Re: Ldap + freeradius... Again

2013-03-14 Thread Alan DeKok
fernando@gmail.com wrote:
> *Now I've a problem, and this is making me crazy!*
> *I changed the /module/LDAP and now I can authenticate using plaintext or
> when I use the password with {crypt}*
>
> *but when I try to use {md5} this doesn't work!*

  You edited the configuration file and broke it.  Don't do that.

> /rad_recv: Access-Request packet from host 127.0.0.1 port 34019, id=41,
> length=57
> User-Name = "user3"
> User-Password = "123"
> NAS-IP-Address = 200.131.96.47
> NAS-Port = 10
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> [ldap] performing user authorization for user3
> [ldap] expand: (uid=%u) -> (uid=user3)
> [ldap] expand: dc=xxx,dc=edu,dc=br -> dc=xxx,dc=edu,dc=br
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in dc=xxx,dc=edu,dc=br, with filter
> (uid=user3)
> [ldap] checking if remote access for user3 is allowed by uid
> [ldap] Added MD5-Password = ICy5YqxZB1uWSwcVLSNLcA== in check items
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] userPassword -> Password-With-Header ==
> "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
> [ldap] looking for reply items in directory...
> [ldap] user user3 authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok

  So... "ldap" is pretty much the only module listed in the "authorize"
section.

  Why?  Just... why?  The comments at the top of the file you edited
explain that butchering it is wrong.

> ++[expiration] returns noop
> ++[logintime] returns noop

  The "pap" module should be listed here.

> ERROR: No authenticate method (Auth-Type) found for the request:
> Rejecting the user

  Because you broke the default configuration.

> sorry for my poor English, and if my doubt is too obvious, but I've been
> trying to solve this for 3 days and nothing.

  You're working VERY HARD to destroy the default configuration.

  If you plan on cooking a meal, you *don't* throw all of the food on
the floor and stand on it.  You follow a recipe.

  Throw away EVERYTHING you did.  It's wrong.

  Then, configure the "ldap" module.

  Then uncomment the references to "ldap" in raddb/sites-available/default.

  It WILL WORK.

  The entire problem here is that you're putting huge amounts of work
into breaking the server, and then acting surprised that it's broken.
You would have had this working 3 days ago if you had just followed the
documentation.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
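An added Python example (not FreeRADIUS code) of what the "pap" module does with the check item shown in the debug output above: strip the {MD5} header, decode the digest, and compare it against the cleartext User-Password. The stored value and password are the ones from the log; accepting the digest as either hex or base64 mirrors rlm_pap, and the make_ssha helper is assumed here only to exercise the salted form.

```python
import base64
import hashlib
import hmac

# Constructed from the debug output quoted in this thread: the LDAP
# userPassword the ldap module turned into Password-With-Header, and the
# User-Password the client sent.
STORED_MD5 = "{MD5}ICy5YqxZB1uWSwcVLSNLcA=="
SENT_PASSWORD = "123"

def split_header(value):
    """Split "{HEADER}body" into (HEADER, body); no header means cleartext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "CLEAR", value

def decode_digest(body, digest_len):
    """Accept the digest either as hex or as base64, as rlm_pap does."""
    if len(body) == 2 * digest_len:
        return bytes.fromhex(body)
    return base64.b64decode(body)

def check_password(stored, candidate):
    """Return True if the candidate matches the stored headed password."""
    header, body = split_header(stored)
    pw = candidate.encode()
    if header in ("CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(pw, body.encode())
    if header == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), decode_digest(body, 16))
    if header == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), decode_digest(body, 20))
    if header in ("SMD5", "SSHA"):
        # Salted form: digest of password+salt, with the salt appended after it.
        algo, size = ("md5", 16) if header == "SMD5" else ("sha1", 20)
        raw = base64.b64decode(body)
        digest, salt = raw[:size], raw[size:]
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    raise ValueError("unsupported password header: " + header)

def make_ssha(password, salt):
    """Hypothetical helper: build an {SSHA} value in the form check_password expects."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

if __name__ == "__main__":
    print(check_password(STORED_MD5, SENT_PASSWORD))  # prints True
```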


Re: Ldap + freeradius... Again

2013-03-14 Thread fernando . sg1
sorry man, you didn't help.
I tried 1000 things and this actual configuration is the best I can make.
why instead of being so rude with me don't you try to really help me? like send me your
default file or the other files to config?

I didn't do anything without following guides on the internet. I'm trying to
learn how to do it.



Re: Ldap + freeradius... Again

2013-03-14 Thread Alan DeKok
fernando@gmail.com wrote:
> sorry man, you didn't help.

  I don't see why.

> I tried 1000 things and this actual configuration is the best I can make.

  Nonsense.

> why instead of being so rude with me don't you try to really help me? like send
> me your default file or the other files to config?

  Because I already did.  I already wrote the "default" file you edited.
 You already have a copy.  You received it when you installed the
server.  I already wrote the documentation that you're ignoring.

  It's rude to ignore the documentation.  It's rude to get upset when I
tell you to read the documentation.

> I didn't do anything without following guides on the internet.

  So.. you're following random guides on the Internet, instead of
reading the documentation which comes with the server?  You're arguing
with the author of that documentation, rather than following instructions?

  All of the available documentation says to NOT EDIT the default
configuration.  This is even mentioned at the top of the file you
edited.  Either you ignored those instructions, or you thought you
didn't need to follow them.

  You're learning your lesson now.  You failed to follow instructions,
and it didn't work.  Why act surprised?

> I'm trying to learn how to do it.

  If you were interested in solving the problem, you'd be solving the
problem.  Instead you're upset because I said you did something wrong.

  Follow instructions, or you will be unsubscribed and banned from this
list.

  Alan DeKok.


Re: Ldap + freeradius... Again

2013-03-14 Thread Arran Cudbard-Bell

On 14 Mar 2013, at 22:52, fernando@gmail.com wrote:

> Ok man,
> you keep not helping much, I'll try again,
> the documentation didn't help before and I guess this will not help again...
> I keep saying you don't need to be rude man, were you born knowing everything? 2 months ago
> I never used a Linux PC, now I'm trying to learn, if you say:

Why are you trying to set up FreeRADIUS? I mean it's not at a postfix/cyrus 
level of obtuseness, but it's not exactly suitable for beginners. It requires 
too much domain knowledge, and general competence in a bunch of different 
disciplines to be used effectively.

Integrating with an LDAP directory is typically not something a home user who 
just wants to set up a dd-wrt AP and experiment with WPA2-Enterprise would do.

If this is for a client are you sure you wouldn't be more comfortable using 
NPS, IAS, ACS? There are many commercial alternatives available. 

If you're a junior system administrator/intern then you should probably request 
a different project.

If you're determined to continue, and the config snippet below doesn't help, 
then I would strongly advise downloading FreeRADIUS 3.0.0 and reading over the 
LDAP code. It's much simpler and easier to understand than the code in 2.1.x.

The error message you see is occurring in the main code body however, so try 
grepping through the code for the log message you're receiving, and see what 
possible conditions in the code could cause it.

> hey man, you made lots of changes that aren't correct, try to do that, and 
> that, and that
> you probably would have helped me more.

Yeah... the people on this list who have been around a while get tired of 
repeating the same crap over and over again.

> as you say, you taught me a lesson, try to follow the documentation and don't 
> use guides on the internet
> and I'm trying to teach you: be more gentle, no one is born knowing everything. 

authorize {
    # Look the user up in LDAP and pull in the check items (such as
    # Password-With-Header) from the directory entry.
    ldap

    # If the entry was found and the client sent a cleartext User-Password,
    # authenticate by binding to LDAP as that user.
    if (ok && User-Password) {
        update control {
            Auth-Type := "ldap"
        }
    }
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}

-Arran


Re: Ldap + freeradius... Again

2013-03-14 Thread Alan DeKok
fernando@gmail.com wrote:
> Ok man,
> you keep not helping much, I'll try again,
> the documentation didn't help before and I guess this will not help again...

  My suggestions work.  Since you're not interested in following them, I
don't know why you're on this list.

> I keep saying you don't need to be rude man, were you born knowing everything? 2
> months ago I never used a Linux PC, now I'm trying to learn, if you say: 
> hey man, you made lots of changes that aren't correct, try to do that,
> and that, and that
> you probably would have helped me more.

  My suggestions work.  The fact that you're still complaining shows you
don't want help.

> as you say, you taught me a lesson, try to follow the documentation and
> don't use guides on the internet
> and I'm trying to teach you: be more gentle, no one is born knowing everything. 

  My suggestion was gentle.  Your response wasn't.

  Alan DeKok.