Re: rlm_ldap and auto_header

2008-11-12 Thread Tim Palmer

Alan DeKok wrote:
> Tim Palmer wrote:
>> Full disclosure - I did try an install from ports, then removed the port
>> and reran ldconfig. I did not recompile/install freeradius after the
>> port exercise.
>> ===
>> Why yes, I did map Cleartext-Password, since the debug error (and
>> various list postings) seemed clear on that:
>>
>> ldap.attrmap:
>> checkItem   Cleartext-Password  userPassword
>
>   Don't do this.  Delete this line.  It's the SOURCE of all the problems.
>
>   Alan DeKok.

To no one's surprise, you are all correct that auto_header shouldn't be 
needed in the ldap module. The Cleartext-Password mapping didn't help, 
but my base, original problem was carrying over a password_header = 
"{crypt}" entry in the ldap module from our old (1.0.1) configuration.


Thanks for making it clear I shouldn't accept something just because it 
works, if it isn't how it should work.


--
Tim Palmer
BestWeb Support

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_ldap and auto_header

2008-11-12 Thread Alan DeKok
Tim Palmer wrote:
> Full disclosure - I did try an install from ports, then removed the port
> and reran ldconfig. I did not recompile/install freeradius after the
> port exercise.
> ===
> Why yes, I did map Cleartext-Password, since the debug error (and
> various list postings) seemed clear on that:
> 
> ldap.attrmap:
> checkItem   Cleartext-Password  userPassword

  Don't do this.  Delete this line.  It's the SOURCE of all the problems.

  Alan DeKok.


Re: rlm_ldap and auto_header

2008-11-11 Thread Laurent Besson
On Wednesday 12 November 2008 04:21, lolo wrote:

>
> As said Alan Devok :

!!! Alan Dekok !!!

:)



Re: rlm_ldap and auto_header

2008-11-11 Thread lolo
On Tuesday 11 November 2008 20:48, Tim Palmer wrote:
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password "testing"
> [pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."
> [pap] Passwords don't match

For me it makes no sense to have:
[pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."

Is your clear text password {crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm. ?
No?

As Alan Devok said:
Because you told it that the userPassword LDAP field was a clear-text
password.  The PAP module is *supposed* to do the "auto-header" thing
itself.  It can't, because you told it that the above text WAS the password.



Re: rlm_ldap and auto_header

2008-11-11 Thread Tim Palmer

[EMAIL PROTECTED] wrote:
>> Why yes, I did map Cleartext-Password, since the debug error (and
>> various list postings) seemed clear on that:
>>
>> ldap.attrmap:
>> checkItem   Cleartext-Password  userPassword
>
> OK. Debug will moan about using User-Password if you are using clear text
> password. It will moan, replace it with Cleartext-Password - and things
> will still work. If you are using clear text passwords you can do this
> mapping to shut it up. Better practice would be to map it to something
> like radiusCleartextPassword and copy userPassword field there.
>
> But mapping encrypted passwords to Cleartext-Password is clearly wrong.
> Remove that mapping and auto_headers in pap will work.
>
> Ivan Kalik
> Kalik Informatika ISP

What you say makes complete sense, but it's still not working for me 
unless I have ldap do the auto_header. However, I'd done several things 
with this machine in this process, so I'm going to rebuild it and start 
from scratch, now that I am clear on exactly how this bit is supposed to 
work.


Thank you for your input,

tim





Re: rlm_ldap and auto_header

2008-11-11 Thread tnt
>Why yes, I did map Cleartext-Password, since the debug error (and 
>various list postings) seemed clear on that:
>
>ldap.attrmap:
>checkItem   Cleartext-Password  userPassword

OK. Debug will moan about using User-Password if you are using clear text
password. It will moan, replace it with Cleartext-Password - and things
will still work. If you are using clear text passwords you can do this
mapping to shut it up. Better practice would be to map it to something
like radiusCleartextPassword and copy userPassword field there.

But mapping encrypted passwords to Cleartext-Password is clearly wrong.
Remove that mapping and auto_headers in pap will work.

