Phil Mayers wrote:
Bear in mind that rlm_ldap has some quite complex password processing
rules hard-coded into the source. In particular, I think that code
still, incorrectly, uses PW_USER_PASSWORD as the attribute, then
overrides it based on the presence and value of a {type} header:
On 08/16/2012 05:58 AM, Fajar A. Nugraha wrote:
https://github.com/alandekok/freeradius-server/blob/v2.1.x/src/modules/rlm_ldap/rlm_ldap.c#L1545
In particular, AFAICT if password_attribute is set, and auto_header is
unset, then the attribute added will be User-Password.
Hmm ... I wonder if
On 08/16/2012 08:00 AM, Alan DeKok wrote:
Phil Mayers wrote:
Bear in mind that rlm_ldap has some quite complex password processing
rules hard-coded into the source. In particular, I think that code
still, incorrectly, uses PW_USER_PASSWORD as the attribute, then
overrides it based on the
On 16 Aug 2012, at 13:02, Phil Mayers p.may...@imperial.ac.uk wrote:
Oh totally - I'm not suggesting fiddling with the existing code, just noting
that the reason the OP was getting the warning about User-Password versus
Cleartext-Password was (I guess) rlm_ldap doing it, rather than anything he
Phil Mayers wrote:
On a wider note, I wonder if the code inside rlm_ldap for
password_header is even useful anymore - rlm_pap has support for
auto-detecting the header, so it's just duplication.
Yes. The LDAP auto-header code has been deprecated for ~5 years. It
will go away in version 3.
Hi everyone.
This is my first post to this list.
I have set up freeradius (V2.1.12) together with openldap (V2.4.31) and so with
some success I think.
But I have to say that setting this up using only users-file was a breeze.
Setting up freeradius with ldap not so simple.
I am using cleartext
-file was a breeze.
Setting up freeradius with ldap not so simple.
I am using cleartext password in ldap. I am not using any special schema for
freeradius in my ldap-setup.
My problem is something I noticed many other users have struggled with and
that is this part from my debug output:
++[pap
Hi.
On 15 Aug 2012, at 16:01, Fajar A. Nugraha l...@fajar.net wrote:
Does your ldap.attrmap look like this?
https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/ldap.attrmap
In particular look for Password-With-Header
Yes, it looks exactly the same.
I guess you are referring to this
I have to correct myself.
The third column is the LDAP-name so that can't be it. I mean that is the
container where the password is saved.
Or am I missing something here?
/Sonny
On 15 Aug 2012, at 16:51, Sonny Taberman sonny.taber...@lan-master.eu wrote:
Hi.
15 aug 2012 kl. 16:01 skrev Fajar
On 15/08/12 15:51, Sonny Taberman wrote:
Hi.
On 15 Aug 2012, at 16:01, Fajar A. Nugraha l...@fajar.net wrote:
Does your ldap.attrmap look like this?
https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/ldap.attrmap
In particular look for Password-With-Header
On Wed, Aug 15, 2012 at 9:54 PM, Sonny Taberman
sonny.taber...@lan-master.eu wrote:
I have to correct myself.
The third column is the LDAP-name so that can't be it. I mean that is the
container where the password is saved.
Or am I missing something here?
Something is setting User-Password
On 15/08/12 16:13, Fajar A. Nugraha wrote:
Something is setting User-Password check item. If you store the
Bear in mind that rlm_ldap has some quite complex password processing
rules hard-coded into the source. In particular, I think that code
still, incorrectly, uses PW_USER_PASSWORD as
On 15 Aug 2012, at 17:08, Phil Mayers p.may...@imperial.ac.uk wrote:
That depends. Can you give an example, suitably redacted, of what one of the
LDAP entries looks like?
e.g. does it look like this:
dn: cn=user,ou=blah
userPassword: someplaintext
...or what?
It looks exactly like
Hi. Fajar.
Thanks so much for your help.
You helped me to find the problem.
In ldap.attrmap I changed this line:
checkitem Password-With-Header userPassword
to this line:
checkitem Cleartext-Password userPassword
And now I can not see any error in the debug
On Wed, Aug 15, 2012 at 10:45 PM, Phil Mayers p.may...@imperial.ac.uk wrote:
On 15/08/12 16:13, Fajar A. Nugraha wrote:
Something is setting User-Password check item. If you store the
Bear in mind that rlm_ldap has some quite complex password processing rules
hard-coded into the source. In
Hello,
we have freeradius-2.1.8 running, with openldap-2.3.43 as backend.
in ldap we have three attributes (radiusTunnelMediumType=IEEE-802,
radiusTunnelType=VLAN, and radiusTunnelPrivateGroupId=[vlan-id]),
freeradius maps the ldap-attributes to radius-attributes.
