FreeRadius, OpenLDAP, Samba, Libnss

Posted on 2006-11-06
Last Modified: 2008-03-03
I currently have OpenLDAP storing posixAccounts and sambaSamAccounts. I am now trying to get my firewall/vpn to authenticate remote vpn users off of the OpenLDAP server in some sort of a secure fashion (or any fashion at this point). I have gotten FreeRadius to work properly for local unix accounts and partially for OpenLDAP posix accounts using clear text. I am trying to get the VPN to utilize the sambaNTPassword attribute.

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in <FOO BAR>, with filter (uid=efaden)
rlm_ldap: checking if remote access for <ME> is allowed by dialupAccess
rlm_ldap: Added password <sambaNTPassword String> in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNTPassword as NT-Password, value <sambaNTPassword String> & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value <sambaLMPassword String> & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user efaden authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1

That is the debugging output from FreeRadius.  This is what happens with the LDAP passwordAttribute set to sambaNTPassword.  What am I doing wrong?  I believe that mschap is not actually loading.  Anyone?
Question by: efaden

Accepted Solution by: noci (ID: 17888439)
Many protocols use something known as Challenge/Response or certificate-type information. These can only be handled if RADIUS can replay this challenge/response (i.e. it gets the challenge & response from the NAS (firewall, VPN device); using the challenge + unencrypted password should yield the same response). If equal, the password fitted; if not, then alas, a different password was used at the NAS's end.

Also, have you looked (with Google) at the FreeRADIUS mailing list? There is a lot of information there.

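Worked example, added here and not part of the question, the accepted answer, or FreeRADIUS itself: what the "Adding sambaNTPassword as NT-Password" check item in the debug output makes possible for a clear-text (PAP) request. sambaNTPassword holds the NT hash (MD4 of the UTF-16LE password) as hex, so a server can hash the cleartext it received and compare; for an MS-CHAP request the server would instead need the NAS's challenge and response, as noci describes, which this example does not cover. MD4 is implemented inline because hashlib's md4 is frequently disabled on modern OpenSSL builds; the directory entry below is constructed, not taken from the original setup.

```python
import hmac

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used because hashlib.new('md4') is often unavailable."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += (len(data) * 8).to_bytes(8, "little")
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (round function, additive constant, word order, shift amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = [int.from_bytes(msg[off + 4 * i:off + 4 * i + 4], "little") for i in range(16)]
        a, b, c, d = h
        for f, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + f(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the same line serves all four steps
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return b"".join(x.to_bytes(4, "little") for x in h)

def nt_hash(password: str) -> bytes:
    """NT hash as stored in sambaNTPassword: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))

def pap_matches_samba_nt(samba_nt_password: str, cleartext: str) -> bool:
    """PAP check against an NT-Password item: hash the received cleartext, compare in constant time."""
    stored = bytes.fromhex(samba_nt_password)
    return hmac.compare_digest(stored, nt_hash(cleartext))

# Constructed sample entry (hypothetical); the hex is the well-known NT hash of "password".
SAMPLE_ENTRY = {"uid": "efaden", "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C"}

if __name__ == "__main__":
    print(pap_matches_samba_nt(SAMPLE_ENTRY["sambaNTPassword"], "password"))   # True
    print(pap_matches_samba_nt(SAMPLE_ENTRY["sambaNTPassword"], "Password"))   # False
```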