Ivan Kalik
Kalik Informatika ISP



Re: rlm_ldap and auto_header

2008-11-11 Thread Tim Palmer
Full disclosure - I did try an install from ports, then removed the port 
and reran ldconfig. I did not recompile/install freeradius after the 
port exercise.

===
Why yes, I did map Cleartext-Password, since the debug error (and 
various list postings) seemed clear on that:


ldap.attrmap:
checkItem   Cleartext-Password  userPassword

==
modules/ldap:
ldap {
   server = "xxx.xxx.xxx.xxx"
   identity = "cn=radiusd,ou=services,dc=,dc=net"
   password = x
   basedn = "ou=.net,ou=domains,dc=x,dc=net"
   filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
   base_filter = "(objectclass=radiusprofile)"

   ldap_connections_number = 10
   timeout = 4
   timelimit = 3
   net_timeout = 1

   tls {
      start_tls = no

      # cacertfile= /path/to/cacert.pem
      # cacertdir= /path/to/ca/dir/
      # certfile= /path/to/radius.crt
      # keyfile= /path/to/radius.key
      # randfile= /path/to/rnd

      # require_cert= "demand"
   }

   default_profile = "cn=default,ou=radiusprofiles,dc=x,dc=net"

   dictionary_mapping = ${confdir}/ldap.attrmap
   edir_account_policy_check = no

   groupname_attribute = radiusGroupName
   groupmembership_filter = "(&(uid=%{Stripped-User-Name:=%{User-Name}}))(objectclass=radiusProfile)"

   groupmembership_attribute = radiusGroupName

   password_attribute = userPassword
   password_header = "{crypt}"
   #auto_header = "yes"

   # compare_check_items = yes
   # do_xlat = yes
   # access_attr_used_for_allow = yes
   compare_check_items = no
   do_xlat = no

   set_auth_type = yes

   #ldap_debug = 0x0028
}
=
modules/pap:
pap {
   auto_header = yes
}
DEBUG STARTUP
# ../../sbin/radiusd -X
FreeRADIUS Version 2.1.1, for host i386-unknown-freebsd7.0, built on Nov  1 2008 at 08:57:35

Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/freeradius/etc/raddb/radiusd.conf
including configuration file /usr/local/freeradius/etc/raddb/proxy.conf
including configuration file /usr/local/freeradius/etc/raddb/clients.conf
including files in directory /usr/local/freeradius/etc/raddb/modules/
including configuration file /usr/local/freeradius/etc/raddb/modules/acct_unique
including configuration file /usr/local/freeradius/etc/raddb/modules/always
including configuration file /usr/local/freeradius/etc/raddb/modules/attr_filter
including configuration file /usr/local/freeradius/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/freeradius/etc/raddb/modules/chap
including configuration file /usr/local/freeradius/etc/raddb/modules/checkval
including configuration file /usr/local/freeradius/etc/raddb/modules/counter
including configuration file /usr/local/freeradius/etc/raddb/modules/detail
including configuration file /usr/local/freeradius/etc/raddb/modules/detail.example.com
including configuration file /usr/local/freeradius/etc/raddb/modules/detail.log
including configuration file /usr/local/freeradius/etc/raddb/modules/digest
including configuration file /usr/local/freeradius/etc/raddb/modules/echo
including configuration file /usr/local/freeradius/etc/raddb/modules/etc_group
including configuration file /usr/local/freeradius/etc/raddb/modules/exec
including configuration file /usr/local/freeradius/etc/raddb/modules/expiration
including configuration file /usr/local/freeradius/etc/raddb/modules/expr
including configuration file /usr/local/freeradius/etc/raddb/modules/files
including configuration file /usr/local/freeradius/etc/raddb/modules/inner-eap
including configuration file /usr/local/freeradius/etc/raddb/modules/ippool
including configuration file /usr/local/freeradius/etc/raddb/modules/krb5
including configuration file /usr/local/freeradius/etc/raddb/modules/ldap
including configuration file /usr/local/freeradius/etc/raddb/modules/linelog
including configuration file /usr/local/freeradius/etc/raddb/modules/logintime
including configuration file /usr/local/freeradius/etc/raddb/modules/mac2ip
including configuration file /usr/local/freeradius/etc/raddb/modules/mac2vlan
including configuration file /usr/local/freeradius/etc/raddb/modules/mschap
including configuration file /usr/local/freeradius/etc/raddb/modules/pam
including configuration file /usr/local/freeradius/etc/raddb/modules/pap
including configuration file /usr/local/freeradius/etc/raddb/modules/passwd
including configuration file /usr/local/freeradius/etc/raddb/modules/policy
including configuration file /usr/local/freeradius/etc/raddb/modules/preprocess
including configuration file /usr/local