We have three vlans, one
Meister, Frank wrote:
after assigning the 1st VLAN on our cisco aironet 1242 accesspoints
to the SSID - clicking Apply, assigning the 2nd VLAN - click Apply,
assigning the 3rd VLAN, click Apply it works fine.
(I mean manual assigning VLANs using web-interface)
? This has nothing to do with
On Thursday, 27 May 2010 18:42:29, Meister, Frank wrote:
Hello,
we have freeradius-2.1.8 running, with openldap-2.3.43 as backend.
in ldap we have three attributes (radiusTunnelMediumType=IEEE-802,
radiusTunnelType=VLAN, and radiusTunnelPrivateGroupId=[vlan-id]),
freeradius maps the ldap
LDAP from the FreeRADIUS configuration?
LDAP user account works.
Please help me with some hints for finding this problem.
Use strace to see what it's doing, and where it's blocking.
Odds are that FreeRADIUS is doing a system call, and the OS is never
returning. Fix the OS, and FreeRADIUS
Freeradius: 2.1.6 OS: Open Suse 11.0 LDAP 2.4.9
Problem is when running radiusd in foreground with logging:
Thread spawned new child 1. Total threads in pool: 1
Thread 1 waiting to be assigned a request
Thread pool initialized
radiusd: Opening IP addresses and Ports
listen {
type
Hello All,
Excuse me for my lack of knowledge with Linux and FreeRadius. I hardly have
any experience and I've been using version 1.1.3 for the past few weeks and
had authentication working properly for Cisco devices. I decided to install
the latest version 2.1.4 and forgot to save all my
On Tuesday, 24 March 2009 15:58:09, Edwin Isada wrote:
Hello All,
Excuse me for my lack of knowledge with Linux and FreeRadius. I hardly
have any experience and I've been using version 1.1.3 for the past few
weeks and had authentication working properly for Cisco devices. I decided
to
Excuse me for my lack of knowledge with Linux and FreeRadius. I hardly have
any experience and I've been using version 1.1.3 for the past few weeks and
had authentication working properly for Cisco devices. I decided to install
the latest version 2.1.4 and forgot to save all my configuration for
Edwin Isada wrote:
Hello All,
Excuse me for my lack of knowledge with Linux and FreeRadius. I hardly
have any experience and I've been using version 1.1.3 for the past few
weeks and had authentication working properly for Cisco devices. I
decided to install the latest version 2.1.4 and
Thanks for all the info and missed reading the comments at the end of the
radiusd.conf. I uncommented out the ldap portions of
/usr/local/etc/raddb/sites-enabled. My config in modules section is
ldap {
server = ciq-dc1.ciq.com
port = 636
On Tuesday, 24 March 2009 17:29:26, Edwin Isada wrote:
Thanks for all the info and missed reading the comments at the end of the
radiusd.conf. I uncommented out the ldap portions of
/usr/local/etc/raddb/sites-enabled. My config in modules section is
ldap {
server
On Wednesday, 06 February 2008, Alan DeKok wrote:
Thierry CHICH wrote:
However, it the accounting is always done with the outer identity
...
Login OK: [EMAIL PROTECTED]/] (from client
ap-rectorat02 port 0)
+- entering group post-auth
expand: %{request.User-Name} -
Thierry CHICH wrote:
You are right. I think this typo is in the original file inner-tunnel
included
in the distrib,
Yes, I've fixed it.
but it works better - but not as I want. Now, I have a good
Access-Accept packet, but it seems that the accounting-request following
doesn't care.
On Thursday, 07 February 2008, Alan DeKok wrote:
Thierry CHICH wrote:
You are right. I think this typo is in the original file inner-tunnel
included in the distrib,
Yes, I've fixed it.
but it works better - but not as I want. Now, I have a good
Access-Accept packet, but it seems that
Hello,
I know that my problem is so simple that I should be ashamed to ask help, but
I have to say that I can't find a good way to do what I want to do.
With the previous release of freeradius 1.1.7, I could do the following
things:
- people with a correct outer identity and inner identity
hi Thierry,
on your /etc/raddb/users file, you can put the following to copy the
inner identity to the outer identity (works with freeradius 1 and 2):
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
User-Name := `%{User-Name}`,
Fall-Through = yes
Thierry CHICH [EMAIL PROTECTED] a
Thierry CHICH wrote:
With the previous release of freeradius 1.1.7, I could do the following
things:
- people with a correct outer identity and inner identity (login/password)
could be authorized and authenticate on a LDAP server, using an EAP-TTLS
tunnel, obtained a WPA key.
- with the
On Wednesday, 06 February 2008, Alan DeKok wrote:
Thierry CHICH wrote:
With the previous release of freeradius 1.1.7, I could do the following
things:
- people with a correct outer identity and inner identity
(login/password) could be authorized and authenticate on a LDAP server,
using
Thierry CHICH wrote:
However, it the accounting is always done with the outer identity
...
