Dear all,
I'm new in SER and i have a serius problem about implementing the authentication system from LDAP;
SER<->freeRADIUS<->LDAP(user/pass(encrypted));
We have installed SER + Freeradius + LDAP system, the SER parts of configuration works fine.
if any SIP client coming into the SER the auth_radius modul forward the request correctly to the freeradius:
the problem is the following:
rad_recv: Access-Request packet from host 127.0.0.1:50272, id=36, length=197 User-Name = "test@test.hu" Digest-Attributes = 0x0a076779656269 Digest-Attributes = 0x010d667265656d61696c2e6875 Digest-Attributes = 0x022a34326337353933653330366534626363613836343837343332646635383363366139636364383038 Digest-Attributes = 0x04117369703a667265656d61696c2e6875 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "204aea65f72efb70b809ed425bec099c" Service-Type = Sip-Session Sip-Uri-User = "test" NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 4 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "test" Digest-Realm = "test.hu" Digest-Nonce = "42c7593e306e4bcca86487432df583c6a9ccd808" Digest-URI = "sip:test.hu" Digest-Method = "REGISTER" rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 4 rlm_realm: Looking up realm "test.hu" for User-Name = test@test.hu rlm_realm: No such realm "test.hu" modcall[authorize]: module "suffix" returns noop for request 4 users: Matched entry DEFAULT at line 160 modcall[authorize]: module "files" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 modcall: group authorize returns ok for request 4 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 4 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 4 modcall: group Auth-Type returns invalid for request 4 auth: Failed to validate the user. Login incorrect: [test@test.hu/<no User-Password attribute>] (from client localhost port 5060) Delaying request 4 for 1 seconds
so the ldap modul expect the "User-Password" attribute from radius client, but because of DIGEST authentication only get "DIGEST-ATTRIBUTES" from the SIP router,
Anyway, how to possible to authenticate the users with DIGEST authentication, if the RADIUS can not see cleartext passwords in LDAP ?. I'm not expert in password math and calculations, and also read the sterman draft to explain this to me.
So i suppose the following method: Radius get the RADIUS request.-->Convert the DIGEST-ATTRIBUTES to readable format.-->to calculate the DIGEST AUTH. values the RADIUS have to do LDAP lookup for the PASSWORD-> Calculate the DIGEST AUTH. value and comapare it with the recieved one, if match the user authenticated.
It's right ?
The radius authentication system works fine with DIGEST authentication, if I store the user/pass on local file system (in users file) and also works authenticate from LDAP without DIGEST auth (try with radtest).
Has anybody experience with this problem, DIGEST auth with LDAP ?
THX
Krisztián
Krisztián, It depends on the hash you store in LDAP. If the hash is MD5, you can use it directly in the digest algorithm. If its SSHA1 or something, you are basically stuck. Either store clear-text in LDAP, or forget about it. Of course, what you can do is to implement a conversion of SSHA when users are logging in. But this is only possible if you at one point actually has the clear-text password... g-)
---- Original Message ---- From: Gyebnár Krisztián To: serusers@lists.iptel.org Sent: Sunday, July 03, 2005 06:09 AM Subject: [Serusers] SER+RADIUS+LDAP with encrypted passwords
Dear all,
I'm new in SER and i have a serius problem about implementing the authentication system from LDAP;
SER<->freeRADIUS<->LDAP(user/pass(encrypted));
We have installed SER + Freeradius + LDAP system, the SER parts of configuration works fine.
if any SIP client coming into the SER the auth_radius modul forward the request correctly to the freeradius:
the problem is the following:
rad_recv: Access-Request packet from host 127.0.0.1:50272, id=36, length=197 User-Name = "test@test.hu" Digest-Attributes = 0x0a076779656269 Digest-Attributes = 0x010d667265656d61696c2e6875 Digest-Attributes = 0x022a34326337353933653330366534626363613836343837343332646635383363366139636364383038 Digest-Attributes = 0x04117369703a667265656d61696c2e6875 Digest-Attributes = 0x030a5245474953544552 Digest-Response = "204aea65f72efb70b809ed425bec099c" Service-Type = Sip-Session Sip-Uri-User = "test" NAS-IP-Address = 127.0.0.1 NAS-Port = 5060 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 4 rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "test" Digest-Realm = "test.hu" Digest-Nonce = "42c7593e306e4bcca86487432df583c6a9ccd808" Digest-URI = "sip:test.hu" Digest-Method = "REGISTER" rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 4 rlm_realm: Looking up realm "test.hu" for User-Name = test@test.hu rlm_realm: No such realm "test.hu" modcall[authorize]: module "suffix" returns noop for request 4 users: Matched entry DEFAULT at line 160 modcall[authorize]: module "files" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 modcall: group authorize returns ok for request 4 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 4 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 4 modcall: group Auth-Type returns invalid for request 4 auth: Failed to validate the user. Login incorrect: [test@test.hu/<no User-Password attribute>] (from client localhost port 5060) Delaying request 4 for 1 seconds
so the ldap modul expect the "User-Password" attribute from radius client, but because of DIGEST authentication only get "DIGEST-ATTRIBUTES" from the SIP router,
Anyway, how to possible to authenticate the users with DIGEST authentication, if the RADIUS can not see cleartext passwords in LDAP ?. I'm not expert in password math and calculations, and also read the sterman draft to explain this to me.
So i suppose the following method: Radius get the RADIUS request.-->Convert the DIGEST-ATTRIBUTES to readable format.-->to calculate the DIGEST AUTH. values the RADIUS have to do LDAP lookup for the PASSWORD-> Calculate the DIGEST AUTH. value and comapare it with the recieved one, if match the user authenticated.
It's right ?
The radius authentication system works fine with DIGEST authentication, if I store the user/pass on local file system (in users file) and also works authenticate from LDAP without DIGEST auth (try with radtest).
Has anybody experience with this problem, DIGEST auth with LDAP ?
THX
Krisztián
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
-
Greger V. Teigre -
Gyebnár Krisztián