freeradius with multiple ldap servers

Sambuddho Chakravarty sc2516 at columbia.edu
Sun Jul 6 01:31:50 CEST 2008


Interestingly, the bind as the root DN works with a password supplied in
clear text through the ldap {} module...

Thanks
Sambuddho
On Sat, 2008-07-05 at 18:03 -0400, Sambuddho Chakravarty wrote:
> Hello Ivan
>  Does that mean that I cannot authenticate against an LDAP server from a
> freeradius server using cleartext passwords? So the freeradius client
> needs to send the password in encrypted format. But other programs which
> use the LDAP server to authenticate (e.g. pam_ldap) take as input the
> cleartext password. Is there a solution to this? Maybe I am mistaken
> somewhere. Please let me know.
> Thanks
> Sambuddho
> On Fri, 2008-07-04 at 09:56 +0100, Ivan Kalik wrote:
> > > Problem still persists. What do you mean by the {crypt} header.
> > 
> > From RFC2256:
> > 
> > 5.36. userPassword
> > 
> >     ( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch
> >       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
> > 
> >    Passwords are stored using an Octet String syntax and are not
> >    encrypted.
> > 
> > Since you are intent on violating the RFC, you need to add a password header
> > to indicate what type of encryption is used.
> > 
> > >rlm_ldap: waiting for bind result ...
> > >rlm_ldap: Bind failed with invalid credentials
> > >++[ldap1] returns reject
> > >auth: Failed to validate the user.
> > 
> > Without the header userPassword is treated as clear text (not a crypted
> > value) and that doesn't match.
> > 
> > Ivan Kalik
> > Kalik Informatika ISP
> > 
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

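Ivan's point about the missing password header, shown as an added example that is not part of this thread or of FreeRADIUS: a small Python verifier that treats an LDAP userPassword value the way RFC 2307-style consumers do. A leading {SCHEME} selects the hash comparison; with no header the value is compared as literal cleartext (RFC 2256), so a hash stored without its header can never match the typed password. {crypt} is deliberately not implemented because it needs the system crypt(3); the sample values are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import os


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build an RFC 2307 style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_user_password(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against one LDAP userPassword value.

    No {SCHEME} header means the stored value IS the cleartext (RFC 2256),
    so it is compared byte for byte. {SHA}/{SSHA}/{MD5}/{SMD5} are decoded
    and compared in constant time. Unknown schemes (e.g. {crypt}, which
    needs crypt(3) and is left out here) are rejected rather than guessed.
    """
    pw = candidate.encode()
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode(), pw)
    scheme, _, payload = stored[1:].partition("}")
    try:
        raw = base64.b64decode(payload, validate=True)
    except (ValueError, binascii.Error):
        return False  # malformed payload: fail closed
    scheme = scheme.upper()
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "MD5":
        return hmac.compare_digest(raw, hashlib.md5(pw).digest())
    if scheme == "SSHA":  # 20-byte SHA-1 digest followed by the salt
        return hmac.compare_digest(raw[:20], hashlib.sha1(pw + raw[20:]).digest())
    if scheme == "SMD5":  # 16-byte MD5 digest followed by the salt
        return hmac.compare_digest(raw[:16], hashlib.md5(pw + raw[16:]).digest())
    return False


# Constructed samples: the password "secret" stored with and without a header.
STORED_SHA = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="        # base64(sha1("secret"))
STORED_SSHA = make_ssha("secret", salt=b"\x01\x02\x03\x04")
STORED_NO_HEADER = "5en6G6MezRroT3XKqkdPOmY/BfQ="       # same hash, header dropped

if __name__ == "__main__":
    for label, value in (("SHA", STORED_SHA), ("SSHA", STORED_SSHA),
                         ("no header", STORED_NO_HEADER)):
        print(f"{label:>10}: {verify_user_password(value, 'secret')}")
```

The bare-hash case reproduces the thread's "Bind failed with invalid credentials" situation: the same digest that matches under {SHA} is compared as cleartext once the header is missing and so rejects the correct password.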