yet ANOTHER EAP-TTLS/PAP with OpenLDAP problem ...

Sylvain Robitaille syl at alcor.concordia.ca
Sun Mar 30 05:23:31 CEST 2008


On Sat, 29 Mar 2008, Arran Cudbard-Bell wrote:

>> If there's a {ssha} header on the password, then the PAP module should
>> figure it out.
>
> But it doesn't appear to be... you have got the autoheader option set
> in the PAP module?
>
>        pap {
>                auto_header = yes
>        }

Yes, that's configured.

> *nothing* will work until you get the hash into the correct attribute
> with the header stripped off.

Right.  As already noted, radtest against a user entry in our LDAP data
*does* work.  I just need to get this working inside the TTLS tunnel.

> Fudging it by creating a static mapping userPassword -> SSHA-Password
> in ldap.attrmap won't work because the header will still be present in
> the hash...

Ok, which suggests that my attempt to use "password_radius_attribute"
(if that parameter still existed) in the ldap configuration would have
still failed, because I was trying to set it to SSHA-Password there.
Alan's suggestion was to map it to User-Password, though, which is where
rlm_pap *would* know how to deal with it.

Thanks, of course, for your continued interest ...

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl at alcor.concordia.ca

Systems and Network analyst                       Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
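
The header-stripping step discussed in this thread, as an added example that is not part of the original message and is not FreeRADIUS's rlm_pap code. It shows why an {SSHA} value compared with its header still attached fails while the same value with the header removed verifies; the function names, sample password and salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

DIGEST_LEN = 20  # SHA-1 output size in bytes

def make_ssha(password: bytes, salt: bytes) -> str:
    """Build a userPassword-style value: {SSHA} + base64(SHA1(pw + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def split_header(value: str):
    """Return (scheme, body); scheme is None if there is no {scheme} header."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return None, value

def verify_ssha(body: str, password: bytes) -> bool:
    """Check a password against an SSHA body that has no header on it."""
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # header still attached, or otherwise not base64
        return False
    if len(raw) < DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)

def check_password(stored: str, password: bytes) -> bool:
    """Strip the header first, then pick the comparison it names."""
    scheme, body = split_header(stored)
    if scheme == "SSHA":
        return verify_ssha(body, password)
    return False  # other schemes are out of scope for this sketch

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    stored = make_ssha(b"example-pass", b"\x01\x02\x03\x04")
    print(stored)
    print("header stripped:", check_password(stored, b"example-pass"))
    print("header left on: ", verify_ssha(stored, b"example-pass"))
```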