[Thor Spruyt]

>----- Oorspronkelijk bericht -----
>Van
: wessam seleem [mailto:wessam.seleem at gmail.com]
>Verzonden
: zondag
, september
 27, 2009 02:34 PM
>Aan
: 'FreeRadius users mailing list'
>Onderwerp
: Re:
>
>Dear Thor and Ivan,
>         Thanks for your support. I would like to notice that I have the
>same configuration in a server that has freeradius-1.1.7-1 installed and it
>is working fine. I want to upgrade. That is why I am testing
>freeradius-2.1.6-2. I want to ask is there is any difference between 1.1.7-1
>and 2.1.6-2 configuration files that I should put it in my consideration?
>
>
>Thor,
>I don't have the same output in the debug mode. I have what you can see
>below:
>
>
>++[ldap] returns ok
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!!    Replacing User-Password in config items with Cleartext-Password.
>!!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>!!! Please update your configuration so that the "known good"
>!!!
>!!! clear text password is in Cleartext-Password, and not in User-Password.
>!!!
>!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>+- entering group PAP {...}
>[pap] login attempt with password "password"
>[pap] Using clear text password "$5 at Hfgusllj%$#kasjs"
>[pap] Passwords don't match
>++[pap] returns reject
>Failed to authenticate the user.
>Using Post-Auth-Type Reject
>+- entering group REJECT {...}
>[attr_filter.access_reject]     expand: %{User-Name} -> username
> attr_filter: Matched entry DEFAULT at line 11
>++[attr_filter.access_reject] returns updated
>
>Dear Ivan and Thor,
>
>As you can see the problem that I am sending a clear text password and the
>radius doesn't convert it to encrypted one. I want  my radius to take a
>clear
>text password and encrypt it then compare it with the encrypted one in my
>ldap. Please let me know if I should clarify more or if you need more info.
>
>Thanks again for your support.
>Regards,
>

I'm not saying that how I got it working is *the* way to do it, I just got it working this way...
I'm using 2.1.7, but I guess 2.1.6 has exactly the same behaviour.

In your ldap module configuration, remove this:
password_header = "{CRYPT}"
Then the ldap module will not remove {CRYPT} from User-Password and the server will not complain about the attributes...
The pap module configuration should only have the following line:
auto_header = yes
This will make the PAP authentication step recognize that the password retrieved from ldap is crypted and do the correct password comparison.

Regards,
Thor.