Solved

FreeRadius, OpenLDAP, Samba, Libnss

Posted on 2006-11-06
1,051 Views
Last Modified: 2008-03-03
I currently have OpenLDAP storing posixAccounts and sambaSamAccounts.  I am now trying to get my firewall/VPN to authenticate remote VPN users off of the OpenLDAP server in some sort of a secure fashion (or any fashion at this point).  I have gotten FreeRADIUS to work properly for local Unix accounts and partially for OpenLDAP posix accounts using clear text.  I am trying to get the VPN to utilize the sambaNTPassword attribute.

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in <FOO BAR>, with filter (uid=efaden)
rlm_ldap: checking if remote access for <ME> is allowed by dialupAccess
rlm_ldap: Added password <sambaNTPassword String> in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNTPassword as NT-Password, value <sambaNTPassword String> & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value <sambaLMPassword String> & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user efaden authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1

That is the debugging output from FreeRADIUS.  This is what happens with the LDAP passwordAttribute set to sambaNTPassword.  What am I doing wrong?  I believe that mschap is not actually loading.  Anyone?
Question by:efaden
2 Comments
 
LVL 40

Accepted Solution

by:
noci earned 500 total points
ID: 17888439
Many protocols use something known as Challenge/Response or certificate-type information. These can only be handled if RADIUS can replay this challenge/response, i.e. it gets the challenge and response from the NAS (firewall, VPN device); using the challenge plus the unencrypted password should yield the same response. If equal, the password fitted; if not, then alas, a different password was used at the NAS's end.

Also, have you looked (with Google) at the FreeRADIUS mailing list? There is a lot of information there.

