Re: PAP not working with ldap

2004-08-19 Thread kevin J
Is it true?  So, PAP and some other module can't work with ldap-authorize???
What about persistent connection in my question below?  Is it that 
radius binds ldap per authentication?

Kevin,
Alexandre Durand wrote:
> It is possible that I have the same problem, because I can't get PEAP MS-CHAP
> working with an LDAP base. Error with NTPassword or LmPassword. But the password
> in LDAP is stored as "clear".
> To this day, I haven't found the solution!!
>
> - Original Message - 
> From: "kevin J" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, August 19, 2004 4:08 AM
> Subject: Re: CHAP not working with ldap
>
> > Alan DeKok wrote:
> > > kevin J <[EMAIL PROTECTED]> wrote:
> > > > I found the line 1441 of rlm_ldap.c returns RLM_MODULE_INVALID if the
> > > > password is not pap:
> > >
> > > ...
> > > What you're missing is that's the *authentication* function.  The
> > > LDAP database doesn't know how to do CHAP, it only knows how to do
> > > PAP.  So the rlm_ldap module can send ONLY a PAP password to an LDAP
> > > database.
> >
> > Thanks Alan.  CHAP is working with ldap now.
> > I have two more questions though.
> > 1) I found that PAP is not working with ldap.  RADIUS just tried ldap
> > authentication.  I don't know why.  Is there anything that I have to do
> > for PAP?
> > 2) It looks that ldap connection is not persistent which mean re-bind
> > ldap per authentication.  Is this true or am I missing something?
> > Thanks,
> > Kevin
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PAP not working with ldap

2004-08-19 Thread Alan DeKok
kevin J <[EMAIL PROTECTED]> wrote:
> Is it true?  So, PAP and some other module can't work with ldap-authorize???

  No.

> What about persistent connection in my question below?  Is it that 
> radius binds ldap per authentication?

  The server re-binds to LDAP a lot.  This may not be the most
efficient way of doing things.

  Alan DeKok.




Re: PAP not working with ldap

2004-08-19 Thread kevin J
Alan DeKok wrote:
> kevin J <[EMAIL PROTECTED]> wrote:
> > Is it true?  So, PAP and some other module can't work with ldap-authorize???
>
>  No.

CHAP worked but PAP did not work.
What configuration should I check?  RADIUS did not bring PAP but tried 
LDAP for authentication.

Kevin


Re: PAP not working with ldap

2004-08-19 Thread kevin J
kevin J wrote:
> Alan DeKok wrote:
> > kevin J <[EMAIL PROTECTED]> wrote:
> > > Is it true?  So, PAP and some other module can't work with
> > > ldap-authorize???
> >
> >  No.
>
> CHAP worked but PAP did not work.
> What configuration should I check?  RADIUS did not bring PAP but tried
> LDAP for authentication.
>
> Kevin

I am still having this problem.  Anybody who had worked for PAP with LDAP?
Kevin


Re: PAP not working with ldap

2004-08-19 Thread Alastair Grant
Kevin,
 I have it working.  Well I use EAP-TTLS to create a secure tunnel between
RADIUS and my supplicant first but then I send the data from supplicant to
Radius via PAP and do LDAP authentication.  In this case it is alfa-ariss on
Windows 2000.  I am at home and won't be back at the office until Monday but
I'll do my best to explain my set up.
RADIUS:
  my default_eap_type in the eap module is TTLS
  in my authorize section I have preprocess, eap and ldap uncommented.
Everything else is commented out.
  in my authenticate section I have the LDAP block and eap uncommented.
Everything else is commented out even the PAP stuff.
   Supplicant
  I use an anonymous outer identity
  My inner authentication method is PAP.

Basically this allows the client to send a clear text password to the
server (even though it is encrypted in the tunnel) and the server can then
use this clear text password to do an LDAP bind for authentication.

This might not seem very clear but I am doing it all from memory.  If
this is at all what you are trying to do, send me an email Monday and I'll
send you some documentation I have on the actual setup.  Good luck.

-Al



Re: PAP not working with ldap

2004-08-19 Thread kevin J
Thanks Alastair,
But, I just want to do ldap-authorize and pap-authenticate.  So, I 
uncommented only ldap in authorize
and uncommented only pap in authenticate.  I am using clear-txt so I put 
{clear} in module def. 
It looks like pap is not found for auth-type.
   :
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.

I guess this is an "authorize" issue and chap or eap can work because they 
have an authorize function.  I guess radius does not run a module in 
authenticate if it is not identified in authorize.  Give me advice 
if I am wrong.

Thanks,
Kevin


Re: PAP not working with ldap

2004-08-20 Thread Alexandre Durand
Yes for me it works with PAP and LDAP. But it doesn't work with MS-CHAP !!

I have the same problem as you but it concerns MS-CHAP !!

It's funny, no?




Re: PAP not working with ldap

2004-08-20 Thread Alan DeKok
kevin J <[EMAIL PROTECTED]> wrote:
> But, I just want to do ldap-authorize and pap-authenticate.  So, I 
> uncommented only ldap in authorize
> and uncommented only pap in authenticate.  I am using clear-txt so I put 
> {clear} in module def. 
> It looks like pap is not found for auth-type.
> :
>   rad_check_password:  Found Auth-Type LDAP

  By default, the LDAP module sets "Auth-Type := LDAP".  You'll have
to use another module, like "files", with the "users" file, to set
Auth-Type to something else.

  Alan DeKok.



Re: PAP not working with ldap

2004-08-23 Thread Grant, Alastair Ian

Quoting kevin J <[EMAIL PROTECTED]>:

> Thanks Alastair,
> 
> But, I just want to do ldap-authorize and pap-authenticate.  So, I 
> uncommented only ldap in authorize
> and uncommented only pap in authenticate.  I am using clear-txt so I put 
> {clear} in module def.

What I do for authentication is have LDAP do a bind to the directory with the user-name
and password.  I guess what you want though is to have the authorize get the password
from the directory and then have PAP authenticate this password against the user's
credentials.  This could be done by adding the user-password as a check item.  That
way, the item will be retrieved from the directory and checked against the value passed
from the supplicant.  To do this, uncomment passwordAttribute in the ldap section and
set its value to the name of the user password attribute (typically User-Password) in
the directory.

I am not too sure of what settings you will need in authorize and authenticate since I
never had a chance to test this method (we use encrypted passwords) but I would guess
you would need ldap in authorize and nothing in authenticate (if you can leave that
block empty).  Just play around with it.

Hopefully this is a bit more of what you want.  Let me know how it works out for you.

-Al
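
A configuration sketch of the setup discussed in the two replies above (ldap in authorize, pap in authenticate), added here as an illustration and not taken from any poster's configuration. It assumes FreeRADIUS 1.x radiusd.conf syntax; the server name and base DN are placeholders, and `password_attribute` is assumed to be the key referred to above as passwordAttribute.

```conf
# Added sketch, FreeRADIUS 1.x radiusd.conf syntax assumed.
# Server name and base DN are placeholders.

modules {
    ldap {
        server = "ldap.example.org"      # placeholder
        basedn = "dc=example,dc=org"     # placeholder
        filter = "(uid=%{User-Name})"
        # Pull the stored password into the request as a check item.
        password_attribute = userPassword
        # Strip a "{clear}" prefix from the stored value, if present.
        password_header = "{clear}"
    }
    pap {
        encryption_scheme = clear
    }
}

authorize {
    preprocess
    ldap     # looks up the user; sets Auth-Type := LDAP by default
    files    # the users-file entry below replaces that with PAP
}

authenticate {
    # Only PAP is listed. Without the users-file override the request
    # arrives here with Auth-Type LDAP, no matching block exists, and
    # the server logs "Unknown value specified for Auth-Type".
    Auth-Type PAP {
        pap
    }
}

# --- users file ---
# ":=" replaces the Auth-Type that the ldap module set during authorize.
# A DEFAULT entry applies to every request; narrow it if other
# Auth-Types (CHAP, EAP) are also in use.
DEFAULT Auth-Type := PAP
```

With this layout the identity the server uses for its LDAP searches must be allowed to read the password attribute, which a bind-based check does not require.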
 


Re: PAP not working with ldap

2004-09-02 Thread Kostas Kalevras
On Thu, 19 Aug 2004, Alan DeKok wrote:

> kevin J <[EMAIL PROTECTED]> wrote:
> > Is it true?  So, PAP and some other module can't work with ldap-authorize???
>
>   No.
>
> > What about persistent connection in my question below?  Is it that
> > radius binds ldap per authentication?
>
>   The server re-binds to LDAP a lot.  This may not be the most
> efficient way of doing things.

The server keeps a pool of ldap connections open for the authorize section. It
only needs to bind to perform authentication (there's no other way for ldap
authentication) so I think it is quite efficient.

>
>   Alan DeKok.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
