rlm_ldap and auto_header

Tim Palmer tpalmer at bestweb.net
Tue Nov 11 05:17:31 CET 2008


After fighting with an upgrade from freeradius-1.0.3 to 2.1.1, both do a 
simple LDAP authorize/PAP authenticate (no tls, no eap, no chap, no 
inner-tunnel, nothing else), I've stumbled on what seems to fix my 
problem, and am curious if my fix makes sense, and will continue to be 
supported. I'm not including full debug output and config files in this 
post because I'm not looking for help on what I've done wrong, just 
whether this part of the configuration is valid. I'm happy to provide 
more detail if it's desired.

Built from freeradius-server-2.1.1 source, downloaded about 2 weeks ago 
from the Freeradius main site, on FreeBSD 7-1-PRERELEASE.

With 2.1.1, I had no trouble getting rlm_ldap to connect to my OpenLDAP 
server, and after putting in a Cleartext-Password entry in 
ldap.attrsmap, rlm_ldap would authorize fine, and everything seemed ok, 
except I couldn't get pap to understand the encryption scheme:

[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): 
[test/testing] (from client localhost port 1)

No amount of changing settings in modules/pap and other config files 
would help. I finally noticed in the rlm_ldap debug output "auto_headers 
= no".

So, I set auto_headers = yes in modules/ldap, and login passes. Remove 
it, and login fails.

Is it only some oddball, simplistic configurations like mine that this 
should be required? I was unable to find any mention of this as an ldap 
module setting except in rlm_ldap.c, which I didn't think to look in 
until after the fact.

Thank you for your time,

tim
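
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of why the debug output above ends in "Passwords don't match" when a value carrying a {scheme} header is compared as clear text. It assumes that enabling the setting makes the header select the password attribute; the function names and the {SSHA} sample value are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Header -> attribute the value should be treated as (assumed, simplified mapping).
HEADER_TO_ATTR = {
    "clear": "Cleartext-Password",
    "cleartext": "Cleartext-Password",
    "crypt": "Crypt-Password",
    "md5": "MD5-Password",
    "sha": "SHA-Password",
    "ssha": "SSHA-Password",
}

def split_header(stored):
    """Return (attribute, value); a value with no known header is left as-is."""
    if stored.startswith("{") and "}" in stored:
        name, rest = stored[1:].split("}", 1)
        attr = HEADER_TO_ATTR.get(name.lower())
        if attr:
            return attr, rest
    return "Cleartext-Password", stored

def check(attr, value, supplied):
    """Compare the supplied password with the stored value according to attr."""
    pw = supplied.encode()
    if attr == "Cleartext-Password":
        return hmac.compare_digest(value.encode(), pw)
    if attr == "SHA-Password":
        return hmac.compare_digest(base64.b64decode(value), hashlib.sha1(pw).digest())
    if attr == "SSHA-Password":
        raw = base64.b64decode(value)
        digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise NotImplementedError(attr)  # e.g. Crypt-Password needs crypt(3)

def authenticate(stored, supplied, auto_header):
    """auto_header=False models the failing case: the header is never parsed."""
    if auto_header:
        attr, value = split_header(stored)
    else:
        attr, value = "Cleartext-Password", stored
    return check(attr, value, supplied)

def make_ssha(password, salt):
    """Build a constructed {SSHA} sample value for the demonstration."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()
```

With header parsing off, the whole string including its header is compared byte for byte with the typed password, so the check can only succeed if the user types the stored string itself.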


