Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-24 Thread Alan DeKok
Jacob Jarick wrote:
 So the big question is, what Auth-Type do I use ?

  You have been told that you should not set it.  That means you should
not set it.  It does not mean use another value.

 If LDAP is not permitted (still confuses me as I only need / want
 radius to authenticate against LDAP) what Auth-Type do I set in the
 users file so that Wireless users can authenticate using their ADS
 username and passwords.

  You're confused because you're not believing the messages on this list.

  LDAP is not an authentication server.  When you say "authenticate
against LDAP", you are talking nonsense.

  Other people have FreeRADIUS authenticating against Active Directory.
 They have done so by carefully following the guides.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-24 Thread Jacob Jarick
Alan,
I try to understand. I can only get answers from you guys when
available, so yes, I do go off and try random howtos (literally anything
I can find) in the hopes I learn a bit more.

But yes, I am now 100% clear on not setting Auth-Type.

Thanks again Alan.



Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-23 Thread Alan DeKok
Jacob Jarick wrote:
 My problem is the ldap password retrieved from the windows client is
 not being sent to the ldap server.

  The problem is that you have configured Auth-Type := LDAP, and then
sent the server an 802.1x authentication request. Do NOT set Auth-Type =
LDAP.  This is repeated all over the place in the configuration files,
the documentation, and on this list.

  In fact, just delete ldap from the authenticate section.  If you
can get PAP working with that setup, then 802.1x & EAP should work, too.

  Make sure that FreeRADIUS is retrieving the password from LDAP.  If
you have FreeRADIUS doing bind as user to LDAP, then it is NOT
retrieving the password from LDAP.

  See: http://deployingradius.com/documents/protocols/

  And the two other web pages linked to from that page.

 The weird thing is It was working fine friday.

  Because you were doing PAP authentication.

  I'm half inclined to remove ldap bind as user from the server
entirely.  It confuses too many people, and causes too many problems.

  Alan DeKok.


Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-23 Thread Alan DeKok
Jacob Jarick wrote:
 Thanks again Alan,
 For reference the O'Reilly LDAP book instructs you to set Auth-Type
 := LDAP so that's where I got the bad reference (perhaps other people
 too).

  Yes.  There is a LOT of documentation (web pages, etc.) that say to do
the wrong thing.  It's unfortunate that the people writing those don't
read the FreeRADIUS docs first, and don't ask us to review their
configuration.

 Now let's see if I understood the tables correctly.
 
 PAP is the only method that will support LDAP bind as user ?

  It's the other way around.  LDAP bind as user only works with PAP.

 When Using PAP - LDAP will I still have to map userPassword to User-Password?

  No.

  I've added some more code that will go into 1.1.7 & 2.0.  If the LDAP
module succeeds in retrieving a password from LDAP, it does NOT set
Auth-Type to LDAP.

 Will there be extra configuration required on free radius to make use
 of pap - ADS ldap or will it work automatically because ldap is
 configured in the modules {} section.

  I would ask what other authentication protocols you need to support
before suggesting to set Auth-Type to LDAP.

 Won't using PAP mean plain text password from client - cisco wap -
 radius - ADS server ?

  No.  802.1x uses EAP, which is NOT PAP, and which is NOT compatible
with Auth-Type = LDAP.

  Alan DeKok.


Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-23 Thread Jacob Jarick
Forgive the newbie questions but I think it's best to clear up confusion.

client - cisco - FR server = eap

FR - ADS 2003 = pap

Is that correct or am I way off track.



Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-23 Thread Jacob Jarick
So the big question is, what Auth-Type do I use ?

If LDAP is not permitted (still confuses me as I only need / want
radius to authenticate against LDAP) what Auth-Type do I set in the
users file so that Wireless users can authenticate using their ADS
username and passwords.



Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-23 Thread Jacob Jarick
Alan,

my test pc only supports PEAP over wireless and setup has to be wireless.

Removing ldap from the authenticate section causes an EAP error,
so I guess there is more configuration than simply removing /
commenting that section out.

I don't know how to not bind as a user when using FR + LDAP; no
document I have seen so far seems to cover it.

What encryption do you use for the ldap password in radius.conf, so
that anonymous searches are not needed?



Re: rlm_ldap: Attribute User-Password is required for authentication

2005-08-09 Thread melvin

Hi Vladimir,

Tks for your help, I've managed to setup the ldap with freeradius. One last 
question is that is it possible to have freeradius authenticate thru ldap 
and also the users file. The reason is because I need to create a guest 
account for guests to login our wireless network. But the guest may not 
allow me to install SecureW2 on their notebook, so I am hoping I can setup a 
common password for guest inside users file. Or is there an easier way to 
accomplish this? Appreciate if you can help me again. Thank you.


cheers,
melvin



- Original Message -
From: melvin [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, July 27, 2005 6:35 PM
Subject: Re: rlm_ldap: Attribute User-Password is required for authentication

Hi Vladimir,

I've followed your write-up on FreeRADIUS and LDAP and configured my 
Windows clients to use TTLS+PAP but I still get the same error as below:


rad_recv: Access-Request packet from host 192.168.84.11:2048, id=0, 
length=125

   User-Name = melvin
   NAS-IP-Address = 192.168.84.11
   Called-Station-Id = 000f66005feb
   Calling-Station-Id = 0012f075e7b3
   NAS-Identifier = 000f66005feb
   NAS-Port = 33
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x0201000b016d656c76696e
   Message-Authenticator = 0x1cbf370b745f6863e6478bfed57edd74
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = melvin, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: EAP packet type response id 1 length 11
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 0
   users: Matched entry DEFAULT at line 152
 modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
 modcall[authenticate]: module ldap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.

Any ideas where I might go wrong?

cheers,
melvin

- Original Message -
From: Vladimir Vuksan [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, July 26, 2005 10:33 PM
Subject: Re: rlm_ldap: Attribute User-Password is required for authentication

melvin wrote:

LDAP does provide some authentication -- through the 'BIND' statement.
Incidentally, this is how the FreeRadius rlm_ldap module chooses to
authenticate against an LDAP entry... it attempts to 'bind' to it, 
passing

the username and password to LDAP.

I have successfully integrated FreeRadius & LDAP -- I can get you my
config entries if you would like.  It worked with OpenLDAP practically
out-of-the-box.

I have a write-up on FreeRADIUS and LDAP. It should apply to most
configurations:


http://vuksan.com/linux/dot1x/802-1x-LDAP.html


Re: rlm_ldap: Attribute User-Password is required for authentication

2005-08-09 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 9, 2005 at 02:53 -0800 wrote:
 Hi Vladimir,

 Tks for your help, I've managed to setup the ldap with freeradius. One last
 question is that is it possible to have freeradius authenticate thru ldap
 and also the users file. The reason is because I need to create a guest
 account for guests to login our wireless network. But the guest may not
 allow me to install SecureW2 on their notebook, so I am hoping I can setup a
 common password for guest inside users file. Or is there an easier way to
 accomplish this? Appreciate if you can help me again. Thank you.

You've hit the nail on the head.

Your users file will just need an entry for the guest user... they may
need to install SecureW2 anyways, if you're using TTLS as the EAP
method... though PEAP should work as long as the password you put in the
users file is plaintext.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: rlm_ldap: Attribute User-Password is required for authentication

2005-07-13 Thread Alan DeKok
melvin [EMAIL PROTECTED] wrote:
 Currently I need to use ldap to authenticate my users and I keep
 encountering the same problem rlm_ldap: Attribute User-Password is
 required for authentication.

  Read the rest of the debug log.  You have told the LDAP module to
perform authentication.

  I have tried adding
 checkItem   User-Password   userPassword into
 ldap.attrmap but it still doesn't work.

  Because the LDAP module is trying to use the password in the RADIUS
packet to log into the LDAP server.

  Don't set Auth-Type = LDAP

  Alan DeKok.



Re: rlm_ldap - Attribute User-Password is required for authentication

2005-03-09 Thread guest01
 I had a similar problem and the solution was the mapping, such as Edvin
 says. I add the following entries to ldap.atrrmap:
 
 checkItem   LM-Password lmPassword
 checkItem   NT-Password ntPassword
 checkItem   User-Password   lmPassword
 
 Now it's working but using clear-text passwords, so I have a question,
 can I have encrypted passwords in the LDAP database if I am using PEAP
 with mschapv2?
 
Thanks for your help, but it still doesn't work. I really believe that
it is a problem with ppp. I tried to configure freeradius WITHOUT ldap,
just with authentication against the users file, and I still have the
same problem: there is no User-Password attribute in the Access-Request.
Testing radius with radexample, radtest and Windows radius test tools works!

According to the tcpdump output, there is no User-Password attribute sent
(lo-interface) in the access request packet. 

Thxs for your help guys! I hope I can solve this problem with a
new/old ppp version.



Re: rlm_ldap - Attribute User-Password is required for authentication

2005-03-09 Thread guest01
Hi

A very strange problem! Even without LDAP, just a normal radius server
with user accounts in the users file doesn't work.
Do you have a working radius server with ppp-plugin and ldap?
Can you do me a favor and look whether your ppp-radius-plugin
sends a correct Access-Request packet WITH the User-Password attribute?
Please just look in your radius server logfile output and let me know! :-)

Compiling ppp isn't complex, just ./configure && make && make install. No
complex configuration options, and so I don't know what could have gone wrong
with my compiled plugin! :-(

thxs, regards
peda




Re: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread Michael Mitchell

guest01 wrote:
Hi
I have a problem with Radius-LDAP Authentication for PPTP, the log says:
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=61, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = testuser
NAS-IP-Address = 69.25.27.170
NAS-Port = 0
  

The Access-Accept packet is not sending a User-Password attribute - just 
as the message is telling you - thus LDAP cannot authenticate the user's 
password. ;-)



Re: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread guest01
hm, ok, and that means?
Do you have any suggestions how to make it work?




Re: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread guest01
hm, radius is very strange  Can anyone please help me?
this is the logfile output after testing with radexample:

rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
User-Name = testuser
User-Password = 123456
Service-Type = Authenticate-Only
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
radius_xlat:  'ou=users,dc=gibraltar,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
filter (&(objectclass=gibraltarUser)(uid=testuser))
rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by testuser with password 123456
rlm_ldap: user DN: uid=testuser,ou=users,dc=gibraltar,dc=local
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=testuser,ou=users,dc=gibraltar,dc=local/123456 to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user testuser authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 40 to 127.0.0.1:1025
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 40 with timestamp 422db560
Nothing to do.  Sleeping until we see a request.

and this is the output after trying to connect via pptpd with winxp prof.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = testuser
NAS-IP-Address = 66.150.161.140
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched DEFAULT at 183
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectclass=gibraltarUser)(uid=testuser))'
radius_xlat:  'ou=users,dc=gibraltar,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
filter (&(objectclass=gibraltarUser)(uid=testuser))
rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 41 to 127.0.0.1:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 41 with timestamp 422db59d
Nothing 

RE: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread Sébastien Cantos
I had the same problem a few weeks ago. In fact the ldap wasn't returning
the user-password so it wasn't working. Check with ldapsearch, making the
query directly to the ldap as if you were the radius, and I think that you
will see that the userpassword is not returned.

 rlm_ldap: bind as / to localhost:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with

Make sure that the user/password in radiusd.conf for the user that will make
the search in the ldap is valid. I think that the radius is binding
anonymously on the ldap so it can read passwords. Another thing to note is
that you have to store passwords in clear text into the ldap. 

ldap {
        server = myserver.mydomain.com
        identity = cn=some_user_that_can_read_passwords_on_the_ldap
        password = password_for_this_user
        # ... rest of the ldap module settings unchanged ...
}


Regards,
--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On behalf of guest01
 Sent: Tuesday, 8 March 2005 15:44
 To: freeradius-users@lists.freeradius.org
 Subject: Re: rlm_ldap - Attribute User-Password is required
 for authentication
 

Re: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread Stefan Winter
Hello,

you already got this reply earlier, but here goes...

 this is the logfile output after testing with radexample:

 rad_recv: Access-Request packet from host 127.0.0.1:1025, id=40, length=66
 User-Name = testuser
 User-Password = 123456
 Service-Type = Authenticate-Only
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 0

This is a good Access-Request packet. It contains a User-Name and a 
User-Password. That way a RADIUS server can check if the user is valid, i.e. 
he compares the User-Password attribute for that user with the password he 
has stored internally. The outcome of this is a binary decision: either the 
user entered the correct password and may access the network or he entered a 
wrong one and may not.

 and this is the output after trying to connect via pptpd with winxp prof.
 Ready to process requests.
 rad_recv: Access-Request packet from host 127.0.0.1:1025, id=41, length=54
 Service-Type = Framed-User
 Framed-Protocol = PPP
 User-Name = testuser
 NAS-IP-Address = 66.150.161.140
 NAS-Port = 0

This is a bad Access-Request. _Please_ note that this packet does not 
contain the user's password; the User-Password attribute is just missing. 
Because of that, the server cannot determine whether this user may enter the 
network or not. There is absolutely nothing you can do about this _on the 
RADIUS server side_ (well, maybe except admitting blindly everybody without 
checking passwords). You will have to fix the pptpd so that it sends the 
User-Password to the RADIUS server so that the server has a chance of 
verifying the user's identity. And this is exactly the reason why you got the 
error message from the FR server:

 rlm_ldap: Attribute User-Password is required for authentication.

Note the word required.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Network and systems engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tel.:      +352 424409-33
http://www.restena.lu                     fax:      +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
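Stefan's point is that the server can only check a password that actually arrives in the request. The block below is an added example, not code from the thread or from FreeRADIUS: a small RFC 2865 Access-Request parser that reports which credential attribute a packet carries and, for User-Password, recovers the clear password the way the server does (the MD5 hiding of RFC 2865 section 5.2). The shared secret, the Request Authenticator and the two constructed packets are assumptions; the attribute lists mirror the good radexample packet (id 40) and the credential-less pptpd packet (id 41) quoted above.

```python
import hashlib
import struct

# Packet code and attribute types from RFC 2865; Microsoft VSA numbers from RFC 2548.
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD = 1, 2, 3
ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT, ATTR_SERVICE_TYPE, ATTR_FRAMED_PROTOCOL = 4, 5, 6, 7
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311
MS_CHAP_RESPONSE_TYPES = {1, 25}   # MS-CHAP-Response, MS-CHAP2-Response


def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: every 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block is keyed with the Request Authenticator."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result   # the ciphertext block, on either side
    return bytes(out)


def hide_user_password(password, secret, authenticator):
    """Pad with NULs to a multiple of 16 (at least one block) and hide as a NAS would."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _xor_chain(padded, secret, authenticator, decrypt=False)


def reveal_user_password(hidden, secret, authenticator):
    """Recover the clear password as the RADIUS server does, dropping the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Serialise header + TLV attributes; attrs is a list of (type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Parse a RADIUS packet defensively; returns (code, id, authenticator, attrs)."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs


def credential_in_request(attrs):
    """Name the credential attribute the request carries, or None when there is
    nothing to check a password against (the case behind rlm_ldap's error)."""
    for atype, value in attrs:
        if atype == ATTR_USER_PASSWORD:
            return "User-Password"
        if atype == ATTR_CHAP_PASSWORD:
            return "CHAP-Password"
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == VENDOR_MICROSOFT and value[4] in MS_CHAP_RESPONSE_TYPES:
                return "MS-CHAP-Response"
    return None


def check_access_request(data, secret):
    """Summarise an Access-Request: who is asking and with which credential."""
    code, ident, authenticator, attrs = parse_packet(data)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request (code %d)" % code)
    report = {"id": ident, "user": None, "credential": credential_in_request(attrs), "password": None}
    for atype, value in attrs:
        if atype == ATTR_USER_NAME:
            report["user"] = value.decode("utf-8", "replace")
        elif atype == ATTR_USER_PASSWORD:
            report["password"] = reveal_user_password(value, secret, authenticator)
    return report


# Constructed inputs: the shared secret and authenticator are made up, the
# attribute lists mirror the two packets shown in the thread.
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))   # a real NAS sends 16 random bytes per request

GOOD_REQUEST = build_packet(ACCESS_REQUEST, 40, AUTHENTICATOR, [   # the radexample packet
    (ATTR_USER_NAME, b"testuser"),
    (ATTR_USER_PASSWORD, hide_user_password(b"123456", SECRET, AUTHENTICATOR)),
    (ATTR_SERVICE_TYPE, struct.pack("!I", 8)),        # Authenticate-Only
    (ATTR_NAS_IP_ADDRESS, bytes([127, 0, 0, 1])),
    (ATTR_NAS_PORT, struct.pack("!I", 0)),
])
BAD_REQUEST = build_packet(ACCESS_REQUEST, 41, AUTHENTICATOR, [    # the pptpd packet, no credential
    (ATTR_SERVICE_TYPE, struct.pack("!I", 2)),        # Framed-User
    (ATTR_FRAMED_PROTOCOL, struct.pack("!I", 1)),     # PPP
    (ATTR_USER_NAME, b"testuser"),
    (ATTR_NAS_IP_ADDRESS, bytes([66, 150, 161, 140])),
    (ATTR_NAS_PORT, struct.pack("!I", 0)),
])
```

Serialising the two constructed attribute lists gives 66 and 54 bytes, the same lengths the debug output reports for the two requests, so the packets the log shows really do differ only by the 18-byte User-Password attribute. `check_access_request(GOOD_REQUEST, SECRET)` returns the clear password; for `BAD_REQUEST` the credential is `None`, which is exactly the state rlm_ldap refuses to authenticate.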


Re: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread guest01
Sébastien Cantos wrote:

I had the same problem a few weeks ago. In fact the ldap wasn't returning
the user-password so it wasn't working. Check with ldapsearch to make the
query directly to the ldap as if you were the radius and I think that you
will see that the userpassword is not returned.  
  

Thxs for your help, but it still doesn't work  :-(

Ok, I store the passwords in cleartext (just base64encoded), ldapsearch
works:

 ldapsearch -x -D cn=Manager,dc=gibraltar,dc=local -w secret
((objectclass=gibraltaruser)(uid=testuser)) userPassword
# extended LDIF
#
# LDAPv3
# base  with scope sub
# filter: ((objectclass=gibraltaruser)(uid=testuser))
# requesting: userPassword
#

# testuser, users, gibraltar.local
dn: uid=testuser,ou=users,dc=gibraltar,dc=local
userPassword:: MTIzNDU2

# search result
search: 2
result: 0 Success


Make sure that the user/password in radiusd.conf for the user that will make
the search in the ldap is valid. I think that the radius is binding
anonymously on the ldap so it can read passwords. Another thing to note is
that you have to store passwords in clear text into the ldap. 

ldap {
server = myserver.mydomain.com
identity =
cn=some_user_that_can_read_passwords_on_the_ldap
password = password_for_this_user
   

hm, my LDAP is still in testing, therefore everyone is allowed
everything... But I also tried it with the rootdn, but no difference.
But I don't think that's the problem, because the authorization part
works fine, user testuser authorized to use remote access, just that
damned authentication part ...

rad_recv: Access-Request packet from host 127.0.0.1:1025, id=55, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = testuser
NAS-IP-Address = 69.25.27.173
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
users: Matched DEFAULT at 153
users: Matched DEFAULT at 172
users: Matched DEFAULT at 185
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '((objectclass=gibraltarUser)(uid=testuser))'
radius_xlat:  'ou=users,dc=gibraltar,dc=local'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=gibraltar,dc=local/secret to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
filter ((objectclass=gibraltarUser)(uid=testuser))
rlm_ldap: checking if remote access for testuser is allowed by isVPNUser
rlm_ldap: performing search in
uid=testuser,ou=radius,dc=gibraltar,dc=local, with filter
(objectclass=radiusprofile)
rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP  op=21
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute User-Password is required for authentication.
  modcall[authenticate]: module ldap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 55 to 127.0.0.1:1025
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 55 with timestamp 422dc076
Nothing to do.  Sleeping until we see a request.

Any other ideas? How did you solve your problem?


regards
peda





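Sébastien's advice is to run the same search the server runs and look at what comes back. The block below is an added example, not code from the thread or from FreeRADIUS: a minimal LDIF reader that decodes the `::` base64 values ldapsearch prints, reports how each userPassword is stored, and performs the comparison a PAP-style check amounts to, the clear candidate password from the User-Password attribute against the directory value. The sample LDIF is constructed after the output quoted above (the `&` in the filter is the usual LDAP conjunction the archived copy lost); the second user, its password and its salt are assumptions added to show a hashed {SSHA} value beside the clear one.

```python
import base64
import hashlib
import hmac


def make_ssha(password: bytes, salt: bytes) -> str:
    """OpenLDAP {SSHA} format: base64(SHA1(password + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()


# Constructed hashed entry (assumed password and salt), so the sample shows both schemes.
HASHED_VALUE = make_ssha(b"hunter2", bytes([1, 2, 3, 4]))

# Constructed ldapsearch output modelled on the thread's run; the testuser
# value is the same base64 string as in the original.
SAMPLE_LDIF = f"""\
# extended LDIF
#
# LDAPv3
# filter: (&(objectclass=gibraltaruser)(uid=testuser))
# requesting: userPassword
#

# testuser, users, gibraltar.local
dn: uid=testuser,ou=users,dc=gibraltar,dc=local
userPassword:: MTIzNDU2

# hasheduser, users, gibraltar.local
dn: uid=hasheduser,ou=users,dc=gibraltar,dc=local
userPassword: {HASHED_VALUE}

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text: str):
    """Minimal LDIF reader: one dict of attr -> [values] per entry. Folds
    continuation lines, skips comments, and decodes '::' base64 values."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]          # continuation of the previous line
        else:
            folded.append(raw)
    entries, current = [], {}
    for line in folded:
        if line.startswith("#"):
            continue
        if not line.strip():               # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(value: str) -> str:
    """Storage scheme prefix of a userPassword value ({SSHA}, {CRYPT}, ...), else CLEARTEXT."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"


def verify_user_password(stored: str, candidate: bytes) -> bool:
    """The comparison a PAP check boils down to: the clear candidate password
    (what the User-Password attribute carries) against the directory value."""
    scheme = password_scheme(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(stored.encode("utf-8"), candidate)
    if scheme in ("SSHA", "SHA"):          # {SHA} is the unsalted form, salt is empty
        blob = base64.b64decode(stored[stored.index("}") + 1:])
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    raise ValueError("unsupported userPassword scheme " + scheme)


def audit_entries(text: str):
    """(dn, scheme) for every entry the bind identity could read a userPassword for."""
    return [(e["dn"][0], password_scheme(e["userPassword"][0]))
            for e in parse_ldif(text) if "dn" in e and "userPassword" in e]
```

`audit_entries(SAMPLE_LDIF)` lists the testuser entry as CLEARTEXT and the constructed one as SSHA; an entry that is missing from the list is one the bind identity in radiusd.conf cannot read, which is the failure Sébastien describes. Either scheme verifies with `verify_user_password` as long as the clear password is available, which is why the request has to carry User-Password in the first place.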


Re: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread guest01
Hi

Thxs for your fast and informative answer ... Indeed, a very good argument!
So I think I have to try another ppp version ... A strange problem, damned
ppp radiusplugin!!
Why can't life be easier? ;-)

thxs
peda





RE: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread Sébastien Cantos
So maybe it's a NAS problem. Are you sure that the NAS is sending the
User-Password in the request? 

--
Sebastien Cantos [EMAIL PROTECTED]
Network / System Manager
Neopost DIVA 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of guest01
 Sent: Tuesday, 8 March 2005 16:16
 To: freeradius-users@lists.freeradius.org
 Subject: Re: rlm_ldap - Attribute User-Password is required 
 for authentication
 
 Sébastien Cantos wrote:
 
 I had the same problem a few weeks ago. In fact the ldap 
 wasn't returning
 the user-password so it wasn't working. Check with 
 ldapsearch to make the
 query directly to the ldap as if you were the radius and I 
 think that you
 will see that the userpassword is not returned.  
   
 
 Thxs for your help, but it still doesn't work  :-(
 
 Ok, I store the passwords in cleartext (just base64encoded), 
 ldapsearch
 works:
 
  ldapsearch -x -D cn=Manager,dc=gibraltar,dc=local -w secret
 ((objectclass=gibraltaruser)(uid=testuser)) userPassword
 # extended LDIF
 #
 # LDAPv3
 # base  with scope sub
 # filter: ((objectclass=gibraltaruser)(uid=testuser))
 # requesting: userPassword
 #
 
 # testuser, users, gibraltar.local
 dn: uid=testuser,ou=users,dc=gibraltar,dc=local
 userPassword:: MTIzNDU2
 
 # search result
 search: 2
 result: 0 Success
 
 
 Make sure that the user/password in radiusd.conf for the 
 user that will make
 the search in the ldap is valid. I think that the radius is binding
 anonymously on the ldap so it can read passwords. Another 
 thing to note is
 that you have to store passwords in clear text into the ldap. 
 
 ldap {
 server = myserver.mydomain.com
 identity =
 cn=some_user_that_can_read_passwords_on_the_ldap
 password = password_for_this_user
  
 
 hm, my LDAP is still in testing, therefore everyone is allowed
 everything... But I also tried it with the rootdn, but no difference.
 But I don't think that's the problem, because the authorization part
 works fine, user testuser authorized to use remote access, just that
 damned authentication part ...
 
 rad_recv: Access-Request packet from host 127.0.0.1:1025, 
 id=55, length=54
 Service-Type = Framed-User
 Framed-Protocol = PPP
 User-Name = testuser
 NAS-IP-Address = 69.25.27.173
 NAS-Port = 0
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
 users: Matched DEFAULT at 153
 users: Matched DEFAULT at 172
 users: Matched DEFAULT at 185
   modcall[authorize]: module files returns ok for request 0
 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for testuser
 radius_xlat:  '((objectclass=gibraltarUser)(uid=testuser))'
 radius_xlat:  'ou=users,dc=gibraltar,dc=local'
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: attempting LDAP reconnection
 rlm_ldap: (re)connect to localhost:389, authentication 0
 rlm_ldap: bind as cn=Manager,dc=gibraltar,dc=local/secret to 
 localhost:389
 rlm_ldap: waiting for bind result ...
 rlm_ldap: Bind was successful
 rlm_ldap: performing search in ou=users,dc=gibraltar,dc=local, with
 filter ((objectclass=gibraltarUser)(uid=testuser))
 rlm_ldap: checking if remote access for testuser is allowed 
 by isVPNUser
 rlm_ldap: performing search in
 uid=testuser,ou=radius,dc=gibraltar,dc=local, with filter
 (objectclass=radiusprofile)
 rlm_ldap: Adding radiusAuthType as Auth-Type, value LDAP  op=21
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user testuser authorized to use remote access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 0
 modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type LDAP
 auth: type LDAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group Auth-Type for request 0
 rlm_ldap: - authenticate
 rlm_ldap: Attribute User-Password is required for authentication.
   modcall[authenticate]: module ldap returns invalid for request 0
 modcall: group Auth-Type returns invalid for request 0
 auth: Failed to validate the user.
 Delaying request 0 for 1 seconds
 Finished request 0
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 1 seconds...
 --- Walking the entire request list ---
 Waking up in 1 seconds...
 --- Walking the entire request list ---
 Sending Access-Reject of id 55 to 127.0.0.1:1025
 Waking up in 4 seconds...
 --- Walking the entire request list ---
 Cleaning up request 0 ID 55 with timestamp 422dc076
 Nothing to do.  Sleeping until we see a request.
 
 Any other ideas? How did you solve your problem?
 
 
 regards
 peda
 
 
 
 
 
 



Re: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread guest01
Sébastien Cantos wrote:

So maybe it's a NAS problem. Are you sure that the NAS is sending the
userpassword in the request ? 

  

hm, maybe, how can I test that?
I am currently trying some tests with the Windows XP radius test program
... But I am not very optimistic




Re: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread guest01
I think Steve is right ... This damned ppp-radius-plugin sends bad
packets to my radius server ... packets without the required
User-Password ...
And so it must be this damned plugin ...

I tested a little bit with the Windows radius test program and I sent
packets with and without User-Password to my server ... packets with
password work fine, my radius server reacts with a correct Access-Accept
packet. And without User-Password, it's the same problem again :-(

So I think I have to try another ppp version :-(

Anyway, thank you very much guys!




Re: rlm_ldap - Attribute User-Password is required for authentication

2005-03-08 Thread Raúl Tamayo Fernández
Hi,
I had a similar problem and the solution was the mapping, as Edvin 
says. I added the following entries to ldap.attrmap:

checkItem   LM-Password lmPassword
checkItem   NT-Password ntPassword
checkItem   User-Password   lmPassword

Now it's working but using clear-text passwords, so I have a question: 
can I have encrypted passwords in the LDAP database if I am using PEAP 
with mschapv2?

Regards,
Raul Tamayo
Seferovic Edvin wrote:
Hi,
You are probably using MS CHAP? Right? Well, the MS CHAP protocol asks for the
User-Password attribute, which cannot be found in your LDAP directory. You
probably have an attribute called userPassword. This attribute may be encrypted
or in clear text. But what you actually need is the sambaNTPassword attribute
that uses the MS encryption. So you have to map the attribute
User-Password to the attribute sambaNTPassword. This can be done by editing the
ldap_attr.map in your freeradius directory. Take a look at that file and
you'll understand it.
Regards,
Edvin Seferovic
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of guest01
Sent: Tuesday, 08 March 2005 13:07
To: freeradius-users@lists.freeradius.org
Subject: Re: rlm_ldap - Attribute User-Password is required for
authentication
hm, ok, and that means?
Do you have any suggestions how to make it work?


 

