Yubico Forum

All times are UTC + 1 hour




Posted: Fri Nov 27, 2009 5:54 am

Joined: Wed Jul 08, 2009 10:11 pm
Posts: 4
Hello,

We are trying to integrate yubikey with radius on linux + ActiveDirectory / LDAP on windows but none of the guides are getting us anywhere. (There isn't any real documentation.) Does anyone have more detailed documentation?


Posted: Fri Nov 27, 2009 4:12 pm
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Please refer to the following Wiki link which provides the overview and the configuration documents required for using the RADIUS_on_Premise solution:

http://wiki.yubico.com/wiki/index.php/A ... on_Premise

We hope this helps!


Posted: Sat Nov 28, 2009 5:15 pm

Joined: Wed Jul 08, 2009 10:11 pm
Posts: 4
Yeah

Followed that guide but I can't log in to YMS and some validator files are missing.

Do we have to get both the trunk + the RADIUS_on_Premise branch?


Posted: Mon Nov 30, 2009 3:49 am

Joined: Mon Nov 30, 2009 3:36 am
Posts: 4
I somehow (please don't ask) managed to accidentally flash my key which I used to authenticate on the forums, so I uploaded my new AES keys, but I can't access my username. Is there a way to get my username back?


Posted: Mon Nov 30, 2009 5:39 am

Joined: Mon Nov 30, 2009 3:36 am
Posts: 4
Ok, so I tried to use the VMWARE image to see if I was doing something wrong and I get badOTP's all the time..

So how do we base64 encode the values that we are asked by the installer?

do we have to use utils.php? the output of utils.php (the secrets etc.) when we decrypt them via base64 we get *Íå£ÈwΑ¡¿`«
7 r
aŸuñQŒ52rËTæ
|aAC


type of random data.


Posted: Mon Nov 30, 2009 7:22 am
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Yubico has developed a ModHex calculator which you can use to convert the AES key to base64 format. The ModHex calculator is available at the following link:

http://www.yubico.com/developers/modhex/

We hope this helps!
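
The ModHex-to-base64 conversion discussed in the two posts above, as an added example that is not part of the original posts and is not Yubico's code; doing it locally keeps a real AES key out of a web page. The sample key is constructed, the credential string is the one from the radtest output later in this thread, and the helper names and the 12-character public ID length are assumptions.

```python
import base64

# ModHex spells the hex digits 0-f with letters that keep their position on
# most keyboard layouts; the YubiKey "types" its output in this alphabet.
HEX, MODHEX = "0123456789abcdef", "cbdefghijklnrtuv"
TO_HEX = str.maketrans(MODHEX, HEX)
TO_MODHEX = str.maketrans(HEX, MODHEX)

def modhex_to_bytes(text):
    """Decode a ModHex string into raw bytes, rejecting foreign characters."""
    text = text.strip().lower()
    if len(text) % 2 or set(text) - set(MODHEX):
        raise ValueError("not a valid ModHex string")
    return bytes.fromhex(text.translate(TO_HEX))

def bytes_to_modhex(raw):
    return raw.hex().translate(TO_MODHEX)

def modhex_to_base64(text):
    """ModHex in, base64 out (same bytes, different text encoding)."""
    return base64.b64encode(modhex_to_bytes(text)).decode("ascii")

def describe_base64(value):
    """Decode base64 and show the bytes as hex/ModHex instead of raw text.

    Printing the decoded bytes directly gives unreadable characters, because
    a key or secret is binary data, not text.
    """
    raw = base64.b64decode(value, validate=True)
    return {"bytes": len(raw), "hex": raw.hex(), "modhex": bytes_to_modhex(raw)}

def split_credential(field, id_len=12):
    """Split 'password + OTP' into (password, public id, encrypted block).

    The last 32 ModHex characters are the 16-byte AES-encrypted block;
    id_len=12 is an assumed public ID length.
    """
    otp_len = id_len + 32
    if len(field) < otp_len:
        raise ValueError("too short to contain an OTP")
    otp = field[-otp_len:].lower()
    modhex_to_bytes(otp)  # raises if the OTP part is not ModHex
    return field[:-otp_len], otp[:id_len], otp[id_len:]

if __name__ == "__main__":
    sample_key = "cccbcdcecfcgchcicjckclcncrctcucv"  # constructed: bytes 00..0f
    print(modhex_to_base64(sample_key))
    print(describe_base64("AAECAwQFBgcICQoLDA0ODw=="))
    print(split_credential("test123vrkvfefuitvflvgufcdlbjufkggukufkebeildbdkkjc"))
```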


Posted: Mon Dec 07, 2009 1:13 pm

Joined: Mon Nov 30, 2009 3:36 am
Posts: 4
Ouch

I was unable to set up even the VMWARE image... It must be outdated!!


Posted: Tue Dec 08, 2009 10:36 am
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We would appreciate it if you could let us know the exact issues you are facing while installing the VMWare image so that we can try to debug it and suggest a possible solution.


Posted: Fri Dec 11, 2009 1:32 pm

Joined: Mon Nov 30, 2009 3:36 am
Posts: 4
How about I post step by step what I have done when I was following the guide and maybe you can see where the issue is.

I decided to give it a clean start on the following system below;

Systems used;
Server 1 Linux yubikey authentication stuff / radius running; Linux yubi.domain.com 2.6.18-164.6.1.el5 #1 SMP Tue Nov 3 16:12:36 EST 2009 x86_64 x86_64 x86_64 GNU/Linux

Server 2; Windows 2008 Enterprise ActiveDirectory/LDAP (mail.domain.com)

---------

Server 1;
svn checkout http://yubico-pam.googlecode.com/svn/br ... n_Premise/
autoreconf --install

At this point we should need yubico-c-client on our system so we go to http://yubico-c-client.googlecode.com/s ... n_Premise/ and check it out

make -f simple.mk check (now here I get an error)

------------------------------------------------------
[root@yubi yubico-c-client]# make -f simple.mk check
cc -I. -Wall -g -DPACKAGE=\"yubikey-client\" -DPACKAGE_VERSION=\"0\" -c -o libykclient.o libykclient.c
libykclient.c: In function ‘yubikey_client_simple_request’:
libykclient.c:122: warning: passing argument 3 of ‘yubikey_client_request’ discards qualifiers from pointer target type
libykclient.c: In function ‘yubikey_client_request’:
libykclient.c:251: warning: implicit declaration of function ‘asprintf’
libykclient.c:274: warning: format ‘%d’ expects type ‘int’, but argument 2 has type ‘size_t’
libykclient.c:274: warning: field precision should have type ‘int’, but argument 3 has type ‘size_t’
libykclient.c:288: warning: format ‘%d’ expects type ‘int’, but argument 2 has type ‘size_t’
cc -I. -Wall -g -DPACKAGE=\"yubikey-client\" -DPACKAGE_VERSION=\"0\" -lcurl ykclient.c libykclient.o -o ykclient
cc -I. -Wall -g -DPACKAGE=\"yubikey-client\" -DPACKAGE_VERSION=\"0\" -lcurl selftest.c libykclient.o -o selftest
selftest.c: In function ‘main’:
selftest.c:46: error: too few arguments to function ‘yubikey_client_request’
selftest.c:54: error: too few arguments to function ‘yubikey_client_request’
make: *** [selftest] Error 1


---------------

However that error is with the selftest binary not with the ykclient binary. So I assume we can ignore it? because running ./ykclient gives valid output.

[root@yubi yubico-c-client]# ./ykclient
Usage: ./ykclient <client_id> <yubikey_output>
CLIENT_ID: your client id integer
YUBIKEY_OUTPUT: One-time password generated by yubikey

so now the binary is installed, we continue with yubico-pam installation by ./configure && make check install

now added line auth required pam_yubico.so id=1 debug userauth to /etc/pam.d/radiusd (Don't know why id=1)

moved file mv /usr/local/lib/security/pam_yubico.so /lib/security/


----------

update time


[root@yubi RADIUS_on_Premise]# /etc/rc.d/init.d/ntpd stop
Shutting down ntpd: [ OK ]
[root@yubi RADIUS_on_Premise]# ntpdate -u mail.domain.com
11 Dec 07:50:57 ntpdate[3646]: step time server 188.72.203.12 offset 111.215262 sec
[root@yubi RADIUS_on_Premise]# /etc/rc.d/init.d/ntpd start
Starting ntpd: [ OK ]


-------

configured the files

------

[root@noc RADIUS_on_Premise]# radtest test test123vrkvfefuitvflvgufcdlbjufkggukufkebeildbdkkjc 127.0.0.1 0 testing123
Sending Access-Request of id 114 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test123vrkvfefuitvflvgufcdlbjufkggukufkebeildbdkkjc"
NAS-IP-Address = 208.69.34.132
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=114, length=53
Reply-Message = "Your account has been disabled."

---

Now let's continue with the OTP parts.

--- SVN CHECKOUT
yms
yubico-php-lib
yubikey-val-server-php
yubiphpbase

so I assume we need to setup phpbase.

$aesKey = $aes->makeKey('bklftrkvbvg.....fbedtjerrbbcgkuk') change that with some random characters I believe? in yubico-php-lib/AES128.php

now setup_schema.sql is setup as yubico database.
Now editing config.php (I believe where the problem is)

However it is 6 AM so I will update this later, and if I get it to work this time, I will write a detailed guide. (If the problem is what I think it is, it's a simple mistake.)

--- Now here is the main bug that causes issues...

* Connected to DB successfully
Insert root client
Invalid query -- INSERT INTO clients VALUES (1,1,1,NOW(),'bora@domain.com','secrethere','Root client',0,0,1,0,0) -- Column count doesn't match value count at row 1
[root@yubi yubiphpbase]#


mysql> describe clients;
+-----------+--------------+------+-----+---------------------+----------------+
| Field     | Type         | Null | Key | Default             | Extra          |
+-----------+--------------+------+-----+---------------------+----------------+
| id        | int(11)      | NO   | PRI | NULL                | auto_increment |
| perm_id   | int(11)      | YES  | MUL | NULL                |                |
| active    | tinyint(1)   | YES  |     | NULL                |                |
| created   | datetime     | NO   |     | 0000-00-00 00:00:00 |                |
| email     | varchar(255) | NO   | UNI |                     |                |
| secret    | varchar(60)  | NO   |     |                     |                |
| notes     | varchar(100) | YES  |     | NULL                |                |
| chk_sig   | tinyint(1)   | NO   |     | 0                   |                |
| chk_owner | tinyint(1)   | NO   |     | 0                   |                |
+-----------+--------------+------+-----+---------------------+----------------+
9 rows in set (0.00 sec)

id = 1
perm_id = 1
active = 1
created = NOW() (so the date)
email = bora@domain.com
secret = secrethere
notes = root client
chk_sig = 0
chk_owner = 0

(1x 1, and 2 x 0 is too much in the query!!!) the right query should be

INSERT INTO clients VALUES (1,1,1,NOW(),'bora@domain.com','secrethere','Root client',0,0)
and not
INSERT INTO clients VALUES (1,1,1,NOW(),'bora@domain.com','secrethere','Root client',0,0,1,0,0)

manually entering the right query to see if it changes anything...

Once you edit install.php to the right query you can get past the yms page via the otp, then you enter your pin but this time you receive the following error.

Notice: Undefined variable: _SESSION in /var/www/yubico/yms/yubi_askpin.php on line 72
Invalid query -- SELECT id, pin FROM admin WHERE keyid= -- You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1


adding the following line
session_start();
after
<?php require_once '../yubico-php-lib/AES128.php'; in /var/www/yubiphpbase/appinclude.php solved the issue; now I can log in to the user management interface at yms

So this was a success.

Do you want me to send you the changed files so you can fix them and add them to SVN???

-------------------

Clicking users page;

Notice: Undefined variable: findkey in /var/www/yubico/yms/list_users.php on line 111

Notice: Undefined variable: attrName in /var/www/yubico/yms/list_users.php on line 126

Notice: Undefined variable: attrVal in /var/www/yubico/yms/list_users.php on line 126
Invalid query -- SELECT COUNT(*) AS C FROM users WHERE user_status=1 -- Table 'yubico.users' doesn't exist

(Will investigate this now or later) and post back.


GOT STUCK here!! Can't find the schema for the users table...

Also how do we enter the username in the AD?
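
A reproduction of the two query failures described in the post above, next to forms that avoid them; this is an added example, not code from the post, yubiphpbase or YMS. It uses SQLite in place of MySQL so it runs offline, and the admin table's column types, the fixed timestamp and the helper names are assumptions.

```python
import sqlite3

# Constructed SQLite stand-in for the MySQL tables in the post. `clients`
# mirrors the `describe clients` output; `admin` column types are assumed.
SCHEMA = """
CREATE TABLE clients (
  id INTEGER PRIMARY KEY AUTOINCREMENT, perm_id INTEGER, active INTEGER,
  created TEXT NOT NULL, email TEXT NOT NULL UNIQUE, secret TEXT NOT NULL,
  notes TEXT, chk_sig INTEGER NOT NULL DEFAULT 0,
  chk_owner INTEGER NOT NULL DEFAULT 0);
CREATE TABLE admin (id INTEGER PRIMARY KEY, keyid INTEGER, pin TEXT);
"""
ROOT = ("bora@domain.com", "secrethere", "Root client")  # values from the post

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def run(db, sql, params=()):
    """Execute a statement; return its rows, or the engine's error text."""
    try:
        return db.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"

def positional_insert(db, extra_flags):
    """No column list: the value count must equal the table's column count."""
    values = (1, 1, 1, "2009-12-11 06:00:00") + ROOT + (0, 0) + extra_flags
    marks = ",".join("?" * len(values))
    return run(db, f"INSERT INTO clients VALUES ({marks})", values)

def named_insert(db):
    """Column list: id and the chk_* flags take their schema defaults."""
    return run(db, "INSERT INTO clients (perm_id, active, created, email,"
                   " secret, notes) VALUES (1, 1, datetime('now'), ?, ?, ?)", ROOT)

def lookup_concat(db, keyid):
    """String-built query: an unset value leaves a bare 'WHERE keyid='."""
    return run(db, f"SELECT id, pin FROM admin WHERE keyid={keyid}")

def lookup_bound(db, keyid):
    """Bound parameter: None becomes NULL and simply matches no row."""
    return run(db, "SELECT id, pin FROM admin WHERE keyid = ?", (keyid,))

if __name__ == "__main__":
    db = open_db()
    print(positional_insert(db, (1, 0, 0)))  # 12 values against 9 columns
    print(named_insert(db))
    print(lookup_concat(db, ""), lookup_bound(db, None))
```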

