checkitem problem

Alan DeKok aland at deployingradius.com
Sat Sep 1 13:46:27 CEST 2007


Norbert Wegener wrote:
>>   Yes... because you are telling the server what the clear-text password
>> is supposed to be.  If you tell the server TWICE, it will say OK twice.
>>   
> Telling it twice in a check item?

  Yes.  You told the server what the "known good" password was.

> Please correct me, but my understanding of check items has been, that
> they have to be in the access request to match an entry.

  No.  Read "man users", or the comments at the top of the "users" file.

  The check items hold BOTH the comparison against the original
password, AND the instructions for how the server should behave.  This
is BROKEN, because it confuses people.

  2.0 has a more complex configuration.  But it's a LOT easier to
understand why it works.

> The clear-text password is not in the original request. It is added
> during the processing of that request via ldap.

  Yes.  So?

> Depending on that value an entry of the users file should match.

  No.  Read "man users".

  Cleartext-Password is a configuration attribute.  It is NOT an
attribute that goes into a packet.

  In 2.0.0-pre2, see "man unlang".

  Alan DeKok.
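
The two roles of check items described in the reply above, shown as a "users" file entry. This is an added example, not part of the original post; the user name, NAS address and password are constructed, and the operator behaviour noted in the comments is the one documented in "man users".

```text
# Constructed "users" entry. The first line holds the check items,
# the indented line holds a reply item.
#
#   NAS-IP-Address == 192.0.2.10
#       Comparison: matches only if the Access-Request carries
#       NAS-IP-Address with this value.
#
#   Cleartext-Password := "constructed-secret"
#       Configuration: ":=" always matches as a check item and sets the
#       "known good" password in the configuration items. It is never
#       looked for in the packet, and it does not test a value that an
#       earlier module (for example ldap) supplied; it replaces it.
#
bob     NAS-IP-Address == 192.0.2.10, Cleartext-Password := "constructed-secret"
        Reply-Message = "Hello, bob"
```

The password the user typed is checked later, by the authentication step, against whatever Cleartext-Password is in the configuration items at that point, so an entry like this one decides what "known good" means rather than testing it.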