Re: rlm_ldap and auto_header

2008-11-11 Thread Alan DeKok
Tim Palmer wrote:
> With 2.1.1, I had no trouble getting rlm_ldap to connect to my OpenLDAP
> server, and after putting in a Cleartext-Password entry in
> ldap.attrmap,

  That's the issue.  DON'T do that.

> rlm_ldap would authorize fine, and everything seemed ok,
> except I couldn't get pap to understand the encryption scheme:
> 
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = PAP
> +- entering group PAP {...}
> [pap] login attempt with password "testing"
> [pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."

  Because you told it that the userPassword LDAP field was a clear-text
password.  The PAP module is *supposed* to do the "auto-header" thing
itself.  It can't, because you told it that the above text WAS the password.

> Is it only some odd ball, simplistic configurations like mine that this
> should be required? I was unable to find any mention of this as an ldap
> module setting except in rlm_ldap.c, which I didn't think to look in
> until after the fact.

  The LDAP auto-header configuration is deprecated.  The PAP module is
supposed to do that work now.

  Alan DeKok.



Re: rlm_ldap and auto_header

2008-11-11 Thread tnt
I had a look at the code and from what I see the password value should be
added to a User-Password attribute. Can you post the whole debug with
auto_header disabled in ldap (and enabled in pap)? You haven't mapped
userPassword to Cleartext-Password by any chance?

Ivan Kalik
Kalik Informatika ISP


On 11/11/2008, "Tim Palmer" <[EMAIL PROTECTED]> writes:

>[EMAIL PROTECTED] wrote:
>>> No amount of changing settings in modules/pap and other config files
>>> would help. I finally noticed in the rlm_ldap debug output "auto_headers
>>> = no".
>>>
>>> So, I set auto_headers = yes in modules/ldap, and login passes. Remove
>>> it, and login fails.
>>>
>>>
>>
>> Are you saying that if you enable auto_header in pap module
>> authentication fails but if you enable it in ldap it works?
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>That is correct. I haven't yet tried disabling auto_header in pap module
>with it enabled in ldap, but enable/disable in ldap module, with it set
>in pap gives repeatable joy/no joy.



Re: rlm_ldap and auto_header

2008-11-11 Thread Tim Palmer

[EMAIL PROTECTED] wrote:
>> No amount of changing settings in modules/pap and other config files
>> would help. I finally noticed in the rlm_ldap debug output "auto_headers
>> = no".
>>
>> So, I set auto_headers = yes in modules/ldap, and login passes. Remove
>> it, and login fails.
>
> Are you saying that if you enable auto_header in pap module
> authentication fails but if you enable it in ldap it works?
>
> Ivan Kalik
> Kalik Informatika ISP

That is correct. I haven't yet tried disabling auto_header in pap module 
with it enabled in ldap, but enable/disable in ldap module, with it set 
in pap gives repeatable joy/no joy.



Re: rlm_ldap and auto_header

2008-11-11 Thread tnt
>No amount of changing settings in modules/pap and other config files
>would help. I finally noticed in the rlm_ldap debug output "auto_headers
>= no".
>
>So, I set auto_headers = yes in modules/ldap, and login passes. Remove
>it, and login fails.
>

Are you saying that if you enable auto_header in pap module
authentication fails but if you enable it in ldap it works?

Ivan Kalik
Kalik Informatika ISP
