlm_ldap: bind as / to ist-guizay.univ-st-etienne.fr:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=person,o=istase,c=fr, with filter (uid=gravier.christophe)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding userPassword as User-Password, value {  op=11
rlm_ldap: user gravier.christophe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.

When running /usr/sbin/freeradius -X -f


  It is NOT returning the User-Password attribute.  My previous
 message said that the goal was for the ldap module to return the
 password in the authorize section.

  Make that work.  radtest will work, and then everything else will
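
The slapd lines quoted in the post above are the evidence the poster reads by hand (nentries=1, attr=userPassword). As an added example, not part of this thread and not FreeRADIUS or OpenLDAP code, here is a small Python parser that groups slapd search log lines by conn/op and reports, per search, whether an entry matched and whether userPassword was among the requested attributes. The log text is constructed after the lines in the post; the conn=77 search is an invented negative case.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample log: the conn=76 lines follow the post above, the conn=77
# search is an invented negative case (a uid that does not exist).
SAMPLE_LOG = """\
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH base=ou=person,o=istase,c=fr scope=2 deref=0 filter=(uid=gravier.christophe)
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SRCH attr=userPassword
Dec 14 21:55:27 ist-guizay slapd[31741]: <= bdb_equality_candidates: (uid) index_param failed (18)
Dec 14 21:55:27 ist-guizay slapd[31741]: conn=76 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 14 21:56:02 ist-guizay slapd[31741]: conn=77 op=1 SRCH base=ou=person,o=istase,c=fr scope=2 deref=0 filter=(uid=nosuchuser)
Dec 14 21:56:02 ist-guizay slapd[31741]: conn=77 op=1 SRCH attr=userPassword
Dec 14 21:56:02 ist-guizay slapd[31741]: conn=77 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# slapd "stats" log lines: the search request, its attribute list, and its result.
SRCH_RE = re.compile(r"conn=(\d+) op=(\d+) SRCH base=(\S+) scope=(\d+) deref=\d+ filter=(\S+)")
ATTR_RE = re.compile(r"conn=(\d+) op=(\d+) SRCH attr=(.*)$")
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")


@dataclass
class Search:
    conn: int
    op: int
    base: str
    scope: int          # 0 = base, 1 = onelevel, 2 = subtree
    flt: str
    attrs: List[str] = field(default_factory=list)   # empty list = all attributes requested
    err: Optional[int] = None
    nentries: Optional[int] = None


def parse_searches(log: str) -> Dict[Tuple[int, int], Search]:
    """Group SRCH / attr / SEARCH RESULT lines by (conn, op)."""
    searches: Dict[Tuple[int, int], Search] = {}
    for line in log.splitlines():
        m = SRCH_RE.search(line)
        if m:
            key = (int(m[1]), int(m[2]))
            searches[key] = Search(key[0], key[1], m[3], int(m[4]), m[5])
            continue
        m = ATTR_RE.search(line)
        if m and (int(m[1]), int(m[2])) in searches:
            searches[(int(m[1]), int(m[2]))].attrs.extend(m[3].split())
            continue
        m = RESULT_RE.search(line)
        if m and (int(m[1]), int(m[2])) in searches:
            s = searches[(int(m[1]), int(m[2]))]
            s.err, s.nentries = int(m[3]), int(m[4])
    return searches


def diagnose(s: Search) -> str:
    """Say what the directory side tells us about one user lookup."""
    if s.nentries is None:
        return "no SEARCH RESULT logged for this search"
    if s.err != 0:
        return f"LDAP error {s.err} on search in {s.base}"
    if s.nentries == 0:
        return "no entry matched"
    if s.nentries > 1:
        return "filter matched more than one entry; it is ambiguous"
    if s.attrs and "userPassword" not in s.attrs:
        return "one entry matched but userPassword was not requested"
    return "ok: one entry matched and userPassword was requested; if auth still fails, look at the RADIUS side"


if __name__ == "__main__":
    for key, s in sorted(parse_searches(SAMPLE_LOG).items()):
        print(f"conn={key[0]} op={key[1]} filter={s.flt}: {diagnose(s)}")
```

The parser only reads the stats-level lines that slapd writes per operation; backend noise such as the bdb_equality_candidates line (which only says the uid attribute is not indexed) is ignored, as the poster suggests. An entry count of one with userPassword in the attribute list is all the directory can tell you: whether the value is actually handed back depends on the ACL, and what happens to it afterwards is the RADIUS server's business.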

Re: freeradius 1.0.4 ldap compilation

2005-07-05 Thread Marc-Henri Boisis-delavaud


On 4 Jul 05 at 17:54, Alan DeKok wrote:

Marc-Henri Boisis-delavaud [EMAIL PROTECTED] wrote:

/opt/freeradius/distrib.freeradius-1.0.4/src/modules/rlm_ldap/rlm_ldap.c:2181: undefined reference to `ldap_unbind_s'

  Hmm... it looks like your version of OpenLDAP doesn't have the
functions needed by FreeRADIUS.  Or, the LDAP libraries aren't being
found at compile-time.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Do you recommend openldap 2.2.26 or 2.3.4, and with what options?

Marc




Re: freeradius 1.0.4 ldap compilation

2005-07-05 Thread Alan DeKok
Marc-Henri Boisis-Delavaud [EMAIL PROTECTED] wrote:
 And what is the version of openldap recommended by freeradius ?

  Most versions should work.  My guess is that the LDAP libraries are
in a non-standard place, where your linker can't find them.

  Alan DeKok.


Re: freeradius 1.0.4 ldap compilation

2005-07-04 Thread Alan DeKok
Marc-Henri Boisis-delavaud [EMAIL PROTECTED] wrote:
 /opt/freeradius/distrib.freeradius-1.0.4/src/modules/rlm_ldap/rlm_ldap.c:2181: undefined reference to `ldap_unbind_s'

  Hmm... it looks like your version of OpenLDAP doesn't have the
functions needed by FreeRADIUS.  Or, the LDAP libraries aren't being
found at compile-time.

  Alan DeKok.


Re: freeradius 1.0.4 ldap compilation

2005-07-04 Thread Marc-Henri Boisis-Delavaud




Alan DeKok wrote:

  Marc-Henri Boisis-delavaud [EMAIL PROTECTED] wrote:

/opt/freeradius/distrib.freeradius-1.0.4/src/modules/rlm_ldap/rlm_ldap.c:2181: undefined reference to `ldap_unbind_s'

  Hmm... it looks like your version of OpenLDAP doesn't have the
functions needed by FreeRADIUS.  Or, the LDAP libraries aren't being
found at compile-time.

  Alan DeKok.

And what is the version of openldap recommended by freeradius ?



Re: freeradius and LDAP-V2

2005-04-21 Thread Vladimir
Frank Bonnet wrote:
I am setting up a chillispot server to manage our future WiFi network
and I wonder if the schemas given with the latest freeradius
distribution, as they are marked for LDAP-v3, are OK for LDAP-v2?

We actually use LDAP v2 ( openldap 2.0.27 ) as centralized
auth system and we do not plan to upgrade to v3 for several months.

Yes. OpenLDAP 2.x supports the LDAPv3 specification.
Vladimir


Re: freeradius and LDAP-V2

2005-04-21 Thread Luis Daniel Lucio Quiroz
On Thursday 21 April 2005 07:53, Frank Bonnet wrote:
 Hello

 I'm new to the list :-)

 I am setting up a chillispot server to manage our future WiFi network
 and I wonder if the schemas given with the latest freeradius
 distribution, as they are marked for LDAP-v3, are OK for LDAP-v2?

 We actually use LDAP v2 ( openldap 2.0.27 ) as centralized
 auth system and we do not plan to upgrade to v3 for several months.

 Any infos,tricks welcome, thanks a lot.

Remember to still have support for LDAPv2 in OpenLDAP 2.1+; many apps do not
support it.



Re: freeradius and LDAP

2005-03-03 Thread Beast
Thomas Simmons wrote:
passwords must be encrypted even when sent inside our LAN. I would like 
to use mschap v2, but it seems that it will not work with LDAP, is this 
correct? If I cannot use mschap v2, is there another way to encrypt the 
passwords or use some sort of challenge authentication?
You can use mschapv2 if you have the NT hash of the password (in the
sambaNTPassword attribute)

--
--beast


Re: freeradius and LDAP

2005-03-02 Thread Alan DeKok
Thomas Simmons [EMAIL PROTECTED] wrote:
 When using PAP, the password is sent in clear text.

  Sent in what protocol?  RADIUS does no such thing.

 The password is sent through the VPN to the firewall, so it's never
 exposed to the internet but passwords must be encrypted even when
 sent inside our LAN.

  RADIUS does that.

  Alan DeKok.



Re: FreeRadius with LDAP

2005-02-18 Thread Michael Mitchell
dbx is your friend...
But check to see that the ldap module actually built... unless you've 
got things installed in the default places, it can take a little work to 
get the ldap module to compile on Solaris...


José Berenguer wrote:
Hello!
  We are trying to authenticate with the latest version of freeradius (1.0.1) 
on Solaris 9 against LDAP, and we always get the same error when 
we try to start radius with the command:

   /usr/local/sbin/radiusd -S -X
  You can view the radiusd.conf and users files, and the error we 
get is this:

Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Segmentation Fault
  Can anyone help us?
  Thanks very much!



RE: FreeRadius with LDAP

2005-02-18 Thread Sébastien Cantos
rlm_ldap needs some OpenLDAP libraries to compile on Solaris. One
solution is to install OpenLDAP even if you use Sun LDAP. This way the
module will compile.

Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Michael Mitchell
 Sent: Friday 18 February 2005 13:30
 To: freeradius-users@lists.freeradius.org
 Subject: Re: FreeRadius with LDAP
 
 dbx is your friend...
 
 But check to see that the ldap module actually built... unless you've 
 got things installed in the default places, it can take a 
 little work to 
 get the ldap module to compile on Solaris...
 
 
 
 
 José Berenguer wrote:
  Hello!
  
We are trying to authenticate the last version of 
 freeradius (1.0.1) 
  in Solaris 9 against LDAP and we are always getting the 
 same error when 
  we try to start radius with the command:
  
 /usr/local/sbin/radiusd -S -X
  
You can view the radiusd.conf and users files, and 
 the error we 
  get is this:
  
  Module: Loaded exec
  exec: wait = yes
  exec: program = (null)
  exec: input_pairs = request
  exec: output_pairs = (null)
  exec: packet_type = (null)
  rlm_exec: Wait=yes but no output defined. Did you mean output=none?
  Module: Instantiated exec (exec)
  Module: Loaded expr
  Module: Instantiated expr (expr)
  Module: Loaded PAP
  pap: encryption_scheme = crypt
  Module: Instantiated pap (pap)
  Module: Loaded CHAP
  Module: Instantiated chap (chap)
  Segmentation Fault
  
    Can anyone help us?
  
Thanks very much!
  
 
 
 




Re: Freeradius and LDAP

2005-02-18 Thread Dustin Doris
On Fri, 18 Feb 2005, E L wrote:

 I'm new to LDAP and Freeradius.
 I'm trying to find out if there is a way to configure Freeradius to get
 information from the LDAP database and assign it to one of the radius
 attributes (like Framed-IP-Address and Framed-IP-Netmask) for uids that have
 any of that information in the LDAP database.

 Thanks for any help.
 Cris


ldap.attrmap maps ldap attributes to radius attributes.  Say you have
Framed-IP-Address in ldap as radiusFramedIPAddress.  Then in ldap.attrmap,
you would need a line that says

replyItem   Framed-IP-Address   radiusFramedIPAddress

That tells freeradius to pull the radiusFramedIPAddress from the directory
and add it as a reply item of Framed-IP-Address.

Read doc/ldap-howto.txt





Re: Freeradius and LDAP

2005-02-18 Thread Luis Daniel Lucio Quiroz
You may want to read
http://www.linuxchange.com/opendocs/howto/authentication/radius/index.es.html

however it's in Spanish

LD



Re: Freeradius and LDAP

2005-02-18 Thread E L
Thanks Dustin. I'll give a try.
Thanks to Luis too, but unfortunately I don't speak Spanish.
Cris



Re: FreeRadius + AD/LDAP + basedn

2004-10-07 Thread Kostas Kalevras
On Thu, 7 Oct 2004, Michael Benton wrote:

 Hello,

 FreeRadius 1.0.1
 Linux RHES3.1

 Does anyone know how to configure the FreeRadius server to do an LDAP query on a 
 Win2003 AD server, and to look at the whole AD tree?
 We have, for some unknown reason, multiple OU's with users in each, rather than one 
 OU in which all users are configured.
 If I set the basedn to a particular OU I can authenticate users OK, but when I set 
 it back to the top level dc=ukcl,dc=net the
 auth fails with user unknown?
 I have used an LDAP browser to do a search from the same basedn=dc=ukcl,dc=net, 
 with the subtree option active, and it finds the
 users OK. How do you specify the subtree option in the radiusd.conf file? Do I 
 have to include ou=* as below?

 Any hints would be greatly appreciated.

 ldap {
 server = hqdc1.ukcl.net
 identity = cn=freeradius,ou=Administrators,dc=ukcl,dc=net
 password = pExF%5Yf
 basedn = dc=ukcl,dc=net
 filter = (&(ou=*)(objectClass=person)(samaccountname=%{User-Name}))
 .
 }

 I do not have OpenLDAP installed on my linux box. Do i need this installed ? even 
 though i am directing queries to the Win2003
 server directly ?

Take a look at Global Catalog, see the list archives for details.


 Thanks

 Michael Benton




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: freeradius+poptop+LDAP+Samba

2004-08-27 Thread John H.
Ok Thor, I got a different email address cuz myway
stinks.

How do I verify my version of ppp, the rpm from
poptop's page, has radius plugin?




Re: freeradius+poptop+LDAP+Samba

2004-08-27 Thread Thor Spruyt
Because the radiusclient wasn't compiled in. Grrr.

--
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65

- Original Message - 
From: John H.
To: [EMAIL PROTECTED]
Sent: Friday, August 27, 2004 7:45 AM
Subject: Re: freeradius+poptop+LDAP+Samba


And can you tell me why I have no radiusclient dir?

--- On Fri 08/27, Thor Spruyt [EMAIL PROTECTED] wrote:
From: Thor Spruyt [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Fri, 27 Aug 2004 07:37:35 +0200
Subject: Re: freeradius+poptop+LDAP+Samba

I didn't give you a walkthrough for exactly what you want to do of course.
You stated that the problem was setting up pppd to use radius and the info
below should help you with that!

PS: Please send plain-text mail next time.

--
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65

- Original Message - 
From: John H.
To: [EMAIL PROTECTED] ;
[EMAIL PROTECTED]
Sent: Thursday, August 26, 2004 10:48 PM
Subject: Re: freeradius+poptop+LDAP+Samba


ok, i don't think this is correct for my configuration. I do not want to use
mysql, I want to use LDAP for auth, which freeradius is set up to use, and
is working correctly with.

--- On Thu 08/26, Thor Spruyt [EMAIL PROTECTED] wrote:
From: Thor Spruyt [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 26 Aug 2004 20:11:56 +0200
Subject: Re: freeradius+poptop+LDAP+Samba

John H. wrote:
 Sorry, the poptop mailing list is completely worthless...

http://poptop.sourceforge.net/dox/radius_mysql.html

The radius.so plugin uses the settings from radiusclient, so make sure:

/etc/radiusclient/servers contains the secret for your radius server(s)
Like:
localhost testing123


If the radius is on localhost using the default freeradius secret (bad idea
of course...)

I think you must have the dictionary.microsoft file in /etc/radiusclient if
you use ms-chap 1 or 2.

It should be there by default.

Set authserver and acctserver in /etc/radiusclient/radiusclient.conf if your
radius server is not on the same machine as your poptop.

This file sure makes splitting authentication and accounting between two
radius servers very easy.

Make sure both servers(if different) are listed in /etc/radiusclient/servers


-- 
Regards ,

Thor Spruyt
E: [EMAIL PROTECTED] be
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65















Re: freeradius+poptop+LDAP+Samba

2004-08-27 Thread Thor Spruyt
John H. wrote:
 Ok Thor, I got a different email address cuz myway
 stinks.

Hey nice :)

 How do I verify my version of ppp, the rpm from
 poptop's page, has radius plugin?

find / -name radiusclient

-- 
Regards,

Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65




Re: freeradius+poptop+LDAP+Samba

2004-08-27 Thread John H.
radiusclient dir not found.  I don't understand why,
though, I used the ppp straight from poptop's website.


--- Thor Spruyt [EMAIL PROTECTED] wrote:

 John H. wrote:
  Ok Thor, I got a different email address cuz myway
  stinks.
 
 Hey nice :)
 
  How do I verify my version of ppp, the rpm from
  poptop's page, has radius plugin?
 
 find / -name radiusclient
 
 -- 
 Regards,
 
 Thor Spruyt
 E: [EMAIL PROTECTED]
 W: www.thor-spruyt.com
 M: +32 (0)475 67 22 65
 
 
 







Re: freeradius+poptop+LDAP+Samba

2004-08-27 Thread John H.
sorry,

ppp-2.4.3-0.cvs_20040527.1.src.rpm
./configure --help doesn't give me anything that would
compile the radius plugin, even though the source has
the radius plugin dir?

--- Thor Spruyt [EMAIL PROTECTED] wrote:

 Because the radiusclient wasn't compiled in. Grrr.
 
 --
 Regards,
 
 Thor Spruyt
 E: [EMAIL PROTECTED]
 W: www.thor-spruyt.com
 M: +32 (0)475 67 22 65
 
 - Original Message - 
 From: John H.
 To: [EMAIL PROTECTED]
 Sent: Friday, August 27, 2004 7:45 AM
 Subject: Re: freeradius+poptop+LDAP+Samba
 
 
 And can you tell me why I have no radiusclient dir?
 
 --- On Fri 08/27, Thor Spruyt [EMAIL PROTECTED] wrote:
 From: Thor Spruyt [mailto:[EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Date: Fri, 27 Aug 2004 07:37:35 +0200
 Subject: Re: freeradius+poptop+LDAP+Samba
 
 I didn't give you a walkthrough for exactly what you want to do of course.
 You stated that the problem was setting up pppd to use radius and the info
 below should help you with that!
 
 PS: Please send plain-text mail next time.
 
 --
 Regards,
 
 Thor Spruyt
 E: [EMAIL PROTECTED]
 W: www.thor-spruyt.com
 M: +32 (0)475 67 22 65
 
 - Original Message - 
 From: John H.
 To: [EMAIL PROTECTED] ;
 [EMAIL PROTECTED]
 Sent: Thursday, August 26, 2004 10:48 PM
 Subject: Re: freeradius+poptop+LDAP+Samba
 
 
 ok, i don't think this is correct for my configuration. I do not want to use
 mysql, I want to use LDAP for auth, which freeradius is set up to use, and
 is working correctly with.
 
 --- On Thu 08/26, Thor Spruyt [EMAIL PROTECTED] wrote:
 From: Thor Spruyt [mailto:[EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Date: Thu, 26 Aug 2004 20:11:56 +0200
 Subject: Re: freeradius+poptop+LDAP+Samba
 
 John H. wrote:
  Sorry, the poptop mailing list is completely
 worthless...
 
 http://poptop.sourceforge.net/dox/radius_mysql.html
 
 The radius.so plugin uses the settings from
 radiusclient, so make sure:
 
 /etc/radiusclient/servers contains the secret for
 your radius server(s)
 Like:
 localhost testing123
 
 
 If the radius is on localhost using the default freeradius secret (bad idea
 of course...)
 
 I think you must have the dictionary.microsoft file
 in /etc/radiusclient if
 you use ms-chap 1 or 2.
 
 It should be there by default.
 
 Set authserver and acctserver in
 /etc/radiusclient/radiusclient.conf if your
 radius server is not on the same machine as your
 poptop.
 
 This file sure makes splitting authentication and
 accounting between two
 radius servers very easy.
 
 Make sure both servers(if different) are listed in
 /etc/radiusclient/servers
 
 
 -- 
 Regards ,
 
 Thor Spruyt
 E: [EMAIL PROTECTED] be
 W: www.thor-spruyt.com
 M: +32 (0)475 67 22 65
 
 
 
 
 
 
 
 
 
 
 
 
 
 






