(RADIATOR) LDAP2 servercheckpassword
Barry Ard
barry.ard at ualberta.ca
Tue Jun 17 16:01:49 CDT 2008
I am having problems getting eduroam working in our environment. We use
Radiator to successfully authenticate local users using the PEAP and
EAP-TTLS EAP types. Our handlers authenticate against an LDAP directory
server that stores NT hash passwords in the case of PEAP, and bind to LDAP
in the case of TTLS. This works locally.
The TTLS handler looks like:
<AuthBy LDAP2>
        Identifier LDAPAuthTTLS
        Host directory.srv.ualberta.ca
        BaseDN ou=people,dc=ualberta,dc=ca
        HoldServerConnection
        ServerChecksPassword
        UsernameMatchesWithoutRealm yes
        UseSSL
        SSLVerify require
        SSLCAPath /etc/ssl/certs
        EAPType TTLS
        EAPTLS_CAPath /etc/ssl/certs
        EAPTLS_CertificateType PEM
        EAPTLS_CertificateFile /etc/ssl/public/%h.crt
        EAPTLS_PrivateKeyFile /etc/ssl/private/%h.key
        EAPTLS_RandomFile %D/random
        EAPTLS_MaxFragmentSize 1024
        EAPTTLS_NoAckRequired
        AutoMPPEKeys
</AuthBy>
Now that I am trying to get eduroam working, remote clients, using TTLS
give this error in the log:
Tue Jun 17 14:27:30 2008: DEBUG: EAP TTLS inner authentication request
for XXXXXXXX at ualberta.ca
Tue Jun 17 14:27:30 2008: DEBUG: Handling request with Handler
'TunnelledByTTLS=1, Realm=/ualberta\.ca/i'
Tue Jun 17 14:27:30 2008: DEBUG: Deleting session for
XXXXXXXX at ualberta.ca, 136.159.77.203,
Tue Jun 17 14:27:30 2008: DEBUG: Handling with Radius::AuthLDAP2:
LDAPAuthTTLS
Tue Jun 17 14:27:30 2008: INFO: Connecting to directory.srv.ualberta.ca:636
Tue Jun 17 14:27:30 2008: INFO: Attempting to bind to LDAP server
directory.srv.ualberta.ca:636
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got result for
uid=XXXXXXXX,ou=people,dc=ualberta,dc=ca
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got cn: XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got gidNumber: 99
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got givenName: XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got homeDirectory:
/afs/ualberta.ca/home/a/p/XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got mail: XXXXXXXX at ualberta.ca
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got sn: XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got uid: XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got uidNumber: 33657
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got displayName: XXXXXXXX
Tue Jun 17 14:27:30 2008: DEBUG: Radius::AuthLDAP2 looks for match with
XXXXXXXX [XXXXXXXX at ualberta.ca]
Tue Jun 17 14:27:30 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted
password: XXXXXXXX [XXXXXXXX at ualberta.ca]
Tue Jun 17 14:27:30 2008: DEBUG: No entries for DEFAULT found in LDAP
database
Tue Jun 17 14:27:30 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad
Encrypted password
Tue Jun 17 14:27:30 2008: INFO: Access rejected for
XXXXXXXX at ualberta.ca: Bad Encrypted password
I should note that PEAP isn't working at this point either, but I
thought that if a handler specifies 'ServerChecksPassword' and the log shows a
successful bind then authentication is successful. What's up with:
Radius::AuthLDAP2 looks for match with XXXXXXXX [XXXXXXXX at ualberta.ca]
Radius::AuthLDAP2 REJECT: Bad Encrypted password: XXXXXXXX
[XXXXXXXX at ualberta.ca]
--
=================================================================
Barry Ard barry.ard at ualberta.ca
Network Operations
Academic Information and Communication Technologies (AICT)
University of Alberta
Edmonton, Alberta Canada
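The log excerpt above is the kind of thing one ends up reading line by line when a roaming user is rejected. The following is an added example (editor's code, not the poster's configuration and not part of Radiator) that re-joins Radiator DEBUG/INFO lines wrapped by a mail archive, pulls out the facts worth checking for one TTLS inner request (handler chosen, AuthBy, LDAP host, whether a bind was attempted, the entry's DN, returned attributes, final result and reason), and turns them into a troubleshooting hint. The sample log lines are constructed after the ones in the post with placeholder user, realm and host names; the hint strings are the editor's, not Radiator's messages. The one fact the hints rely on is that Radiator's ServerChecksPassword verifies a user by binding with the plaintext password from the inner request, so it only applies when the inner method is PAP.

```python
"""Triage one Radiator EAP-TTLS inner request from archived log lines."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One Radiator log line: "<ctime timestamp>: <LEVEL>: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}): "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)


def join_wrapped(text: str) -> List[str]:
    """Re-join lines a mail client or archive wrapped: a physical line that
    does not start with a timestamp continues the previous logical line."""
    logical: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if LINE_RE.match(line) or not logical:
            logical.append(line)
        else:
            logical[-1] = logical[-1] + " " + line.lstrip()
    return logical


@dataclass
class InnerRequest:
    user: Optional[str] = None
    handler: Optional[str] = None
    authby: Optional[str] = None
    ldap_host: Optional[str] = None
    bind_attempted: bool = False
    dn: Optional[str] = None
    attrs: Dict[str, str] = field(default_factory=dict)
    result: Optional[str] = None
    reason: Optional[str] = None


# Message patterns taken from the Radiator DEBUG/INFO lines quoted in the post.
FIELD_PATTERNS = [
    ("user", re.compile(r"EAP TTLS inner authentication request for (.+)$")),
    ("handler", re.compile(r"Handling request with Handler '(.+)'$")),
    ("authby", re.compile(r"Handling with Radius::\w+: (\S+)$")),
    ("ldap_host", re.compile(r"^Connecting to (\S+)$")),
    ("dn", re.compile(r"LDAP got result for (.+)$")),
]
RESULT_RE = re.compile(r"AuthBy \S+ result: (\w+), (.+)$")
ATTR_RE = re.compile(r"LDAP got (\w+): (.*)$")


def parse_request(text: str) -> InnerRequest:
    req = InnerRequest()
    for line in join_wrapped(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "Attempting to bind to LDAP server" in msg:
            req.bind_attempted = True
            continue
        r = RESULT_RE.match(msg)
        if r:
            req.result, req.reason = r.group(1), r.group(2).strip()
            continue
        a = ATTR_RE.match(msg)
        if a:
            req.attrs[a.group(1)] = a.group(2).strip()
            continue
        for name, pat in FIELD_PATTERNS:
            p = pat.search(msg)
            if p:
                setattr(req, name, p.group(1).strip())
                break
    return req


def triage(req: InnerRequest) -> str:
    """Editor's troubleshooting hints, ordered from outer to inner failure."""
    if req.result == "ACCEPT":
        return "accepted"
    if req.handler is None or req.authby is None:
        return "no Handler/AuthBy selected: check Handler Realm patterns"
    if req.ldap_host is None or not req.bind_attempted:
        return "directory not contacted: check Host, port and TLS settings"
    if req.dn is None:
        return "user entry not found: check BaseDN, SearchFilter and realm stripping"
    if req.reason and "password" in req.reason.lower():
        return ("entry found but password check failed: ServerChecksPassword binds "
                "with the inner request's plaintext (PAP) password, so confirm the "
                "inner method and which password attribute is actually compared")
    return f"rejected: {req.reason}"


# Constructed sample, modelled on the post; names and host are placeholders.
SAMPLE_LOG = r"""
Tue Jun 17 14:27:30 2008: DEBUG: EAP TTLS inner authentication request
for jdoe@example.org
Tue Jun 17 14:27:30 2008: DEBUG: Handling request with Handler
'TunnelledByTTLS=1, Realm=/example\.org/i'
Tue Jun 17 14:27:30 2008: DEBUG: Handling with Radius::AuthLDAP2:
LDAPAuthTTLS
Tue Jun 17 14:27:30 2008: INFO: Connecting to ldap.example.org:636
Tue Jun 17 14:27:30 2008: INFO: Attempting to bind to LDAP server
ldap.example.org:636
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got result for
uid=jdoe,ou=people,dc=example,dc=org
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got uid: jdoe
Tue Jun 17 14:27:30 2008: DEBUG: LDAP got uidNumber: 33657
Tue Jun 17 14:27:30 2008: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted
password: jdoe [jdoe@example.org]
Tue Jun 17 14:27:30 2008: DEBUG: AuthBy LDAP2 result: REJECT, Bad
Encrypted password
Tue Jun 17 14:27:30 2008: INFO: Access rejected for
jdoe@example.org: Bad Encrypted password
"""

if __name__ == "__main__":
    request = parse_request(SAMPLE_LOG)
    print(request)
    print(triage(request))
```

Run it on a real excerpt by pasting the lines into SAMPLE_LOG or reading them from a file; the wrapped-line handling is what lets the archived form of the log be parsed without first straightening it by hand.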
--
Archive at http://www.open.com.au/archives/radiator/