Re: rlm_ldap and auto_header
Alan DeKok wrote:
> Tim Palmer wrote:
>> Full disclosure - I did try an install from ports, then removed the port
>> and reran ldconfig. I did not recompile/install freeradius after the
>> port exercise.
>> ===
>> Why yes, I did map Cleartext-Password, since the debug error (and
>> various list postings) seemed clear on that:
>>
>> ldap.attrmap:
>> checkItem Cleartext-Password userPassword
>
> Don't do this. Delete this line. It's the SOURCE of all the problems.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

To no one's surprise, you all are correct that auto_header shouldn't be needed in the ldap module. The Cleartext-Password mapping didn't help, but my base, original problem was carrying over a `password_header = "{crypt}"` entry in the ldap module from our old (1.0.1) configuration.

Thanks for making it clear I shouldn't accept something just because it works, if it isn't how it should work.

--
Tim Palmer
BestWeb Support
Re: rlm_ldap and auto_header
Tim Palmer wrote:
> Full disclosure - I did try an install from ports, then removed the port
> and reran ldconfig. I did not recompile/install freeradius after the
> port exercise.
> ===
> Why yes, I did map Cleartext-Password, since the debug error (and
> various list postings) seemed clear on that:
>
> ldap.attrmap:
> checkItem Cleartext-Password userPassword

Don't do this. Delete this line. It's the SOURCE of all the problems.

Alan DeKok.
Re: rlm_ldap and auto_header
On Wednesday 12 November 2008 04:21, lolo wrote:
>
> As said Alan Devok :

!!! Alan Dekok !!! :)
Re: rlm_ldap and auto_header
On Tuesday 11 November 2008 20:48, Tim Palmer wrote:
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password "testing"
> [pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."
> [pap] Passwords don't match

For me there's no sense in having:

[pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."

Is your clear text password {crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm. ? No?

As said Alan Devok :

Because you told it that the userPassword LDAP field was a clear-text password. The PAP module is *supposed* to do the "auto-header" thing itself. It can't, because you told it that the above text WAS the password.
Re: rlm_ldap and auto_header
[EMAIL PROTECTED] wrote:
>> Why yes, I did map Cleartext-Password, since the debug error (and
>> various list postings) seemed clear on that:
>>
>> ldap.attrmap:
>> checkItem Cleartext-Password userPassword
>
> OK. Debug will moan about using User-Password if you are using clear
> text password. It will moan, replace it with Cleartext-Password - and
> things will still work. If you are using clear text passwords you can do
> this mapping to shut it up. Better practice would be to map it to
> something like radiusCleartextPassword and copy userPassword field there.
> But mapping encrypted passwords to Cleartext-Password is clearly wrong.
> Remove that mapping and auto_headers in pap will work.
>
> Ivan Kalik
> Kalik Informatika ISP

What you say makes complete sense, but it's still not working for me unless I have ldap do the auto_header. However, I'd done several things with this machine in this process, so I'm going to rebuild it and start from scratch, now that I am clear on exactly how this bit is supposed to work.

Thank you for your input,
tim
Re: rlm_ldap and auto_header
> Why yes, I did map Cleartext-Password, since the debug error (and
> various list postings) seemed clear on that:
>
> ldap.attrmap:
> checkItem Cleartext-Password userPassword

OK. Debug will moan about using User-Password if you are using clear text password. It will moan, replace it with Cleartext-Password - and things will still work. If you are using clear text passwords you can do this mapping to shut it up. Better practice would be to map it to something like radiusCleartextPassword and copy userPassword field there.

But mapping encrypted passwords to Cleartext-Password is clearly wrong. Remove that mapping and auto_headers in pap will work.

Ivan Kalik
Kalik Informatika ISP
Re: rlm_ldap and auto_header
Full disclosure - I did try an install from ports, then removed the port and reran ldconfig. I did not recompile/install freeradius after the port exercise.

===

Why yes, I did map Cleartext-Password, since the debug error (and various list postings) seemed clear on that:

ldap.attrmap:
checkItem Cleartext-Password userPassword

==

modules/ldap:

ldap {
        server = "xxx.xxx.xxx.xxx"
        identity = "cn=radiusd,ou=services,dc=,dc=net"
        password = x
        basedn = "ou=.net,ou=domains,dc=x,dc=net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        ldap_connections_number = 10
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
                # cacertfile= /path/to/cacert.pem
                # cacertdir= /path/to/ca/dir/
                # certfile= /path/to/radius.crt
                # keyfile= /path/to/radius.key
                # randfile= /path/to/rnd
                # require_cert= "demand"
        }
        default_profile = "cn=default,ou=radiusprofiles,dc=x,dc=net"
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupname_attribute = radiusGroupName
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:=%{User-Name}}))(objectclass=radiusProfile)"
        groupmembership_attribute = radiusGroupName
        password_attribute = userPassword
        password_header = "{crypt}"
        #auto_header = "yes"
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
        compare_check_items = no
        do_xlat = no
        set_auth_type = yes
        #ldap_debug = 0x0028
}

=

modules/pap:

pap {
        auto_header = yes
}

=

DEBUG STARTUP

# ../../sbin/radiusd -X
FreeRADIUS Version 2.1.1, for host i386-unknown-freebsd7.0, built on Nov 1 2008 at 08:57:35
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/freeradius/etc/raddb/radiusd.conf
including configuration file /usr/local/freeradius/etc/raddb/proxy.conf
including configuration file /usr/local/freeradius/etc/raddb/clients.conf
including files in directory /usr/local/freeradius/etc/raddb/modules/
including configuration file /usr/local/freeradius/etc/raddb/modules/acct_unique
including configuration file /usr/local/freeradius/etc/raddb/modules/always
including configuration file /usr/local/freeradius/etc/raddb/modules/attr_filter
including configuration file /usr/local/freeradius/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/freeradius/etc/raddb/modules/chap
including configuration file /usr/local/freeradius/etc/raddb/modules/checkval
including configuration file /usr/local/freeradius/etc/raddb/modules/counter
including configuration file /usr/local/freeradius/etc/raddb/modules/detail
including configuration file /usr/local/freeradius/etc/raddb/modules/detail.example.com
including configuration file /usr/local/freeradius/etc/raddb/modules/detail.log
including configuration file /usr/local/freeradius/etc/raddb/modules/digest
including configuration file /usr/local/freeradius/etc/raddb/modules/echo
including configuration file /usr/local/freeradius/etc/raddb/modules/etc_group
including configuration file /usr/local/freeradius/etc/raddb/modules/exec
including configuration file /usr/local/freeradius/etc/raddb/modules/expiration
including configuration file /usr/local/freeradius/etc/raddb/modules/expr
including configuration file /usr/local/freeradius/etc/raddb/modules/files
including configuration file /usr/local/freeradius/etc/raddb/modules/inner-eap
including configuration file /usr/local/freeradius/etc/raddb/modules/ippool
including configuration file /usr/local/freeradius/etc/raddb/modules/krb5
including configuration file /usr/local/freeradius/etc/raddb/modules/ldap
including configuration file /usr/local/freeradius/etc/raddb/modules/linelog
including configuration file /usr/local/freeradius/etc/raddb/modules/logintime
including configuration file /usr/local/freeradius/etc/raddb/modules/mac2ip
including configuration file /usr/local/freeradius/etc/raddb/modules/mac2vlan
including configuration file /usr/local/freeradius/etc/raddb/modules/mschap
including configuration file /usr/local/freeradius/etc/raddb/modules/pam
including configuration file /usr/local/freeradius/etc/raddb/modules/pap
including configuration file /usr/local/freeradius/etc/raddb/modules/passwd
including configuration file /usr/local/freeradius/etc/raddb/modules/policy
including configuration file /usr/local/freeradius/etc/raddb/modules/preprocess
including configuration file /usr/local
Re: rlm_ldap and auto_header
Tim Palmer wrote:
> With 2.1.1, I had no trouble getting rlm_ldap to connect to my OpenLDAP
> server, and after putting in a Cleartext-Password entry in
> ldap.attrmap,

That's the issue. DON'T do that.

> rlm_ldap would authorize fine, and everything seemed ok,
> except I couldn't get pap to understand the encryption scheme:
>
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password "testing"
> [pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."

Because you told it that the userPassword LDAP field was a clear-text password. The PAP module is *supposed* to do the "auto-header" thing itself. It can't, because you told it that the above text WAS the password.

> Is it only some odd ball, simplistic configurations like mine that this
> should be required? I was unable to find any mention of this as an ldap
> module setting except in rlm_ldap.c, which I didn't think to look in
> until after the fact.

The LDAP auto-header configuration is deprecated. The PAP module is supposed to do that work now.

Alan DeKok.
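To make Alan's point concrete, here is an added example written for this page (not FreeRADIUS code and not posted by anyone on the thread): a small Python model of what rlm_pap's auto_header does with a "{crypt}" value beside the literal string compare that the Cleartext-Password mapping forces on it. It assumes a pure-Python reimplementation of crypt(3) $1$ md5crypt, reuses only the salt from the debug output above with a constructed password "testing" (it makes no claim about what the thread's hash encodes), and models just the "{crypt}$1$" and no-header cases; the real rlm_pap handles further headers such as {SHA} and {SSHA}.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v, n):
    """crypt(3)-style base64 of the low 6*n bits of v, least significant first."""
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))


def md5crypt(password, salt):
    """$1$ md5crypt as produced by crypt(3), reimplemented in pure Python."""
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):       # alt digest, once per 16 bytes of password
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                                # bit-by-bit step from the original algorithm
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                   # stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return "$1$" + salt + "$" + out + _to64(final[11], 2)


def pap_auto_header(stored, candidate):
    """Model of rlm_pap auto_header: choose the check from the {header} prefix."""
    if stored.startswith("{crypt}$1$"):     # "{crypt}$1$<salt>$<hash>" as read from userPassword
        salt = stored.split("$")[2]
        return hmac.compare_digest(md5crypt(candidate, salt), stored[len("{crypt}"):])
    return hmac.compare_digest(stored.encode(), candidate.encode())  # no header: Cleartext-Password


def cleartext_compare(stored, candidate):
    """What the Cleartext-Password mapping in ldap.attrmap forces: a literal compare."""
    return hmac.compare_digest(stored.encode(), candidate.encode())


# Constructed sample: the salt seen in the thread's debug output, password "testing".
STORED = "{crypt}" + md5crypt("testing", "Moq9XEC8")
```

With the header honoured, `pap_auto_header(STORED, "testing")` succeeds; `cleartext_compare(STORED, "testing")` fails exactly as the "[pap] Passwords don't match" line in the debug output does.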
Re: rlm_ldap and auto_header
I had a look at the code and from what I see password value should be added to a User-Password attribute. Can you post the whole debug with auto_header disabled in ldap (and enabled in pap). You haven't mapped userPassword to Cleartext-Password by any chance?

Ivan Kalik
Kalik Informatika ISP

On 11/11/2008, "Tim Palmer" <[EMAIL PROTECTED]> wrote:

> [EMAIL PROTECTED] wrote:
>>> No amount of changing settings in modules/pap and other config files
>>> would help. I finally noticed in the rlm_ldap debug output "auto_headers
>>> = no".
>>>
>>> So, I set auto_headers = yes in modules/ldap, and login passes. Remove
>>> it, and login fails.
>>>
>>
>> Are you saying that if you enable auto_header in pap module
>> authentication fails but if you enable it in ldap it works?
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
> That is correct. I haven't yet tried disabling auto_header in pap module
> with it enabled in ldap, but enable/disable in ldap module, with it set
> in pap gives repeatable joy/no joy.
Re: rlm_ldap and auto_header
[EMAIL PROTECTED] wrote:
>> No amount of changing settings in modules/pap and other config files
>> would help. I finally noticed in the rlm_ldap debug output "auto_headers
>> = no".
>>
>> So, I set auto_headers = yes in modules/ldap, and login passes. Remove
>> it, and login fails.
>
> Are you saying that if you enable auto_header in pap module
> authentication fails but if you enable it in ldap it works?
>
> Ivan Kalik
> Kalik Informatika ISP

That is correct. I haven't yet tried disabling auto_header in pap module with it enabled in ldap, but enable/disable in ldap module, with it set in pap gives repeatable joy/no joy.
Re: rlm_ldap and auto_header
> No amount of changing settings in modules/pap and other config files
> would help. I finally noticed in the rlm_ldap debug output "auto_headers
> = no".
>
> So, I set auto_headers = yes in modules/ldap, and login passes. Remove
> it, and login fails.
>

Are you saying that if you enable auto_header in pap module authentication fails but if you enable it in ldap it works?

Ivan Kalik
Kalik Informatika ISP