FreeRadius, OpenLDAP, Samba, Libnss

Posted on 2006-11-06
Last Modified: 2008-03-03
I currently have OpenLDAP storing posixAccounts and sambaSamAccounts. I am now trying to get my firewall/VPN to authenticate remote VPN users off of the OpenLDAP server in some sort of a secure fashion (or any fashion at this point). I have gotten FreeRADIUS to work properly for local Unix accounts and partially for OpenLDAP posix accounts using clear text. I am trying to get the VPN to utilize the sambaNTPassword attribute.

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in <FOO BAR>, with filter (uid=efaden)
rlm_ldap: checking if remote access for <ME> is allowed by dialupAccess
rlm_ldap: Added password <sambaNTPassword String> in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNTPassword as NT-Password, value <sambaNTPassword String> & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value <sambaLMPassword String> & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user efaden authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1

That is the debugging output from FreeRadius.  This is what happens with the LDAP passwordAttribute set to sambaNTPassword.  What am I doing wrong?  I believe that mschap is not actually loading.  Anyone?
Question by:efaden
Accepted Solution

by: noci (earned 500 total points)
Many protocols use something known as Challenge/Response or certificate-type information. These can only be handled if RADIUS can replay this challenge/response (i.e. it gets the challenge and response from the NAS (firewall, VPN device); using the challenge + unencrypted password should yield the same response). If equal, the password fitted; if not, then alas, a different password was used at the NAS's end.

Also, have you looked (with Google) at the FreeRADIUS mailing list? There is a lot of information there.

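The replay noci describes, for the MS-CHAPv2 case behind efaden's debug output, as an added example in Go (not code from this thread, FreeRADIUS or Samba): rlm_mschap can only recompute the response the NAS relayed because rlm_ldap turned sambaNTPassword into an NT-Password check item, so the server never needs the clear-text password. It assumes the RFC 2759 algorithm and its section 9.2 test-vector inputs; the function names are mine.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

// challengeHash: MS-CHAPv2 does not encrypt the raw challenge but the first
// 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// desKey spreads a 7-byte key fragment over 8 bytes; the low bit of each byte is
// a DES parity bit, which crypto/des ignores, so it is not fixed up here.
func desKey(k []byte) []byte {
	return []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
}

// ntResponse builds the 24-byte NT-Response from the 16-byte NT hash (the value
// stored in sambaNTPassword): zero-pad the hash to 21 bytes, split it into three
// 7-byte DES keys, and encrypt the 8-byte challenge under each of them.
func ntResponse(ntHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(padded[i*7 : i*7+7])) // 8-byte key: cannot fail
		c.Encrypt(out[i*8:], challenge)
	}
	return out
}

// verifyMSCHAPv2 is the check the RADIUS server performs with the NT-Password
// item taken from the directory: recompute the response from the stored hash
// and compare it, in constant time, with the response the NAS relayed.
func verifyMSCHAPv2(ntHashHex string, peer, auth []byte, user string, response []byte) (bool, error) {
	ntHash, err := hex.DecodeString(ntHashHex)
	if err != nil || len(ntHash) != 16 || len(peer) != 16 || len(auth) != 16 {
		return false, errors.New("bad sambaNTPassword value or malformed MS-CHAPv2 challenge")
	}
	expected := ntResponse(ntHash, challengeHash(peer, auth, user))
	return subtle.ConstantTimeCompare(expected, response) == 1, nil
}
```

A mismatch here is exactly the "different password was used at the NAS's end" case; a missing or non-hex NT-Password item is reported as an error rather than a failed login so the two can be told apart in the logs.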