Authentication from LDAP with Freeradius fails

I want to set up Freeradius so that it can authenticate against an LDAP database.

Freeradius connects correctly and finds the user in the LDAP directory:

2024-01-14T22:00:25.233318433Z (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
2024-01-14T22:00:25.233326325Z (1) ldap:    --> (uid=user)
2024-01-14T22:00:25.233334383Z (1) ldap: Performing search in "cn=users,ou=admin,dc=example,dc=hu" with filter "(uid=user)", scope "sub"
2024-01-14T22:00:25.233343360Z (1) ldap: Waiting for search result...
2024-01-14T22:00:25.236617309Z (1) ldap: User object found at DN "cn=user,cn=users,ou=admin,dc=example,dc=hu"

The client wants to authenticate with mschapv2, as can be seen from the request:

2024-01-14T22:00:25.232979025Z (1) Received Access-Request Id 31 from 172.16.8.14:59643 to 192.168.1.3:1812 length 150
2024-01-14T22:00:25.233058826Z (1)   Service-Type = Login-User
2024-01-14T22:00:25.233068484Z (1)   User-Name = "user"
2024-01-14T22:00:25.233076197Z (1)   MS-CHAP-Challenge = 0xfc1cd4cb18f3a72ebec9ae33bc3541b3
2024-01-14T22:00:25.233082264Z (1)   MS-CHAP2-Response = 0x00009a0da1c7787c2ba24c803731a9e5c0660000000000000000e202f180eb23202f5bf10113c00d336aded55e09ed3c49e2
2024-01-14T22:00:25.233088052Z (1)   Calling-Station-Id = "172.16.15.1"
2024-01-14T22:00:25.233093469Z (1)   NAS-Identifier = "router"
2024-01-14T22:00:25.233098457Z (1)   NAS-IP-Address = 172.16.8.14

However, authentication still fails:

2024-01-14T22:00:25.236764101Z (1) Found Auth-Type = mschap
2024-01-14T22:00:25.236770396Z (1) Auth-Type sub-section not found.  Ignoring.
2024-01-14T22:00:25.236775403Z (1) # Executing group from file /etc/freeradius/sites-enabled/default
2024-01-14T22:00:25.236780691Z (1) Failed to authenticate the user
2024-01-14T22:00:25.236793956Z (1) Using Post-Auth-Type Reject
2024-01-14T22:00:25.236800568Z (1) # Executing group from file /etc/freeradius/sites-enabled/default
2024-01-14T22:00:25.236809280Z (1)   Post-Auth-Type REJECT {

I don't understand why. I am using the default freeradius site configuration; only the ldap mod was added, with the connection details.

P.S.: Authenticating with the radtest utility works, so only authentication with mschap does not. The tested user's password is also stored in LDAP as cleartext and md5.

Answer 1

It works as expected from my question, but my configuration was missing the update section that sets the password attribute:

        update {
                control:NT-Password := sambaNTPassword
        }

Or you can use control:Cleartext-Password to set the cleartext password.
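As an added illustration (not part of the question or the answer), the Go program below implements the MS-CHAPv2 NT-Response computation from RFC 2759 that the mschap module has to perform: the server must hold the NT hash (control:NT-Password, here fed from sambaNTPassword) or the cleartext password to recompute the response, which is why an md5-hashed userPassword alone cannot satisfy this request. The input values are the RFC 2759 section 9.2 test vector, not data from the log above.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// challengeHash (RFC 2759): first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}
// desKey spreads a 7-byte key over 8 bytes: 7 key bits per byte, low (parity) bit clear.
func desKey(k7 []byte) []byte {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	k := make([]byte, 8)
	for i := range k {
		k[i] = byte(v>>(49-7*uint(i))) << 1
	}
	return k
}
// ntResponse (RFC 2759 ChallengeResponse): zero-pad the NT hash to 21 bytes, split into three 7-byte DES keys, encrypt the 8-byte challenge hash with each.
func ntResponse(ntHash, challenge []byte) []byte {
	padded := append(append([]byte{}, ntHash...), make([]byte, 5)...)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		c, _ := des.NewCipher(desKey(padded[i*7 : i*7+7])) // key is always 8 bytes, so NewCipher cannot fail
		c.Encrypt(resp[i*8:], challenge)
	}
	return resp
}
// verifyMSCHAPv2 is the server side: recompute the NT-Response from the stored NT hash (what FreeRADIUS loads into control:NT-Password) and compare in constant time.
func verifyMSCHAPv2(ntHash, auth, peer, clientResp []byte, user string) bool {
	return subtle.ConstantTimeCompare(ntResponse(ntHash, challengeHash(peer, auth, user)), clientResp) == 1
}

func main() {
	// RFC 2759 section 9.2 test vector (user "User", password "clientPass"); not values from this page's log.
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	ntHash, _ := hex.DecodeString("44EBBA8D5312B8D611474411F56989AE")
	resp := ntResponse(ntHash, challengeHash(peer, auth, "User"))
	fmt.Printf("NT-Response %X verifies=%v\n", resp, verifyMSCHAPv2(ntHash, auth, peer, resp, "User"))
}
```

The same computation cannot start from an md5 or SSHA userPassword value, so for MS-CHAPv2 the ldap module must map either sambaNTPassword to NT-Password or a cleartext attribute to Cleartext-Password.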
