
List:       freeradius-users
Subject:    v3.1.x - Directory specific admonitions
From:       Arran Cudbard-Bell <a.cudbardb () freeradius ! org>
Date:       2016-01-30 1:18:32
Message-ID: 38854163-DF2A-44A6-BC9E-B394541756A5 () freeradius ! org



Added some basic directory fingerprinting...

rlm_ldap (ldap) - Opening additional connection (0), 1 of 24 pending slots used
rlm_ldap (ldap) - Connecting to ldap://192.168.43.57:389
rlm_ldap (ldap) - Waiting for bind result...
rlm_ldap (ldap) - Bind successful
rlm_ldap (ldap) - Performing search in "" with filter "(objectclass=*)", scope "base"
rlm_ldap (ldap) - Waiting for search result...
rlm_ldap (ldap) - Directory type: OpenLDAP

/*
 *	Only complain if none of the attributes rlm_ldap treats as a
 *	"known good" password ended up in the control list.
 */
if (!fr_pair_find_by_num(request->config, 0, PW_CLEARTEXT_PASSWORD, TAG_ANY) &&
    !fr_pair_find_by_num(request->config, 0, PW_NT_PASSWORD, TAG_ANY) &&
    !fr_pair_find_by_num(request->config, 0, PW_USER_PASSWORD, TAG_ANY) &&
    !fr_pair_find_by_num(request->config, 0, PW_PASSWORD_WITH_HEADER, TAG_ANY) &&
    !fr_pair_find_by_num(request->config, 0, PW_CRYPT_PASSWORD, TAG_ANY)) {
	/*
	 *	Directories which never hand out passwords over LDAP get a
	 *	type specific admonition.  Directories which do return
	 *	cleartext passwords, and anything we couldn't fingerprint,
	 *	get the generic "check your permissions" message.
	 */
	if (!inst->directory->cleartext_password) switch (inst->directory->type) {
		case LDAP_DIRECTORY_ACTIVE_DIRECTORY:
			RWDEBUG("!!! Found map between LDAP attribute and a FreeRADIUS password attribute");
			RWDEBUG("!!! Active Directory does not allow passwords to be read via LDAP");
			RWDEBUG("!!! Remove the password map and either:");
			RWDEBUG("!!!  - List %s in the authenticate section, and set attribute "
				"&control:Auth-Type := '%s' (pap only)", inst->name, inst->name);
			RWDEBUG("!!!  - Configure authentication via ntlm_auth (mschapv2 only)");
			RWDEBUG("!!!  - Configure authentication via wbclient (mschapv2 only)");
			break;

		case LDAP_DIRECTORY_EDIRECTORY:
			RWDEBUG("!!! Found map between LDAP attribute and a FreeRADIUS password attribute");
			RWDEBUG("!!! eDirectory does not allow passwords to be retrieved via LDAP search");
			RWDEBUG("!!! Remove the password map and either:");
			RWDEBUG("!!!  - Set 'edir = yes' and enable the universal password feature on your "
				"eDir server (recommended)");
			RWDEBUG("!!!  - List %s in the authenticate section, and set attribute "
				"&control:Auth-Type := '%s' (pap only)", inst->name, inst->name);
			break;

		default:
		no_password:
			/*
			 *	Name the bind identity when we have one, so the admin
			 *	knows which account needs read access to the password
			 *	attribute.  Otherwise tell them to configure one.
			 */
			if (inst->admin_identity) {
				RWDEBUG("No \"known good\" password added.  Ensure \"%s\" has permission to "
					"read the user's password attribute", inst->admin_identity);
			} else {
				RWDEBUG("No \"known good\" password added.  Set 'identity' to the dn of an "
					"account that has permission to read the user's password attribute");
			}

			break;
	} else goto no_password;	/* cleartext directory: skip the type specific warnings */
}

The first user to post either of those messages to the list earns an instaban ;)

-Arran
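The two steps the post describes, fingerprinting the directory from its rootDSE (the base scope "(objectclass=*)" search in the debug output) and then deciding which admonition applies when no "known good" password was added, as a stand-alone Python example. This is added illustration, not FreeRADIUS or rlm_ldap code: the rootDSE attributes used to tell the directory types apart are heuristics assumed here rather than rlm_ldap's exact rules, and the sample rootDSE entries are constructed, so nothing here contacts a live server.

```python
# Added example (not rlm_ldap code).  Step 1: classify a directory from its
# rootDSE.  Step 2: reproduce the admonition logic from the post in Python.

ACTIVE_DIRECTORY = "Active Directory"
EDIRECTORY = "eDirectory"
OPENLDAP = "OpenLDAP"
UNKNOWN = "Unknown"

# Attributes rlm_ldap treats as a "known good" password (from the post).
KNOWN_GOOD_PASSWORD_ATTRS = (
    "Cleartext-Password", "NT-Password", "User-Password",
    "Password-With-Header", "Crypt-Password",
)

# Constructed rootDSE samples (what a base scope "(objectclass=*)" search
# against "" would return), trimmed to the attributes the heuristics use.
SAMPLE_ROOTDSE = {
    "ad": {"forestFunctionality": ["7"], "isGlobalCatalogReady": ["TRUE"],
           "dnsHostName": ["dc1.example.test"]},
    "edir": {"vendorName": ["Novell, Inc."],
             "vendorVersion": ["LDAP Agent for NetIQ eDirectory 8.8"]},
    "openldap": {"objectClass": ["top", "OpenLDAProotDSE"]},
}


def fingerprint(rootdse):
    """Classify a directory from its rootDSE attributes (dict of lists).

    Assumed heuristics: AD advertises forest / global catalog attributes,
    eDirectory identifies itself through vendorName, OpenLDAP through the
    OpenLDAProotDSE objectClass.  Anything else is reported as Unknown.
    """
    norm = {k.lower(): [str(v) for v in vals] for k, vals in rootdse.items()}
    vendor = " ".join(norm.get("vendorname", [])).lower()
    if "forestfunctionality" in norm or "isglobalcatalogready" in norm:
        return ACTIVE_DIRECTORY
    if "novell" in vendor:
        return EDIRECTORY
    if any(oc.lower() == "openldaprootdse" for oc in norm.get("objectclass", [])):
        return OPENLDAP
    return UNKNOWN


def password_admonition(control, directory_type, *, cleartext_password=False,
                        admin_identity=None, instance="ldap"):
    """Return the warning lines rlm_ldap would log, or [] if a known good
    password attribute is present in the control list."""
    if any(attr in control for attr in KNOWN_GOOD_PASSWORD_ATTRS):
        return []

    # Generic message: name the bind identity when we know it.
    if admin_identity:
        generic = (f'No "known good" password added.  Ensure "{admin_identity}" '
                   "has permission to read the user's password attribute")
    else:
        generic = ('No "known good" password added.  Set \'identity\' to the dn '
                   "of an account that has permission to read the user's "
                   "password attribute")

    # Directories which do return cleartext passwords skip the type specific
    # warnings (the "goto no_password" path in the post).
    if cleartext_password:
        return [generic]

    if directory_type == ACTIVE_DIRECTORY:
        return [
            "Found map between LDAP attribute and a FreeRADIUS password attribute",
            "Active Directory does not allow passwords to be read via LDAP",
            "Remove the password map and either:",
            f" - List {instance} in the authenticate section, and set attribute "
            f"&control:Auth-Type := '{instance}' (pap only)",
            " - Configure authentication via ntlm_auth (mschapv2 only)",
            " - Configure authentication via wbclient (mschapv2 only)",
        ]
    if directory_type == EDIRECTORY:
        return [
            "Found map between LDAP attribute and a FreeRADIUS password attribute",
            "eDirectory does not allow passwords to be retrieved via LDAP search",
            "Remove the password map and either:",
            " - Set 'edir = yes' and enable the universal password feature on "
            "your eDir server (recommended)",
            f" - List {instance} in the authenticate section, and set attribute "
            f"&control:Auth-Type := '{instance}' (pap only)",
        ]
    return [generic]


if __name__ == "__main__":
    for name, rootdse in SAMPLE_ROOTDSE.items():
        dtype = fingerprint(rootdse)
        print(f"{name}: Directory type: {dtype}")
        for line in password_admonition({}, dtype, admin_identity="cn=admin,dc=example,dc=test"):
            print("  !!!", line)
```

Running the module prints the detected type for each constructed rootDSE and the admonition an empty control list would trigger; in a real deployment the rootDSE dict would come from the same base scope search shown in the debug output above.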
