Solved

FreeRadius, OpenLDAP, Samba, Libnss

Posted on 2006-11-06
Last Modified: 2008-03-03
I currently have OpenLDAP storing posixAccounts and sambaSamAccounts.  I am now trying to get my firewall/VPN to authenticate remote VPN users off of the OpenLDAP server in some sort of secure fashion (or any fashion at this point).  I have gotten FreeRadius to work properly for local Unix accounts and partially for OpenLDAP posix accounts using clear text.  I am trying to get the VPN to utilize the sambaNTPassword attribute.

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in <FOO BAR>, with filter (uid=efaden)
rlm_ldap: checking if remote access for <ME> is allowed by dialupAccess
rlm_ldap: Added password <sambaNTPassword String> in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaNTPassword as NT-Password, value <sambaNTPassword String> & op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value <sambaLMPassword String> & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user efaden authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1

That is the debugging output from FreeRadius.  This is what happens with the LDAP passwordAttribute set to sambaNTPassword.  What am I doing wrong?  I believe that mschap is not actually loading.  Anyone?
Question by: efaden
 
Accepted Solution by: noci (earned 500 total points)
ID: 17888439
Many protocols use something known as Challenge/Response or certificate-type information. These can only be handled if RADIUS can replay this challenge/response (i.e. it gets the challenge & response from the NAS (firewall, VPN device); using challenge + unencrypted password should yield the same response). If equal, the password fitted; if not, then alas, a different password was used at the NAS's end.

Also, have you looked (with Google) at the FreeRADIUS mailing list? There is a lot of information there.

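For readers hitting the same debug output, here is an added configuration example; it is not part of the original thread and is neither the asker's nor noci's configuration. It uses FreeRADIUS 1.x syntax (current when the question was posted) and assumes a Samba 3 schema in OpenLDAP under ou=People,dc=example,dc=com, a read-only bind DN, and a VPN device at 192.0.2.10; every hostname, DN, secret and address is a placeholder. Two things the debug output already tells you: the line "Added password <sambaNTPassword String> in check items" comes from password_attribute and puts the hex NT hash into a cleartext User-Password check item, which can never match a typed password; and "mschap returns noop" in authorize means the Access-Request carried no MS-CHAP-Challenge and MS-CHAP-Response (or MS-CHAP2-Response) attributes, so rlm_mschap had nothing to claim and never set Auth-Type. A module that had failed to load would not appear in the modcall output at all, so the VPN device is most likely sending PAP (or CHAP) to RADIUS rather than MS-CHAP. The weak password_attribute setting is shown beside the corrected mapping.

```conf
# radiusd.conf (FreeRADIUS 1.x syntax) -- added example, not the poster's config.
# Hostnames, DNs, secrets and the NAS address below are placeholders.

modules {
    ldap {
        server    = "ldap.example.com"
        identity  = "cn=radius,dc=example,dc=com"   # bind DN allowed to read sambaNTPassword
        password  = "change-me"
        basedn    = "ou=People,dc=example,dc=com"
        filter    = "(&(objectClass=sambaSamAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        start_tls = yes          # password hashes leave the directory; do not fetch them in the clear

        # WEAK: this is what produced "Added password ... in check items" in the debug output.
        # password_attribute adds the attribute value as a cleartext User-Password check item,
        # so a PAP login compares the user's typed password against the hex NT hash and fails.
        # password_attribute = sambaNTPassword

        # CORRECT: leave password_attribute at its default and map the Samba hashes through
        # ldap.attrmap (below) so they arrive as NT-Password / LM-Password check items,
        # exactly as the "Adding sambaNTPassword as NT-Password" debug lines show.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }

    mschap {
        authtype           = MS-CHAP
        use_mppe           = yes
        require_encryption = yes
        require_strong     = yes    # refuse MS-CHAPv1 responses and 40-bit MPPE keys
    }

    pap {
        encryption_scheme = clear   # rlm_pap also knows how to check NT-Password items
    }
}

authorize {
    preprocess
    mschap      # sets Auth-Type = MS-CHAP only if MS-CHAP-Challenge + MS-CHAP(2)-Response are present
    ldap        # pulls NT-Password / LM-Password out of the sambaSamAccount entry
    pap         # if the NAS sent PAP instead, rlm_pap claims the request as Auth-Type = PAP
}

authenticate {
    Auth-Type MS-CHAP {
        mschap  # recomputes the expected response from the challenge and the stored NT hash
    }
    Auth-Type PAP {
        pap     # NT-hashes the cleartext User-Password and compares it with NT-Password
    }
}

# ldap.attrmap -- the two lines that turn the Samba 3 hashes into RADIUS check items
checkItem   NT-Password   sambaNTPassword
checkItem   LM-Password   sambaLMPassword

# clients.conf -- the firewall/VPN device that forwards logins to RADIUS
client 192.0.2.10 {
    secret    = "long-random-shared-secret"
    shortname = vpn-fw
}
```

Restart with `radiusd -X` and log in once. If the NAS really is sending MS-CHAPv2 you will see rlm_mschap report that it found MS-CHAP attributes and is setting Auth-Type = MS-CHAP, followed by the `Auth-Type MS-CHAP` section running; if mschap still returns noop, the VPN device is not speaking MS-CHAP to RADIUS and its RADIUS authentication method must be changed on the device. With PAP the NT-Password check item still works, but the password crosses the NAS-to-RADIUS link protected only by the RADIUS shared-secret obfuscation. Plain CHAP cannot be verified against an NT hash at all, because CHAP needs the cleartext password on the server side.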
