Another LDAP/RADIUS integration problem.

John Dennis jdennis at
Fri Jul 23 22:11:46 CEST 2010

On 07/23/2010 02:59 PM, Alan DeKok wrote:
> Tom Leach wrote:
>> To correct the bind problem, I added an ACL to the directory to allow
>> 'uid=admin,o=radtree' to access the userPassword attribute, then
>> configured the ldap module to use 'uid=admin,o=radtree' as the identity
>> and 'secret' as the password.  Now the bind succeeds, the -X output says
>> that it's mapping userPassword ->  Crypt-Password ==
>> "{crypt}4gOgBZqZgtwIw"
>    The "Crypt-Password" attribute is supposed to be the crypt'd version
> of the password *without* the "{crypt}" header.  Change the mapping from
> "userPassword ->  Crypt-Password" to "userPassword ->  User-Password", and
> it will work.
>    The PAP module will look for the "{crypt}" header, and create a
> Crypt-Password with the appropriate value.

Hmm ...

Just from looking at the rlm_ldap code (not actual testing) I thought if
auto_header was set to True in the ldap config then rlm_ldap, after
looking up the configured password attribute, would perform the steps you
describe above (strip the hash prefix and add a new attribute with the
correct attribute type for the hash type).

Am I confused?

John Dennis <jdennis at>
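
The header handling discussed in this thread, as an added Python sketch (not FreeRADIUS code and not from either poster): it splits a headed userPassword value into the attribute that should hold it and the bare hash, and flags the failing state quoted above. The function names are hypothetical, and every table row other than {crypt} is an assumption.

```python
import re

# Scheme header -> attribute that should hold the bare hash.
# Only the {crypt} row comes from the thread; the rest are assumed here.
HEADER_TO_ATTR = {
    "crypt": "Crypt-Password",
    "md5": "MD5-Password",
    "smd5": "SMD5-Password",
    "sha": "SHA-Password",
    "ssha": "SSHA-Password",
    "clear": "Cleartext-Password",
}
HEADER_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.DOTALL)


def normalize(value):
    """Split a headed userPassword value into (attribute, bare_value).

    Returns (None, value) when there is no header, so the caller keeps
    whatever attribute the mapping already chose.
    """
    m = HEADER_RE.match(value)
    if m is None:
        return None, value
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme not in HEADER_TO_ATTR:
        raise ValueError(f"unknown password scheme {{{scheme}}}")
    if not rest:
        raise ValueError(f"empty value after {{{scheme}}} header")
    return HEADER_TO_ATTR[scheme], rest


def lint_mapping(attr, value):
    """Report a hash attribute that still carries its scheme header."""
    if attr in HEADER_TO_ATTR.values() and HEADER_RE.match(value):
        fixed_attr, fixed_value = normalize(value)
        return (f"{attr} holds a headed value; expected "
                f"{fixed_attr} == \"{fixed_value}\"")
    return None


if __name__ == "__main__":
    ldap_value = "{crypt}4gOgBZqZgtwIw"   # value quoted in the thread
    print(lint_mapping("Crypt-Password", ldap_value))
    print(normalize(ldap_value))
```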
