Re: yet ANOTHER EAP-TTLS/PAP with OpenLDAP problem ...
On Sat, 29 Mar 2008, Arran Cudbard-Bell wrote:

If there's a {ssha} header on the password, then the PAP module should
figure it out.

But it doesn't appear to be... you have got the autoheader option set
in the PAP module?

pap {
    auto_header = yes
}

Yes, that's configured.

*nothing* will work until you get the hash into the correct attribute
with the header stripped off.

Right. As already noted, radtest against a user entry in our LDAP data
*does* work. I just need to get this working inside the TTLS tunnel.

Fudging it by creating a static mapping userPassword -> SSHA-Password
in ldap.attrmap won't work because the header will still be present in
the hash...

Ok, which suggests that my attempt to use "password_radius_attribute"
(if that parameter still existed) in the ldap configuration would have
still failed, because I was trying to set it to SSHA-Password there.
Alan's suggestion was to map it to User-Password, though, which is where
rlm_pap *would* know how to deal with it.

Thanks, of course, for your continued interest ...
--
----------------------------------------------------------------------
Sylvain Robitaille syl@alcor.concordia.ca
Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
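
Why the header has to come off before the value can serve as an SSHA hash, as an added Python illustration that is not from this thread and is not rlm_pap's code. It assumes the usual LDAP SSHA layout, base64(SHA1(password + salt) + salt); the function names, password and salt are constructed for the example.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # size of a SHA-1 digest in bytes


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build a userPassword-style value: {SSHA}base64(SHA1(pw + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_raw(data: str, cleartext: bytes) -> bool:
    """Treat `data` as bare SSHA data (no header) and check the PAP password."""
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # '{' and '}' are not base64 characters
        return False
    if len(raw) <= SHA1_LEN:  # digest must be followed by a salt
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(cleartext + salt).digest()
    return hmac.compare_digest(candidate, digest)


def verify_with_header(value: str, cleartext: bytes) -> bool:
    """Strip a leading {SSHA}/{ssha} header, then verify; reject other schemes."""
    if value.startswith("{") and "}" in value:
        scheme, value = value[1:].split("}", 1)
        if scheme.upper() != "SSHA":
            return False
    return verify_raw(value, cleartext)


if __name__ == "__main__":
    # Constructed sample entry, not taken from any real directory.
    stored = make_ssha(b"secret", b"\x01\x02\x03\x04")
    print("value copied as-is into a hash attribute:", verify_raw(stored, b"secret"))
    print("header recognised and stripped first:   ", verify_with_header(stored, b"secret"))
```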