Topic: Radius - Where is my error

christian

  • Guest
Re: Radius - Where is my error
« Reply #30 on: January 10, 2013, 02:41:05 pm »
However, it is (was) surprising that you can't access cn=config.

Clearer now: your credential is either wrong or not accepted.

With Zentyal 3.0, the DN to be used (the -D parameter of the ldapsearch command) looks like:
cn=zentyal,dc=yourdomain,dc=com (or dc=local, or whatever you named it)

half_life

  • Bug Hunter
  • Zen Hero
  • Posts: 867
  • Karma: +59/-0
Re: Radius - Where is my error
« Reply #31 on: January 10, 2013, 02:55:39 pm »
But christian, the same password works when viewing the root DN, so it is not the password portion of the credentials. It therefore must be the supplied LDAP database string (I am not sure of the nomenclature here). I personally am satisfied that there is an error in the way radius is being handled in 3.0. I have a high confidence that it is authentication, not authorization, related, based on watching the requests be processed by radius. My reading gives me indications that how the password is hashed matters depending on which authentication mechanism you use. I think it is high time a developer steps in and either says "you are full of it and here's why" or "oops, we will address that". As I said earlier in the thread, I could create a dummy user and manually change their password hash in LDAP to prove my point.

thorsten

  • Guest
Re: Radius - Where is my error
« Reply #32 on: January 10, 2013, 08:59:36 pm »
Half_Life,

Sorry for being insistent, but would you mind installing the proxy service or Zarafa SSO on the system where you are in trouble with radius? Please countercheck whether both work when the client is within the corresponding domain.

THX
Thorsten

Sam Graf

  • Guest
Re: Radius - Where is my error
« Reply #33 on: January 10, 2013, 09:16:49 pm »
Proxy SSO has been discussed at length as problematic, though it seems that the developers were able to get it to work. For example, see this rather lengthy discussion:

http://forum.zentyal.org/index.php/topic,12010.0.html

Since I don't use Zarafa, I don't know if there is a common issue with proxy SSO or not.

thorsten

  • Guest
Re: Radius - Where is my error
« Reply #34 on: January 10, 2013, 11:11:03 pm »
Hi Sam,

Thanks, but I think that those two problems are linked together somehow - this is just instinct, and not related to any knowledge or facts.

Also there was no solution in that thread  :o

THX
Thorsten

Sam Graf

  • Guest
Re: Radius - Where is my error
« Reply #35 on: January 11, 2013, 02:36:15 am »
Also there was no solution in that thread  :o

Right, although the developers said they could eventually confirm it to be working. I didn't get it working and put the effort off for another time. In my case the test client machine wasn't fetching time sync from Zentyal, so I can't say I exhausted all the possibilities. I just had to move on to other things. :(

thorsten

  • Guest
Re: Radius - Where is my error
« Reply #36 on: January 11, 2013, 08:37:49 pm »
Hi Sam,

do you have any contact with the developers? I hope it helps if they see that someone else has the same problem. I sometimes fear that lots of problems are related to 64-bit while 32-bit is more reliable. Also, if I change to standard hardware, some problems I have on my server hardware do not even appear. But this is really strange, as my server software runs on "real" server hardware; at least on this specially dedicated hardware I expect an error-free installation, but it is not.

Best regards
Thorsten

Sam Graf

  • Guest
Re: Radius - Where is my error
« Reply #37 on: January 12, 2013, 01:10:36 am »
Hi Thorsten,

I don't have contact with the developers outside the usual channels--here, the bug tracker, IRC. But I think the developers are aware that problems exist and I think it's correct to say that they've been working on it. My sense is that integrating Samba 4 into Zentyal has created problems that are non-trivial to solve, at least within the 3.0 architecture.

Since I don't have any spare 64-bit server hardware all my 3.0 testing has been on a spare 32-bit server. In the early days I even ran eBox on standard PC desktop hardware in production, and later Zentyal on both 32-bit and 64-bit server hardware from a variety of vendors (whitebox, Dell, Cisco). I say all that just to say that I've never encountered anything like you describe despite running eBox and Zentyal on those different types of hardware. For me the software generally seems hardware agnostic. Maybe it's the relatively simple setups I've deployed that spared me difficulties.

christian

  • Guest
Re: Radius - Where is my error
« Reply #38 on: January 12, 2013, 01:17:44 am »
Sam,

+1
I've also installed Zentyal on both 32- and 64-bit platforms and never faced any difference. I do understand that some glitches may occur, but very few due to architecture. The main current issue is around Samba 4 integration for sure. This one is a technical one. Once solved, the Zentyal team will face another one, which is to decide where they want to go and what the right design for this is.
Do they want to target the Microsoft SMB landscape and therefore rely on the Samba 4 strategy, thus drop their own LDAP server and follow the Samba 4 roadmap, or do they target something else, better integrated with medium to large businesses, also meaning the capability to interact with other (external) repositories?

For the time being, I'm fine with 2.2   ;)

half_life

  • Bug Hunter
  • Zen Hero
  • Posts: 867
  • Karma: +59/-0
Re: Radius - Where is my error
« Reply #39 on: January 12, 2013, 02:42:59 am »
For me,  the radius issue will stop me from rolling 3.0 into production.  Everything that I use has worked.  Next week I have a deadline to meet for a coding project so I won't be doing any science projects at work. The home system is currently on 3.0 with radius frankensteined to use the 2.2 ldap server.  Small scale I can afford to maintain 2 password databases.  I don't want to do this in a larger environment.

@thorsten -  I will get to this but understand I don't use those features normally at home so there is no "apples to apples" comparison.

half_life

  • Bug Hunter
  • Zen Hero
  • Posts: 867
  • Karma: +59/-0
Re: Radius - Where is my error
« Reply #40 on: February 08, 2013, 05:54:08 am »
Christian,  are you ready to pick up the lesson now that the lowly student has found his error  :D?  A lack of understanding of ApacheStudio configuration and probably a typo when we went to the command line led me astray.  I can get into the cn=config directory now.

christian

  • Guest
Re: Radius - Where is my error
« Reply #41 on: February 08, 2013, 06:26:38 am »
So, you can read and modify cn=config. Very good, because this is (one of) the ways to modify the loglevel and investigate this Radius/LDAP potential error.

half_life

  • Bug Hunter
  • Zen Hero
  • Posts: 867
  • Karma: +59/-0
Re: Radius - Where is my error
« Reply #42 on: February 09, 2013, 04:28:09 am »
This is a good authentication:

Code:
Feb  8 22:08:43 zentyal3 slapd[5856]: conn=91460 op=48 SRCH base="" scope=0 deref=2 filter="(cn=*)"
Feb  8 22:08:43 zentyal3 slapd[5856]: conn=91460 op=48 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb  8 22:08:43 zentyal3 slapd[5856]: conn=91460 op=49 SRCH base="dc=rapheal,dc=no-ip,dc=com" scope=2 deref=2 filter="(objectClass=posixAccount)"
Feb  8 22:08:43 zentyal3 slapd[5856]: conn=91460 op=49 SEARCH RESULT tag=101 err=0 nentries=11 text=
Feb  8 22:08:43 zentyal3 slapd[5856]: conn=91460 op=50 SRCH base="" scope=0 deref=2 filter="(cn=*)"
Feb  8 22:08:43 zentyal3 slapd[5856]: conn=91460 op=50 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb  8 22:08:43 zentyal3 slapd[5856]: conn=91460 op=51 SRCH base="dc=rapheal,dc=no-ip,dc=com" scope=2 deref=2 filter="(objectClass=zentyalGroup)"
Feb  8 22:08:43 zentyal3 slapd[5856]: conn=91460 op=51 SEARCH RESULT tag=101 err=0 nentries=7 text=

This is a bad one:
Code:
1:41:22 zentyal3 slapd[5856]: conn=91371 op=14 SRCH base="cn=Wireless,ou=Groups,dc=rapheal,dc=no-ip,dc=com" scope=0 deref=0 filter="(cn=wireless)"
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=14 SRCH attr=dn
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=14 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=15 SRCH base="dc=rapheal,dc=no-ip,dc=com" scope=2 deref=0 filter="(uid=dhoff)"
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=15 SRCH attr=radiusNASIpAddress radiusExpiration acctFlags userPassword dBCSPwd sambaNtPassword sambaLmPassword ntPassword lmPassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse radiusAuthType radiusCheckItem radiusTunnelPrivateGroupId radiusTunnelMediumType radiusTunnelType radiusReplyMessage radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem sasdefaultloginsequence
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=15 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=16 SRCH base="dc=rapheal,dc=no-ip,dc=com" scope=2 deref=0 filter="(uid=dhoff)"
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=16 SRCH attr=dn
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=16 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=17 SRCH base="dc=rapheal,dc=no-ip,dc=com" scope=2 deref=0 filter="(&(cn=wireless)(&(objectClass=posixGroup)(?member=dhoff)))"
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=17 SRCH attr=dn
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=17 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=18 SRCH base="uid=dhoff,ou=Users,dc=rapheal,dc=no-ip,dc=com" scope=0 deref=0 filter="(objectClass=*)"
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=18 SRCH attr=memberOf
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=18 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=19 SRCH base="cn=Wireless,ou=Groups,dc=rapheal,dc=no-ip,dc=com" scope=0 deref=0 filter="(cn=wireless)"
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=19 SRCH attr=dn
Feb  8 21:41:22 zentyal3 slapd[5856]: conn=91371 op=19 SEARCH RESULT tag=101 err=0 nentries=1 text=

Oh guru of the ldap what say you?

christian

  • Guest
Re: Radius - Where is my error
« Reply #43 on: February 09, 2013, 10:47:49 am »
Real gurus stay quiet and silent  :P
Joke aside, these log extracts tell us very little.
Let me translate them, having in mind that both are only extracts, thus you have a truncated view  ;) although my post will be a long one

the "good" authentication:
- step 48: to me a very strange one  :o  client searches RootDSE (because base="") for entry matching (cn=*)
   none is found but this is expected because there is no such entry in RootDSE. We can elaborate on this later.
- step 49: search for all entries in dc=rapheal.... being "posixaccount". 11 are found
- step 50: again this strange RootDSE search  ::)
- step 51: search for entries being "zentyalgroup": 7 are found

That's it...  is it enough to correlate with "good authentication" ?  I don't think so, let's see the "wrong authentication"  ;)

- step 14: search for cn=wireless within cn=wireless,ou=groups,dc=rapheal... and retrieve "dn".
   to me this is another very strange sequence: as rdn IS cn=wireless, result of such search MUST return entry used as search base, therefore this is, to me again, totally useless. Anyway...
- step 15: standard search command  ;) (all entries matching "uid=dhoff"). Expected result is "1" and indeed there is one and only one found  ;D so far so good, but here again I would like to spend hours discussing what is retrieved once the entry is found. Retrieving radius-related attributes is perfectly fine. Retrieving password-related attributes is not acceptable. If such a password can be retrieved using an LDAP command (meaning read) then you are exposed to a brute force attack. Look at this search. It retrieves "userpassword" (std LDAP password), dbcspwd (account's LAN manager pwd), "sambaNtPassword", "sambaLmPassword", "ntPassword", "lmPassword". I really wonder why  ???
- step 16: same as step 15, retrieving only DN, goal being to point to this (found) entry.
- step 17: I've to admit that I don't understand this search syntax   :-[  Reason is that I don't know about the "?" logical operator in this search filter:
filter="(&(cn=wireless)(&(objectClass=posixGroup)(?member=dhoff)))"
it looks like searching for posixgroup entries (here thus "group") called wireless (cn=wireless) and having dhoff as member but (?member=...)  as far as I know, is not described in any LDAP related RFC.  Something specific to OpenLDAP ? I doubt...

anyway, as expected, no such entry is found  :)

- step 18: search uid=dhoff entry in order to retrieve groups this entry is member of. no special comment here
- step 19: 100% similar to step 14. To me, meaningless

is it enough to state that authentication fails ? For sure no but this shows some "interesting" (somehow) behaviour.

Does it help ? I doubt  :-[

I would like Zentyal team to comment on the "?" within the search filter however  ;)
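The two points raised above (the search that asks for userPassword / sambaNtPassword / lmPassword etc., and the "(?member=...)" item that is not LDAP filter syntax) can be checked mechanically over a slapd stats-level log like the extracts in Reply #42. The script below is an added example written for this thread, not code from the forum, from Zentyal or from FreeRADIUS. It groups the SRCH, SRCH attr and SEARCH RESULT lines by (conn, op) and reports searches that request password attributes, filter items whose first character is not one of the RFC 4515 forms, and RootDSE searches with a plain filter. The sample log lines, hostname, domain (dc=example,dc=com) and user (jdoe) are constructed for the example; the list of password attributes is taken from the step 15 search quoted above.

```python
"""Triage helper for OpenLDAP slapd 'stats' log lines of the kind quoted in
Reply #42. Groups SRCH / SRCH attr / SEARCH RESULT lines by (conn, op) and
flags three things discussed in Reply #43: searches that request password
attributes, filter items that are not valid LDAP filter syntax (the
"(?member=" case), and RootDSE searches with a plain filter.
Added example, not code from the thread or from Zentyal/FreeRADIUS."""
import re
from collections import defaultdict

# Attributes that carry password material (names from the step 15 search).
# A bind identity that can read these hands the hashes to anyone who holds
# that identity's credentials, which is the exposure Reply #43 describes.
PASSWORD_ATTRS = {
    "userpassword", "dbcspwd", "sambantpassword", "sambalmpassword",
    "ntpassword", "lmpassword",
}

SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) deref=(?P<deref>\d) filter="(?P<filter>.*)"\s*$'
)
ATTR_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH attr=(?P<attrs>.*)$')
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT tag=\d+ '
    r'err=(?P<err>\d+) nentries=(?P<n>\d+)'
)
# RFC 4515: every "(" opens either &, |, ! or an attribute description
# (a letter, or a digit for an OID). Anything else, e.g. "(?member=",
# is not a standard filter item.
BAD_ITEM_RE = re.compile(r'\((?![&|!A-Za-z0-9])')


def parse_slapd_log(lines):
    """Return {(conn, op): {base, scope, filter, attrs, err, nentries}}."""
    ops = defaultdict(dict)
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            ops[key].update(base=m["base"], scope=int(m["scope"]), filter=m["filter"])
            continue
        m = ATTR_RE.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            ops[key]["attrs"] = m["attrs"].split()
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            ops[key].update(err=int(m["err"]), nentries=int(m["n"]))
    return dict(ops)


def audit(ops):
    """Return a list of (conn, op, message) findings, ordered by conn and op."""
    findings = []
    for conn, op in sorted(ops):
        rec = ops[(conn, op)]
        flt = rec.get("filter", "")
        leaked = sorted(a for a in rec.get("attrs", []) if a.lower() in PASSWORD_ATTRS)
        if leaked:
            findings.append((conn, op, "password attributes requested: " + " ".join(leaked)))
        if BAD_ITEM_RE.search(flt):
            findings.append((conn, op, "non-standard filter item in " + flt))
        if rec.get("base") == "" and rec.get("scope") == 0:
            findings.append((conn, op, "RootDSE search with filter " + flt))
    return findings


# Constructed sample modelled on the thread's extracts; host, domain, user
# and conn/op numbers are made up and not copied from the forum post.
SAMPLE_LOG = """\
Feb  8 21:41:22 ldap1 slapd[5856]: conn=7 op=1 SRCH base="" scope=0 deref=2 filter="(cn=*)"
Feb  8 21:41:22 ldap1 slapd[5856]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb  8 21:41:22 ldap1 slapd[5856]: conn=7 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
Feb  8 21:41:22 ldap1 slapd[5856]: conn=7 op=2 SRCH attr=radiusAuthType userPassword sambaNtPassword sambaLmPassword
Feb  8 21:41:22 ldap1 slapd[5856]: conn=7 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  8 21:41:22 ldap1 slapd[5856]: conn=7 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(cn=wireless)(&(objectClass=posixGroup)(?member=jdoe)))"
Feb  8 21:41:22 ldap1 slapd[5856]: conn=7 op=3 SRCH attr=dn
Feb  8 21:41:22 ldap1 slapd[5856]: conn=7 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
""".splitlines()

if __name__ == "__main__":
    # Typical use: audit(parse_slapd_log(open("/var/log/syslog"))) after
    # grepping for slapd, as half_life did with "grep slapd syslog".
    for conn, op, msg in audit(parse_slapd_log(SAMPLE_LOG)):
        print(f"conn={conn} op={op}: {msg}")
```

Run against the full grep output rather than an extract, and a finding on "password attributes requested" is the one to act on first: whether or not it explains the failed bind, it means the identity radius binds with can read every hash in the directory, which is worth restricting with an ACL regardless of the authentication bug.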

half_life

  • Bug Hunter
  • Zen Hero
  • Posts: 867
  • Karma: +59/-0
Re: Radius - Where is my error
« Reply #44 on: February 09, 2013, 06:52:41 pm »
I could make the whole record available if you really want it.  I have a stripped out copy   (grep slapd syslog >test.res) but it is quite large. 

The ? operand that you spend time talking about is in the authorization segment as best I can tell (wireless group)  and I had already observed that authorization was working via Radius.  It was authentication that was failing.