> On 5/3/2007, "Tim Tyler" <[EMAIL PROTECTED]> wrote:
>
>> Freeradius experts,
>> I am trying to configure freeradius to use openldap as a backend
>> for authentication, but I can't seem to get the passwords to
>> authenticate. It seems to have no problem binding and finding the
>> username (uid). I am using crypt passwords in the ldap userPassword field:
>> userPassword:: e1NTSEF9aXBWQklEYnZYSU9RdWl2V0ZtdGR5MWxIWFFsZWVCMjQ=
>>
>> I am not using any radius attributes. I simply want to allow any
>> uid to authenticate. I get these results:
>>
>> rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59
>>         User-Name = "tylertj"
>>         User-Password = "xxxxxx"
>>         NAS-IP-Address = 255.255.255.255
>>         NAS-Port = 1812
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for tylertj
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: (re)connect to ldap.beloit.edu:389, authentication 0
>> rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/cacert.cer
>> rlm_ldap: starting TLS
>> rlm_ldap: bind as / to ldap.beloit.edu:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user tylertj authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> rad_recv: Access-Request packet from host 144.89.40.8:59881, id=60, length=59
>> Sending Access-Reject of id 60 to 144.89.40.8:59881
>>
>> What might I be doing wrong? I presume that the ldap server
>> doesn't have to store the passwords in plain text, correct? I can
>> store them in md5 or SHA1 hash if I want, correct? I did uncomment:
>>
>> authenticate {
>>         Auth-Type LDAP {
>>                 ldap
>>         }
>> }
>>
>> Am I wrong to think this is now a password issue?
>> Tim
>>
>> Tim Tyler
>> Network Engineer - Beloit College
>> [EMAIL PROTECTED]
You need to prefix your crypt password with {crypt}, else LDAP won't know which hashing scheme you're using, and when you attempt a v3 bind it'll treat your crypted password as plaintext. Also, in order to use crypted passwords you'll need an authentication mechanism that supports reversible encryption, like PAP or GTC.

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication Authorisation & Accounting Officer
University of Sussex | Infrastructure Services
++441273873900/ext:3900

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
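To make the scheme-tag point from the reply checkable, here is an added example (not code from the thread, FreeRADIUS or OpenLDAP) that decodes an LDIF `userPassword` line, reports whether the value carries a `{SCHEME}` tag that the directory will recognise, and builds and verifies an OpenLDAP-style `{SSHA}` value; it covers the general tag check rather than only the `{crypt}` case. The first sample line is the value quoted in the question; the other two are constructed placeholders, not real hashes.

```python
"""Check and build OpenLDAP-style userPassword values (added example)."""
import base64
import hashlib
import os
import re

# OpenLDAP stores hashed passwords as "{SCHEME}data"; an untagged value is
# compared as plaintext during a simple bind, which is the failure described.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)
KNOWN_SCHEMES = {"CRYPT", "SSHA", "SHA", "SMD5", "MD5", "CLEARTEXT"}

def ldif_value(line):
    """Return the attribute value from an LDIF line; '::' marks base64."""
    _attr, _sep, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()

def password_scheme(value):
    """Return the upper-cased scheme tag, or None if the value is untagged."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else None

def check_userpassword(line):
    """Classify one LDIF userPassword line for an administrator."""
    scheme = password_scheme(ldif_value(line))
    if scheme is None:
        return "untagged: the server will compare this as plaintext"
    if scheme not in KNOWN_SCHEMES:
        return f"unknown scheme {{{scheme}}}"
    return f"tagged {{{scheme}}}"

def make_ssha(password, salt=None):
    """Build {SSHA}base64(sha1(password + salt) + salt) with a 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(value, password):
    """Recompute the salted SHA-1 and compare it to the stored digest."""
    if password_scheme(value) != "SSHA":
        return False
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

SAMPLES = [
    # value quoted in the question above
    "userPassword:: e1NTSEF9aXBWQklEYnZYSU9RdWl2V0ZtdGR5MWxIWFFsZWVCMjQ=",
    "userPassword: $1$c0nstr$PlaceholderNotARealHash",          # constructed, untagged
    "userPassword: {CRYPT}$1$c0nstr$PlaceholderNotARealHash",   # constructed, tagged
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_userpassword(line))
```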