Re: rlm_ldap: Attribute "User-Password" is required for authentication. HELP Please

2007-04-23 Thread Jacob Jarick
Alan,
I try to understand that I can only get answers from you guys when
available, so yes, I do go off and try random howtos (literally anything
I can find) in the hopes I learn a bit more.

But yes, I am now 100% clear on not setting Auth-Type.

Thanks again Alan.

On 4/24/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Jacob Jarick wrote:
> > So the big question is, what Auth-Type do I use ?
>
>   You have been told that you should not set it.  That means "You should
> not set it".  It does not mean "use another value".
>
> > If LDAP is not permitted (still confuses me as I only need / want
> > radius to authenticate against LDAP) what Auth-Type do I set in the
> > users file so that Wireless users can authenticate using their ADS
> > username and passwords.
>
>   You're confused because you're not believing the messages on this list.
>
>   LDAP is not an authentication server.  When you say "authenticate
> against LDAP", you are talking nonsense.
>
>   Other people have FreeRADIUS authenticating against Active Directory.
>  They have done so by carefully following the guides.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_ldap: Attribute "User-Password" is required for authentication. HELP Please

2007-04-23 Thread Alan DeKok
Jacob Jarick wrote:
> So the big question is, what Auth-Type do I use ?

  You have been told that you should not set it.  That means "You should
not set it".  It does not mean "use another value".

> If LDAP is not permitted (still confuses me as I only need / want
> radius to authenticate against LDAP) what Auth-Type do I set in the
> users file so that Wireless users can authenticate using their ADS
> username and passwords.

  You're confused because you're not believing the messages on this list.

  LDAP is not an authentication server.  When you say "authenticate
against LDAP", you are talking nonsense.

  Other people have FreeRADIUS authenticating against Active Directory.
 They have done so by carefully following the guides.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_ldap: Attribute "User-Password" is required for authentication. HELP Please

2007-04-23 Thread Jacob Jarick
Alan,

my test pc only supports PEAP over wireless and setup has to be wireless.

Removing "ldap" from the "authenticate" section causes an EAP error,
so I guess there is more configuration than simply removing /
commenting that section out.

I don't know how to not bind as a user when using FR + LDAP; no
document I have seen so far seems to cover it.

What encryption do you use for the ldap password in radius.conf, so
that anonymous searches are not needed?

On 4/24/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> So the big question is, what Auth-Type do I use ?
>
> If LDAP is not permitted (still confuses me as I only need / want
> radius to authenticate against LDAP) what Auth-Type do I set in the
> users file so that Wireless users can authenticate using their ADS
> username and passwords.
>
> On 4/23/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> > Forgive the newbie questions but I think it's best to clear up confusion.
> >
> > client -> cisco -> FR server = eap
> >
> > FR -> ADS 2003 = pap
> >
> > Is that correct or am I way off track.
> >
> > On 4/23/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > > Jacob Jarick wrote:
> > > > Thanks again Alan,
> > > > For reference the O'Reilly LDAP book instructs you to set "Auth-Type
> > > > := LDAP" so that's where I got the bad reference (perhaps other people
> > > > too).
> > >
> > >   Yes.  There is a LOT of documentation (web pages, etc.) that say to do
> > > the wrong thing.  It's unfortunate that the people writing those don't
> > > read the FreeRADIUS docs first, and don't ask us to review their
> > > configuration.
> > >
> > > > Now let's see if I understood the tables correctly.
> > > >
> > > > PAP is the only method that will support LDAP bind as user ?
> > >
> > >   It's the other way around.  LDAP "bind as user" only works with PAP.
> > >
> > > > When Using PAP -> LDAP will I still have to map userPassword to 
> > > > User-Password ?
> > >
> > >   No.
> > >
> > >   I've added some more code that will go into 1.1.7 && 2.0.  If the LDAP
> > > module succeeds in retrieving a password from LDAP, it does NOT set
> > > Auth-Type to LDAP.
> > >
> > > > Will there be extra configuration required on free radius to make use
> > > > of pap -> ADS ldap or will it work automatically because ldap is
> > > > configured in the modules {} section.
> > >
> > >   I would ask what other authentication protocols you need to support
> > > before suggesting to set Auth-Type to LDAP.
> > >
> > > > Won't using PAP mean plain text password from client -> cisco wap ->
> > > > radius -> ADS server ?
> > >
> > >   No.  802.1x uses EAP, which is NOT PAP, and which is NOT compatible
> > > with Auth-Type = LDAP.
> > >
> > >   Alan DeKok.
> > > --
> > >   http://deployingradius.com   - The web site of the book
> > >   http://deployingradius.com/blog/ - The blog
> >
>


Re: rlm_ldap: Attribute "User-Password" is required for authentication. HELP Please

2007-04-23 Thread Jacob Jarick
So the big question is, what Auth-Type do I use?

If LDAP is not permitted (it still confuses me, as I only need / want
radius to authenticate against LDAP), what Auth-Type do I set in the
users file so that wireless users can authenticate using their ADS
username and passwords?

On 4/23/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> Forgive the newbie questions but I think it's best to clear up confusion.
>
> client -> cisco -> FR server = eap
>
> FR -> ADS 2003 = pap
>
> Is that correct or am I way off track.
>
> On 4/23/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > Jacob Jarick wrote:
> > > Thanks again Alan,
> > > For reference the O'Reilly LDAP book instructs you to set "Auth-Type
> > > := LDAP" so that's where I got the bad reference (perhaps other people
> > > too).
> >
> >   Yes.  There is a LOT of documentation (web pages, etc.) that say to do
> > the wrong thing.  It's unfortunate that the people writing those don't
> > read the FreeRADIUS docs first, and don't ask us to review their
> > configuration.
> >
> > > Now let's see if I understood the tables correctly.
> > >
> > > PAP is the only method that will support LDAP bind as user ?
> >
> >   It's the other way around.  LDAP "bind as user" only works with PAP.
> >
> > > When Using PAP -> LDAP will I still have to map userPassword to 
> > > User-Password ?
> >
> >   No.
> >
> >   I've added some more code that will go into 1.1.7 && 2.0.  If the LDAP
> > module succeeds in retrieving a password from LDAP, it does NOT set
> > Auth-Type to LDAP.
> >
> > > Will there be extra configuration required on free radius to make use
> > > of pap -> ADS ldap or will it work automatically because ldap is
> > > configured in the modules {} section.
> >
> >   I would ask what other authentication protocols you need to support
> > before suggesting to set Auth-Type to LDAP.
> >
> > > Won't using PAP mean plain text password from client -> cisco wap ->
> > > radius -> ADS server ?
> >
> >   No.  802.1x uses EAP, which is NOT PAP, and which is NOT compatible
> > with Auth-Type = LDAP.
> >
> >   Alan DeKok.
> > --
> >   http://deployingradius.com   - The web site of the book
> >   http://deployingradius.com/blog/ - The blog
>


Re: rlm_ldap: Attribute "User-Password" is required for authentication. HELP Please

2007-04-23 Thread Jacob Jarick
Forgive the newbie questions but I think it's best to clear up confusion.

client -> cisco -> FR server = eap

FR -> ADS 2003 = pap

Is that correct, or am I way off track?

On 4/23/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Jacob Jarick wrote:
> > Thanks again Alan,
> > For reference the O'Reilly LDAP book instructs you to set "Auth-Type
> > := LDAP" so that's where I got the bad reference (perhaps other people
> > too).
>
>   Yes.  There is a LOT of documentation (web pages, etc.) that say to do
> the wrong thing.  It's unfortunate that the people writing those don't
> read the FreeRADIUS docs first, and don't ask us to review their
> configuration.
>
> > Now let's see if I understood the tables correctly.
> >
> > PAP is the only method that will support LDAP bind as user ?
>
>   It's the other way around.  LDAP "bind as user" only works with PAP.
>
> > When Using PAP -> LDAP will I still have to map userPassword to 
> > User-Password ?
>
>   No.
>
>   I've added some more code that will go into 1.1.7 && 2.0.  If the LDAP
> module succeeds in retrieving a password from LDAP, it does NOT set
> Auth-Type to LDAP.
>
> > Will there be extra configuration required on free radius to make use
> > of pap -> ADS ldap or will it work automatically because ldap is
> > configured in the modules {} section.
>
>   I would ask what other authentication protocols you need to support
> before suggesting to set Auth-Type to LDAP.
>
> > Won't using PAP mean plain text password from client -> cisco wap ->
> > radius -> ADS server ?
>
>   No.  802.1x uses EAP, which is NOT PAP, and which is NOT compatible
> with Auth-Type = LDAP.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: rlm_ldap: Attribute "User-Password" is required for authentication. HELP Please

2007-04-23 Thread Alan DeKok
Jacob Jarick wrote:
> Thanks again Alan,
> For reference the O'Reilly LDAP book instructs you to set "Auth-Type
> := LDAP" so that's where I got the bad reference (perhaps other people
> too).

  Yes.  There is a LOT of documentation (web pages, etc.) that say to do
the wrong thing.  It's unfortunate that the people writing those don't
read the FreeRADIUS docs first, and don't ask us to review their
configuration.

> Now let's see if I understood the tables correctly.
> 
> PAP is the only method that will support LDAP bind as user ?

  It's the other way around.  LDAP "bind as user" only works with PAP.

> When using PAP -> LDAP, will I still have to map userPassword to User-Password?

  No.

  I've added some more code that will go into 1.1.7 && 2.0.  If the LDAP
module succeeds in retrieving a password from LDAP, it does NOT set
Auth-Type to LDAP.

> Will there be extra configuration required on free radius to make use
> of pap -> ADS ldap or will it work automatically because ldap is
> configured in the modules {} section.

  I would ask what other authentication protocols you need to support
before suggesting to set Auth-Type to LDAP.

> Won't using PAP mean plain text password from client -> cisco wap ->
> radius -> ADS server ?

  No.  802.1x uses EAP, which is NOT PAP, and which is NOT compatible
with Auth-Type = LDAP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_ldap: Attribute "User-Password" is required for authentication. HELP Please

2007-04-23 Thread Jacob Jarick
Thanks again Alan,
For reference the O'Reilly LDAP book instructs you to set "Auth-Type
:= LDAP" so that's where I got the bad reference (perhaps other people
too).

Now let's see if I understood the tables correctly.

PAP is the only method that will support LDAP bind as user?

I should comment out
"
Auth-Type LDAP {
ldap
}
"

And as always some follow up questions:

When using PAP -> LDAP, will I still have to map userPassword to User-Password?

Will there be extra configuration required on free radius to make use
of pap -> ADS ldap, or will it work automatically because ldap is
configured in the modules {} section?

Won't using PAP mean plain text password from client -> cisco wap ->
radius -> ADS server ?

On 4/23/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Jacob Jarick wrote:
> > My problem is the ldap password retrieved from the windows client is
> > not being sent to the ldap server.
>
>   The problem is that you have configured "Auth-Type := LDAP", and then
> sent the server an 802.1x authentication request. Do NOT set Auth-Type =
> LDAP.  This is repeated all over the place in the configuration files,
> the documentation, and on this list.
>
>   In fact, just delete "ldap" from the "authenticate" section.  If you
> can get PAP working with that setup, then 802.1x && EAP should work, too.
>
>   Make sure that FreeRADIUS is retrieving the password from LDAP.  If
> you have FreeRADIUS doing "bind as user" to LDAP, then it is NOT
> retrieving the password from LDAP.
>
>   See: http://deployingradius.com/documents/protocols/
>
>   And the two other web pages linked to from that page.
>
> > The weird thing is It was working fine friday.
>
>   Because you were doing PAP authentication.
>
>   I'm half inclined to remove "ldap bind as user" from the server
> entirely.  It confuses too many people, and causes too many problems.
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


Re: rlm_ldap: Attribute "User-Password" is required for authentication. HELP Please

2007-04-23 Thread Alan DeKok
Jacob Jarick wrote:
> My problem is the ldap password retrieved from the windows client is
> not being sent to the ldap server.

  The problem is that you have configured "Auth-Type := LDAP", and then
sent the server an 802.1x authentication request. Do NOT set Auth-Type =
LDAP.  This is repeated all over the place in the configuration files,
the documentation, and on this list.

  In fact, just delete "ldap" from the "authenticate" section.  If you
can get PAP working with that setup, then 802.1x && EAP should work, too.

  Make sure that FreeRADIUS is retrieving the password from LDAP.  If
you have FreeRADIUS doing "bind as user" to LDAP, then it is NOT
retrieving the password from LDAP.

  See: http://deployingradius.com/documents/protocols/

  And the two other web pages linked to from that page.

> The weird thing is It was working fine friday.

  Because you were doing PAP authentication.

  I'm half inclined to remove "ldap bind as user" from the server
entirely.  It confuses too many people, and causes too many problems.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_ldap: Attribute "User-Password" is required for authentication

2005-08-09 Thread Kris Benson
FreeRadius users mailing list  on
August 9, 2005 at 02:53 -0800 wrote:
>Hi Vladimir,
>
>Thanks for your help, I've managed to set up LDAP with FreeRADIUS. One
>last question: is it possible to have FreeRADIUS authenticate through LDAP
>and also the users file? The reason is because I need to create a guest
>account for guests to log in to our wireless network. But the guest may not
>allow me to install SecureW2 on their notebook, so I am hoping I can
>set up a common password for guests inside the users file. Or is there an
>easier way to accomplish this? Appreciate it if you can help me again. Thank you.

You've hit the nail on the head.

Your users file will just need an entry for the guest user... they may
need to install SecureW2 anyways, if you're using TTLS as the EAP
method... though PEAP should work as long as the password you put in the
users file is plaintext.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: rlm_ldap: Attribute "User-Password" is required for authentication

2005-08-09 Thread melvin

Hi Vladimir,

Thanks for your help, I've managed to set up LDAP with FreeRADIUS. One last 
question: is it possible to have FreeRADIUS authenticate through LDAP 
and also the users file? The reason is because I need to create a guest 
account for guests to log in to our wireless network. But the guest may not 
allow me to install SecureW2 on their notebook, so I am hoping I can set up a 
common password for guests inside the users file. Or is there an easier way to 
accomplish this? Appreciate it if you can help me again. Thank you.


cheers,
melvin



- Original Message - 
From: "melvin" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Wednesday, July 27, 2005 6:35 PM
Subject: Re: rlm_ldap: Attribute "User-Password" is required for authentication

Hi Vladimir,

I've followed your write-up on FreeRADIUS and LDAP and configured my 
Windows clients to use TTLS+PAP but I still get the same error as below:


rad_recv: Access-Request packet from host 192.168.84.11:2048, id=0, 
length=125

   User-Name = "melvin"
   NAS-IP-Address = 192.168.84.11
   Called-Station-Id = "000f66005feb"
   Calling-Station-Id = "0012f075e7b3"
   NAS-Identifier = "000f66005feb"
   NAS-Port = 33
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x0201000b016d656c76696e
   Message-Authenticator = 0x1cbf370b745f6863e6478bfed57edd74
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "melvin", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: EAP packet type response id 1 length 11
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 0
   users: Matched entry DEFAULT at line 152
 modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
 modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.

Any ideas where I might go wrong?

cheers,
melvin

- Original Message - 
From: "Vladimir Vuksan" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" 
Sent: Tuesday, July 26, 2005 10:33 PM
Subject: Re: rlm_ldap: Attribute "User-Password" is required for authentication

melvin wrote:


LDAP does provide some authentication -- through the 'BIND' statement.
Incidentally, this is how the FreeRadius rlm_ldap module chooses to
authenticate against an LDAP entry... it attempts to 'bind' to it, passing
the username and password to LDAP.

I have successfully integrated FreeRadius & LDAP -- I can get you my
config entries if you would like.  It worked with OpenLDAP practically
out-of-the-box.




I have a write-up on FreeRADIUS and LDAP. It should apply to most 
configurations


http://vuksan.com/linux/dot1x/802-1x-LDAP.html


Re: rlm_ldap: Attribute "User-Password" is required for authentication

2005-07-13 Thread Alan DeKok
"melvin" <[EMAIL PROTECTED]> wrote:
> Currently I need to use ldap to authenticate my users and I keep
> encountering the same problem "rlm_ldap: Attribute "User-Password" is
> required for authentication".

  Read the rest of the debug log.  You have told the LDAP module to
perform authentication.

>  I have tried adding
> "checkItem   User-Password   userPassword" into
> ldap.attrmap but it still doesn't work.

  Because the LDAP module is trying to use the password in the RADIUS
packet to log into the LDAP server.

  Don't set "Auth-Type = LDAP"

  Alan DeKok.



Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-09 Thread guest01
Hi

A very strange problem! Even without LDAP, just a normal radius server
with user accounts in the users file doesn't work.
Do you have a working radius server with ppp-plugin and ldap?
Can you do me a favor and look if your ppp-radius-plugin
sends a correct Access-Request packet WITH the user-password attribute?
Please just look in your radius server logfile output and let me know! :-)

Compiling ppp isn't complex, just ./configure && make && make install. No
complex configuration options, and so I don't know what could have been wrong
with my compiled plugin! :-(

thxs, regards
peda




Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-09 Thread Sayantan Bhowmick
Hi,

On Tue, 2005-03-08 at 15:44 +0100, guest01 wrote:
> hm, radius is very strange  Can anyone please help me?
> this is the logfile output after testing with radexample:
> 
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
> User-Name = "testuser"
> User-Password = "123456"
> Service-Type = Authenticate-Only
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0

These are the attributes in the request. As you can see the client sends
User-Password = "testuser". This will be used to perform authentication.

>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
> radius_xlat:  'ou=users,dc=gibraltar,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
> filter (&(objectclass=gibraltarUser)(uid=testuser))
> rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "testuser" with password "123456"
> rlm_ldap: user DN: uid=testuser,ou=users,dc=gibraltar,dc=local
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to

This is where the LDAP authenticate takes place (binding as testuser
with password 123456).

> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user testuser authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Sending Access-Accept of id 40 to 127.0.0.1:1025
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 40 with timestamp 422db560
> Nothing to do.  Sleeping until we see a request.
> 
> and this is the output after trying to connect via pptpd with winxp prof.
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "testuser"
> NAS-IP-Address = 66.150.161.140
> NAS-Port = 0

In this case there is no User-Password attribute in the request. So
later on in the authenticate section it has the username ( testuser )
but no password to bind with hence authentication fails.

>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched DEFAULT at 152
> users: Matched DEFAULT at 171
> users: Matched DEFAULT at 183
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
> radius_xlat:  'ou=users,dc=gibraltar,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
> filter (&(objectclass=gibraltarUser)(uid=testuser))
> rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> m

Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-09 Thread guest01
> I had a similar problem and the solution was the mapping, such as Edvin
> says. I added the following entries to ldap.attrmap:
> 
> checkItem   LM-Password lmPassword
> checkItem   NT-Password ntPassword
> checkItem   User-Password   lmPassword
> 
> Now it's working but using clear-text passwords, so I have a question,
> can I have encrypted passwords in the LDAP database if I am using PEAP
> with mschapv2?
> 
Thanks for your help, but it still doesn't work. I really believe that
it is a problem with ppp. I tried to configure freeradius WITHOUT ldap,
just with authentication with the users file, and I still have the same problem.
There is no User-Password attribute in the Access-Request. Testing radius
with radexample, radtest, and the windows radius test tools is working!

According to the tcpdump output, there is no User-Password attribute sent
(lo-interface) in the access request packet. 

Thanks for your help guys! I hope I can solve this problem with a
new/old ppp version.

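The two failure patterns in this thread (melvin's EAP request that was forced to Auth-Type LDAP, and guest01's PPP request that carries no User-Password attribute) can be told apart mechanically from the radiusd -X output. The script below is an added example written for this page, not FreeRADIUS code: it parses a constructed debug log trimmed from the ones quoted above, gives a verdict per Access-Request, and masks the cleartext passwords that debug output prints before such a log is stored or mailed to a list.

```python
import re
from dataclasses import dataclass, field

REQ_RE = re.compile(r'^rad_recv: Access-Request packet from host \S+, id=(\d+)')
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$')
AUTH_TYPE_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')
BIND_RE = re.compile(r'rlm_ldap: bind as (\S*?)/\S* to ')
LDAP_ERR = 'rlm_ldap: Attribute "User-Password" is required for authentication.'

@dataclass
class Request:
    req_id: str
    attrs: dict = field(default_factory=dict)       # Access-Request attributes
    auth_type: str = None                           # Auth-Type chosen in authorize
    ldap_missing_password: bool = False             # the error this thread is about
    user_binds: list = field(default_factory=list)  # DNs rlm_ldap bound as the user

def parse_debug(text):
    """Split radiusd -X output into one Request per rad_recv Access-Request block."""
    reqs, cur, in_attrs = [], None, False
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = Request(req_id=m.group(1))
            reqs.append(cur)
            in_attrs = True
            continue
        if cur is None:
            continue
        if in_attrs:
            a = ATTR_RE.match(line)
            if a:
                cur.attrs[a.group(1)] = a.group(2).strip()
                continue
            in_attrs = False  # first non-attribute line ends the packet dump
        m = AUTH_TYPE_RE.search(line)
        if m:
            cur.auth_type = m.group(1)
        if LDAP_ERR in line:
            cur.ldap_missing_password = True
        m = BIND_RE.search(line)
        if m and m.group(1):  # "bind as / to ..." is the anonymous search bind
            cur.user_binds.append(m.group(1))
    return reqs

def diagnose(req):
    """Return (verdict, explanation) for one request."""
    has_pw = 'User-Password' in req.attrs
    has_eap = 'EAP-Message' in req.attrs
    ldap_forced = (req.auth_type or '').upper() == 'LDAP'
    if ldap_forced and has_eap and not has_pw:
        return ('misconfig', 'Auth-Type forced to LDAP on an EAP/802.1X request; '
                'bind-as-user needs a cleartext User-Password, which EAP never carries.')
    if ldap_forced and not has_pw:
        return ('nas', 'the Access-Request carries no User-Password, so rlm_ldap '
                'has nothing to bind with; look at the NAS/PPP plugin, not at LDAP.')
    if req.ldap_missing_password:
        return ('ldap', 'rlm_ldap reported a missing User-Password')
    if req.user_binds:
        return ('ok', 'bind-as-user succeeded for ' + req.user_binds[0])
    return ('ok', 'request did not go through rlm_ldap authentication')

def report(text):
    """(request id, verdict, explanation) for every Access-Request in the log."""
    return [(r.req_id,) + diagnose(r) for r in parse_debug(text)]

# radiusd -X prints passwords in clear ("with password", "bind as dn/password").
REDACT_PATTERNS = [
    (re.compile(r'(User-Password = )"[^"]*"'), r'\1"<redacted>"'),
    (re.compile(r'(with password )"[^"]*"'), r'\1"<redacted>"'),
    (re.compile(r'(rlm_ldap: bind as \S+)/\S+( to )'), r'\1/<redacted>\2'),
]

def redact(text):
    for pat, repl in REDACT_PATTERNS:
        text = pat.sub(repl, text)
    return text

# Constructed sample, trimmed from the three logs quoted in this thread: an EAP
# request forced to Auth-Type LDAP, a radtest-style request carrying
# User-Password, and a PPP request without one.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.84.11:2048, id=0, length=125
        User-Name = "melvin"
        EAP-Message = 0x0201000b016d656c76696e
  rad_check_password:  Found Auth-Type LDAP
rlm_ldap: Attribute "User-Password" is required for authentication.
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
        User-Name = "testuser"
        User-Password = "123456"
rlm_ldap: bind as / to localhost:389
  rad_check_password:  Found Auth-Type LDAP
rlm_ldap: login attempt by "testuser" with password "123456"
rlm_ldap: bind as uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to localhost:389
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
        Framed-Protocol = PPP
        User-Name = "testuser"
  rad_check_password:  Found Auth-Type LDAP
rlm_ldap: Attribute "User-Password" is required for authentication.
"""
```

Running `report(SAMPLE_LOG)` yields one verdict per request (misconfig, ok, nas); `redact(SAMPLE_LOG)` leaves the anonymous search bind untouched and masks only the user's password.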


Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Raúl Tamayo Fernández
Hi,
I had a similar problem and the solution was the mapping, such as Edvin 
says. I added the following entries to ldap.attrmap:

checkItem   LM-Password lmPassword
checkItem   NT-Password ntPassword
checkItem   User-Password   lmPassword
Now it's working but using clear-text passwords, so I have a question, 
can I have encrypted passwords in the LDAP database if I am using PEAP 
with mschapv2?

Regards,
Raul Tamayo
Seferovic Edvin wrote:
Hi,
Probably you are using MS-CHAP? Right? Well, the MS-CHAP protocol asks for the
User-Password attribute, which cannot be found in your LDAP directory. You
probably have an attribute called userPassword. This attribute may be encrypted
or in clear text. But what you actually need is the sambaNTPassword attribute
that uses the MS encryption. So you have to "map" the attribute
User-Password to the attribute sambaNTPassword. This can be done by editing the
ldap_attr.map in your freeradius directory. Take a look at that file and
you'll understand it.
Regards,
Edvin Seferovic
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of guest01
Sent: Tuesday, 08 March 2005 13:07
To: freeradius-users@lists.freeradius.org
Subject: Re: rlm_ldap - Attribute "User-Password" is required for
authentication
hm, ok, and that means?
Do you have any suggestions on how to make it work?


RE: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Seferovic Edvin
Hi,

Probably you are using MS-CHAP? Right? Well, the MS-CHAP protocol asks for the
User-Password attribute, which cannot be found in your LDAP directory. You
probably have an attribute called userPassword. This attribute may be encrypted
or in clear text. But what you actually need is the sambaNTPassword attribute
that uses the MS encryption. So you have to "map" the attribute
User-Password to the attribute sambaNTPassword. This can be done by editing the
ldap_attr.map in your freeradius directory. Take a look at that file and
you'll understand it.

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of guest01
Sent: Tuesday, 08 March 2005 13:07
To: freeradius-users@lists.freeradius.org
Subject: Re: rlm_ldap - Attribute "User-Password" is required for
authentication

hm, ok, and that means?
Do you have any suggestions on how to make it work?




Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
I think Steve is right ... This damned ppp-radius-plugin sends bad
packets to my radius server ... packets without the required
user-password ...
And so it must be this damned plugin ...

I tested a little bit with the windows radius test program and I sent
packets with and without user-password to my server ... packets with password
work fine, my radius server reacts with a correct access-accept packet.
And without user-password, it's the same problem again :-(

So I think I have to try another ppp version :-(

Anyway, thank you very much guys!




Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
Sébastien Cantos wrote:

>So maybe it's a NAS problem. Are you sure that the NAS is sending the
>userpassword in the request ? 
>
>  
>
hm, maybe, how can I test that?
I am currently trying some tests with the Windows XP radius test program
... But I am not very optimistic




RE: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Sébastien Cantos
So maybe it's a NAS problem. Are you sure that the NAS is sending the
userpassword in the request ? 

--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of guest01
> Sent: Tuesday, 8 March 2005 16:16
> To: freeradius-users@lists.freeradius.org
> Subject: Re: rlm_ldap - Attribute "User-Password" is required 
> for authentication
> 
> Sébastien Cantos wrote:
> 
> >>I had the same problem a few weeks ago. In fact the ldap 
> wasn't returning
> >>the user-password so it wasn't working. Check with 
> ldapsearch to make the
> >>query directly to the ldap as if you were the radius and I 
> think that you
> >>will see that the userpassword is not returned.  
> >  
> >
> Thxs for your help, but it still doesn't work  :-(
> 
> Ok, I store the passwords in cleartext (just base64encoded), 
> ldapsearch
> works:
> 
>  ldapsearch -x -D "cn=Manager,dc=gibraltar,dc=local" -w secret
> "(&(objectclass=gibraltaruser)(uid=testuser))" userPassword
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: (&(objectclass=gibraltaruser)(uid=testuser))
> # requesting: userPassword
> #
> 
> # testuser, users, gibraltar.local
> dn: uid=testuser,ou=users,dc=gibraltar,dc=local
> userPassword:: MTIzNDU2
> 
> # search result
> search: 2
> result: 0 Success
> 
> 
> >Make sure that the user/password in radiusd.conf for the 
> user that will make
> >the search in the ldap is valid. I think that the radius is binding
> >anonymously on the ldap so it can read passwords. Another 
> thing to note is
> >that you have to store passwords in clear text into the ldap. 
> 
> >ldap {
> >server = "myserver.mydomain.com"
> >identity =
> >"cn=some_user_that_can_read_passwords_on_the_ldap"
> >password = "password_for_this_user"
> > 
> 
> hm, my LDAP is still in testing, therefore everyone is allowed
> everything... But I also tried it
> with the rootdn, but no difference. But I don't think that's 
> the problem,
> because the
> authorization part works fine, "user testuser authorized to use remote
> access",
> just that damned authentication part ...
> 
> rad_recv: Access-Request packet from host 127.0.0.1:1025, 
> id=55, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "testuser"
> NAS-IP-Address = 69.25.27.173
> NAS-Port = 0
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> users: Matched DEFAULT at 153
> users: Matched DEFAULT at 172
> users: Matched DEFAULT at 185
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
> radius_xlat:  'ou=users,dc=gibraltar,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as cn=Manager,dc=gibraltar,dc=local/secret to 
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
> filter (&(objectclass=gibraltarUser)(uid=testuser))
> rlm_ldap: checking if remote access for testuser is allowed 
> by isVPNUser
> rlm_ldap: performing search in
> uid=testuser,ou=radius,dc=gibraltar,dc=local, with filter
> (objectclass=radiusprofile)
> rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
>   modcall[authenticate]: module "ldap" returns invalid for request 0
> modcall: group Auth

Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
Hi

Thxs for your fast and informative answer ... Indeed, a very good argument!
So I think I have to try another ppp version ... A strange problem, damned
ppp radius plugin!!
Why can't life be easier? ;-)

thxs
peda





Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
Sébastien Cantos wrote:

>>I had the same problem a few weeks ago. In fact the ldap wasn't returning
>>the user-password so it wasn't working. Check with ldapsearch to make the
>>query directly to the ldap as if you were the radius and I think that you
>>will see that the userpassword is not returned.  
>  
>
Thxs for your help, but it still doesn't work  :-(

Ok, I store the passwords in cleartext (just base64encoded), ldapsearch
works:

 ldapsearch -x -D "cn=Manager,dc=gibraltar,dc=local" -w secret
"(&(objectclass=gibraltaruser)(uid=testuser))" userPassword
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (&(objectclass=gibraltaruser)(uid=testuser))
# requesting: userPassword
#

# testuser, users, gibraltar.local
dn: uid=testuser,ou=users,dc=gibraltar,dc=local
userPassword:: MTIzNDU2

# search result
search: 2
result: 0 Success


>Make sure that the user/password in radiusd.conf for the user that will make
>the search in the ldap is valid. I think that the radius is binding
>anonymously on the ldap so it can read passwords. Another thing to note is
>that you have to store passwords in clear text into the ldap. 

>ldap {
>server = "myserver.mydomain.com"
>identity =
>"cn=some_user_that_can_read_passwords_on_the_ldap"
>password = "password_for_this_user"
>   

hm, my LDAP is still in testing, therefore everyone is allowed
everything... But I also tried it
with the rootdn, but no difference. But I don't think that's the problem,
because the
authorization part works fine, "user testuser authorized to use remote
access",
just that damned authentication part ...

rad_recv: Access-Request packet from host 127.0.0.1:1025, id=55, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testuser"
NAS-IP-Address = 69.25.27.173
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
users: Matched DEFAULT at 153
users: Matched DEFAULT at 172
users: Matched DEFAULT at 185
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
radius_xlat:  'ou=users,dc=gibraltar,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=gibraltar,dc=local/secret to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
filter (&(objectclass=gibraltarUser)(uid=testuser))
rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
rlm_ldap: performing search in
uid=testuser,ou=radius,dc=gibraltar,dc=local, with filter
(objectclass=radiusprofile)
rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP & op=21
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 55 to 127.0.0.1:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 55 with timestamp 422dc076
Nothing to do.  Sleeping until we see a request.

Any other ideas? How did you solve your problem?


regards
peda







Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Stefan Winter
Hello,

you already got this reply earlier, but here goes...

> this is the logfile output after testing with radexample:
>
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
> User-Name = "testuser"
> User-Password = "123456"
> Service-Type = Authenticate-Only
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0

This is a "good" Access-Request packet. It contains a User-Name and a 
User-Password. That way a RADIUS server can check if the user is valid, i.e. 
he compares the User-Password attribute for that user with the password he 
has stored internally. The outcome of this is a binary decision: either the 
user entered the correct password and may access the network or he entered a 
wrong one and may not.

> and this is the output after trying to connect via pptpd with winxp prof.
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "testuser"
> NAS-IP-Address = 66.150.161.140
> NAS-Port = 0

This is a "bad" Access-Request. _Please_ note that this packet does not 
contain the user's password; the User-Password attribute is just missing. 
Because of that, the server cannot determine whether this user may enter the 
network or not. There is absolutely nothing you can do about this _on the 
RADIUS server side_ (well, maybe except admitting blindly everybody without 
checking passwords). You will have to fix the pptpd so that it sends the 
User-Password to the RADIUS server so that the server has a chance of 
verifying the user's identity. And this is exactly the reason why you got the 
error message from the FR server:

> rlm_ldap: Attribute "User-Password" is required for authentication.

Note the word "required".

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingénieur réseau et système

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.:      +352 424409-33
http://www.restena.lu                     fax:      +352 422473
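The distinction Stefan draws above (an Access-Request that carries User-Password versus one that does not) and Edvin's earlier point that MS-CHAP needs a different directory attribute than a cleartext userPassword can both be checked mechanically from the `radiusd -X` output. What follows is an added example, not code from this thread or from FreeRADIUS: a small Python script that parses the Access-Request dumps in a debug log, reports which credential each one carries, and states what the server would need from its backend to verify it. The first two sample packets are copied from the dumps posted in this thread (ids 40 and 41); the third (id=42, MS-CHAPv2) is constructed to show the challenge/response case, and its hex values are placeholders, not real captures.

```python
import re
from dataclasses import dataclass, field

# Attribute names as printed by radiusd -X and the credential kind each implies.
# Checked in this order; the first one present decides.
PASSWORD_ATTRS = {
    "User-Password": "PAP",
    "CHAP-Password": "CHAP",
    "MS-CHAP2-Response": "MS-CHAPv2",
    "MS-CHAP-Response": "MS-CHAP",
}

# What the server must be able to do for each kind.  Only PAP delivers a
# cleartext password that can simply be forwarded as an LDAP bind; the
# challenge/response methods need the server to know the password or NT hash.
BACKEND_NEEDS = {
    "PAP": "bind to LDAP as the user, or read a cleartext userPassword",
    "CHAP": "read the cleartext password from the directory",
    "MS-CHAP": "read the NT hash (e.g. sambaNTPassword) from the directory",
    "MS-CHAPv2": "read the NT hash (e.g. sambaNTPassword) from the directory",
}

HEADER = re.compile(
    r"rad_recv: Access-Request packet from host (\S+), id=(\d+), length=(\d+)")
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+) = (.*)$")


@dataclass
class AccessRequest:
    pkt_id: int
    source: str
    attrs: dict = field(default_factory=dict)

    def credential(self):
        """Credential kind carried by the packet, or None if there is none."""
        for name, kind in PASSWORD_ATTRS.items():
            if name in self.attrs:
                return kind
        return None


def parse_requests(log):
    """Collect every Access-Request dump in a radiusd -X log with its attributes."""
    requests, current = [], None
    for line in log.splitlines():
        m = HEADER.search(line)
        if m:
            current = AccessRequest(int(m.group(2)), m.group(1))
            requests.append(current)
            continue
        if current is None:
            continue
        m = ATTR.match(line)
        if m:
            current.attrs[m.group(1)] = m.group(2).strip('"')
        else:
            current = None  # first non-attribute line ends the packet dump
    return requests


def explain(req):
    """Verdict for the authenticate section, and the reason."""
    kind = req.credential()
    if kind is None:
        return ("REJECT: id=%d from %s carries no password attribute; the server "
                "cannot verify the user, so the NAS/plugin must be fixed, not "
                "the RADIUS configuration" % (req.pkt_id, req.source))
    return "CHECKABLE (%s): server must %s" % (kind, BACKEND_NEEDS[kind])


def triage(log):
    """(id, credential kind, verdict) for every Access-Request in the log."""
    return [(r.pkt_id, r.credential(), explain(r)) for r in parse_requests(log)]


# Constructed sample: ids 40 and 41 are copied from the dumps in this thread;
# id 42 is invented to show MS-CHAPv2 and its hex values are placeholders.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
User-Name = "testuser"
User-Password = "123456"
Service-Type = Authenticate-Only
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testuser"
NAS-IP-Address = 66.150.161.140
NAS-Port = 0
  Processing the authorize section of radiusd.conf
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=42, length=120
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testuser"
MS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff
MS-CHAP2-Response = 0x0100cafe
NAS-IP-Address = 66.150.161.140
NAS-Port = 0
  Processing the authorize section of radiusd.conf
"""

if __name__ == "__main__":
    for pkt_id, kind, verdict in triage(SAMPLE_LOG):
        print(pkt_id, kind, verdict)
```

Run against a real `radiusd -X` capture, the script flags every request the server could never verify (id 41 in the thread) before anyone starts changing Auth-Type or the LDAP module, and for the requests it can verify it names the directory attribute the backend has to supply, which is the question Edvin's ldap attribute-map remark is really about.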



RE: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Sébastien Cantos
I had the same problem a few weeks ago. In fact the ldap wasn't returning
the user-password so it wasn't working. Check with ldapsearch to make the
query directly to the ldap as if you were the radius and I think that you
will see that the userpassword is not returned.  

> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with

Make sure that the user/password in radiusd.conf for the user that will make
the search in the ldap is valid. I think that the radius is binding
anonymously on the ldap so it can read passwords. Another thing to note is
that you have to store passwords in clear text into the ldap. 

ldap {
server = "myserver.mydomain.com"
identity =
"cn=some_user_that_can_read_passwords_on_the_ldap"
password = "password_for_this_user"


Regards,
--
Sebastien Cantos <[EMAIL PROTECTED]>
Network / System Manager
Neopost DIVA 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of guest01
> Sent: Tuesday, 8 March 2005 15:44
> To: freeradius-users@lists.freeradius.org
> Subject: Re: rlm_ldap - Attribute "User-Password" is required 
> for authentication
> 
> hm, radius is very strange. Can anyone please help me?
> this is the logfile output after testing with radexample:
> 
> rad_recv: Access-Request packet from host 127.0.0.1:1025, 
> id=40, length=66
> User-Name = "testuser"
> User-Password = "123456"
> Service-Type = Authenticate-Only
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
> users: Matched DEFAULT at 152
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
> radius_xlat:  'ou=users,dc=gibraltar,dc=local'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as / to localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
> filter (&(objectclass=gibraltarUser)(uid=testuser))
> rlm_ldap: checking if remote access for testuser is allowed 
> by isVPNUser
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user testuser authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "testuser" with password "123456"
> rlm_ldap: user DN: uid=testuser,ou=users,dc=gibraltar,dc=local
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as 
> uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user testuser authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group Auth-Type returns ok for request 0
> Sending Access-Accept of id 40 to 127.0.0.1:1025
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 40 with timestamp 422db560
> Nothing to do.  Sleeping until we see a request.
> 
> and this is the output after trying to connect via pptpd with 
> winxp prof.
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:1025, 
> id=41, length=54
> Service-Type = Framed-User
> Framed-Protocol = PPP
> User-Name = "testuser"
> NAS-IP-Address = 66.150.161.140
> NAS-Port = 0
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for re

Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
hm, radius is very strange. Can anyone please help me?
this is the logfile output after testing with radexample:

rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
User-Name = "testuser"
User-Password = "123456"
Service-Type = Authenticate-Only
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
radius_xlat:  'ou=users,dc=gibraltar,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
filter (&(objectclass=gibraltarUser)(uid=testuser))
rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "123456"
rlm_ldap: user DN: uid=testuser,ou=users,dc=gibraltar,dc=local
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testuser authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 40 to 127.0.0.1:1025
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 40 with timestamp 422db560
Nothing to do.  Sleeping until we see a request.

and this is the output after trying to connect via pptpd with winxp prof.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testuser"
NAS-IP-Address = 66.150.161.140
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
radius_xlat:  'ou=users,dc=gibraltar,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
filter (&(objectclass=gibraltarUser)(uid=testuser))
rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 41 to 127.0.0.1:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 

Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread guest01
hm, ok, and that means?
Do you have any suggestions on how to make it work?




Re: rlm_ldap - Attribute "User-Password" is required for authentication

2005-03-08 Thread Michael Mitchell

guest01 wrote:
Hi
I have a problem with Radius-LDAP Authentication for PPTP, the log says:
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=61, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = "testuser"
NAS-IP-Address = 69.25.27.170
NAS-Port = 0
  

The Access-Accept packet is not sending a User-Password attribute - just 
as the message is telling you - thus LDAP cannot authenticate the user's 
password. ;-)