Login OK: [EMAIL PROTECTED]/] (from client ap-rectorat02
port 0)
+- entering group post-auth
expand: %{request.User-Name} -
That's a typo. It should be ... %{request:User-Name}
Thank you to this list! I am posting snips from my users,
radiusd.conf and huntgroup files that work.
** huntgroups **
admin NAS-IP-Address == 192.168.1.1
Session-Timeout = 60,
Idle-Timeout = 30
public NAS-IP-Address ==
Hi,
I have 4 NAS-IP-Addresses.
My users are split into 6 groups (some are in multiple
groups): public, faculty, staff, student, vpn, and admin.
I would like the users to get access to the NAS by virtue of
being in a group.
192.168.1.1
admin
192.168.1.2
vpn
I know this question has been asked many times before. I have searched
the archives and I have tried what I've found there, but I can't seem to
get this working.
RedHat EL 4 (managed through RHN, so latest available versions)
freeradius-1.0.1-3
openldap-2.2.13-6
I have 4 NAS-IP-Addresses.
My
Is there a mechanism with LDAP authentication that I don't
understand? According to me, as soon as freeradius found in LDAP the
user with the right password it should authorize access.
this is my radiusd.conf (samples)
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use
check plain-text password against
# the ldap database, which means that EAP won't work,
# as it does not supply a plain-text password.
Auth-Type LDAP {
ldap
}
Read the comments.
with LDAP authentication that I don't understand? According to me
as soon as freeradius
All,
Is it possible to have freeradius bind to ldap using the username and
password provided in the access-request?
For example in the ldap module have some sort of variable in the Identity=
field.
Thank you
Corey
List info/subscribe/unsubscribe? See http
[EMAIL PROTECTED] (Corey Burks) wrote:
Is it possible to have freeradius bind to ldap using the username and
password provided in the access-request?
Yes. The server does this by simply enabling LDAP.
Alan DEKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list
I have freeradius and LDAP authenticating nicely. The problem I am
running into is that when I id a user, it only shows the primary group
that user is a member of. How can I get FreeRadius to report the other
groups that the user belongs to?
Mark Litchfield
Sorry I don't understand. Can you
|_uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
I have freeradius and LDAP authenticating nicely. The problem I am
running into is that when I id a user, it only shows the primary group
that user is a member of. How can I get FreeRadius to report the other
groups that the user belongs
: group3
| uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
|_uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
I have freeradius and LDAP authenticating nicely. The problem I am
running into is that when I id a user, it only shows the primary group
that user is a member
Adi Nugraha [EMAIL PROTECTED]
04/11/2005 11:44 PM
To: freeradius-users@lists.freeradius.org, Douglas Sterner [EMAIL PROTECTED]
cc: samba@lists.samba.org, [EMAIL PROTECTED]
Subject: Re: [Samba] Time to give back, Samba LDAP with FreeRadius
Hi
I'd like
If this is off topic I apologize in
advance. Using Samba 3.0.13 with an LDAP back-end and FreeRadius I was
trying to add the Radius schema and kept getting object class violations.
It's my limited understanding of LDAP that you can not have more than one
structural objectclass. I'm no ldap expert
Hello Justin.
On Thursday, 24 February 2005 15:36, Justin Guidroz wrote:
TTLS + PAP has worked for me out of the box with FreeRADIUS. The only
changes I have made to the EAP settings is to point FreeRADIUS to my
server certificates. The server does the rest.
There is more to setting up
Rok Papez [EMAIL PROTECTED] wrote:
On Thursday, 24 February 2005 15:36, Justin Guidroz wrote:
TTLS + PAP has worked for me out of the box with FreeRADIUS. The only
changes I have made to the EAP settings is to point FreeRADIUS to my
server certificates. The server does the rest.
TTLS + PAP has worked for me out of the box with FreeRADIUS. The only
changes I have made to the EAP settings is to point FreeRADIUS to my
server certificates. The server does the rest.
Justin
On Thu, 24 Feb 2005 08:18:48 +0100, Rok Papez [EMAIL PROTECTED] wrote:
Hello Chan Min Wai.
Dne
Rok Papez wrote:
Hello Chan Min Wai.
On Thursday, 24 February 2005 07:28, Chan Min Wai wrote:
Anyone have a good documentation on this part?
I have some documentation (system set-up instructions). If it's
any good for you, you'll
Greeting,
Anyone have a good documentation on this part?
I've correctly made my freeradius work with EAP_MD5,
although I need to specify the auth-type as EAP, otherwise the auth
doesn't really work with EAP. (I suspect it might be a config problem)
Hello Chan Min Wai.
On Thursday, 24 February 2005 07:28, Chan Min Wai wrote:
Anyone have a good documentation on this part?
I have some documentation (system set-up instructions). If it's
any good for you, you'll have to judge by yourself.
I've correctly made my freeradius work with
52 matches