(RADIATOR) ldap auth problem
Hugh Irvine
hugh at open.com.au
Wed Jan 18 15:34:52 CST 2006
Hello Alex -
What is shown in the packet dumps preceding the debug you show below
- specifically what format is the incoming password in?
Any form of CHAP/MSCHAP will not work with encrypted passwords in
your LDAP database (but as you have seen cleartext will).
regards
Hugh
On 18 Jan 2006, at 22:08, Alexander Sharaz wrote:
> Chaps,
>
> Yesterday I was using
> <AuthBy LDAP2>
> Identifier checkByLdap
> Version 3
> Host slb-ldap.hull.ac.uk
> BaseDN ou=People,dc=ldapauth
> Scope subtree
> UsernameAttr uid
> PasswordAttr UserPassword
> AuthDN cn=FRED, dc=FRED
> AuthPassword FRED
> HoldServerConnection
> Debug 255
> AddToReplyIfNotExist
> Tunnel-Type=VLAN,Tunnel-Medium-Type=Ether_802,Tunnel-Private-Group-
> ID=74
> 0
> EAPType TTLS,PEAP,MSCHAP-V2,MD5-Challenge,TLS
> EAPTLS_CAFile /etc/radiator/certificates/chain.pem
> EAPTLS_CertificateFile /etc/radiator/certificates/chain.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/radiator/certificates/server.key
> EAPTLS_PrivateKeyPassword
> AutoMPPEKeys
> Debug 255
> </AuthBy>
> To authenticate my Odyssey test pc to our ldap server. And everything
> worked.
>
> Today, I changed my password on the ldap server ( which hasn't been
> changed for about a year) after which any authentication fails.
> All my (java) based progs on the same system work just fine against
> the
> new password and proxying off to another standby radius server
> which has
> the same password also works. I think the change is that my password
> used to be in the LDAP server as cleartext and is now there in the
> form
> {crypt}<whatever it is>
>
> I'm running Radiator 3.14 on a RHEL4 server
>
> It's been suggested that I need to recompile the ldap libraries with a
> crypt option.
>
> Does that sound right?
>
> Here's the radiator logfile:-
>
> Wed Jan 18 10:50:31 2006: DEBUG: Handling with Radius::AuthLDAP2:
> checkByLdap
> Wed Jan 18 10:50:31 2006: INFO: Connecting to slb-ldap.hull.ac.uk,
> port
> 389
> Wed Jan 18 10:50:31 2006: INFO: Attempting to bind to LDAP server
> slb-ldap.hull.ac.uk:389
> Wed Jan 18 10:50:31 2006: DEBUG: LDAP got result for
> uid=ccsas,ou=People,dc=ldapauth
> Wed Jan 18 10:50:31 2006: DEBUG: LDAP got userPassword:
> {crypt}4EeG/zDTPf976
> Wed Jan 18 10:50:31 2006: DEBUG: Radius::AuthLDAP2 looks for match
> with
> ccsas [ccsas]
> Wed Jan 18 10:50:31 2006: DEBUG: Radius::AuthLDAP2 REJECT: Bad
> Password:
> ccsas [ccsas]
> Wed Jan 18 10:50:31 2006: DEBUG: No entries for DEFAULT found in LDAP
> database
> Wed Jan 18 10:50:31 2006: DEBUG: AuthBy LDAP2 result: REJECT, Bad
> Password
> Wed Jan 18 10:50:31 2006: INFO: Access rejected for ccsas: Bad
> Password
> Wed Jan 18 10:50:31 2006: DEBUG: Returned TTLS tunnelled Diameter
> Packet
> dump:
> Code: Access-Reject
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list