Freeradius-Users Digest, Vol 63, Issue 95

Tom Leach leach at coas.oregonstate.edu
Wed Jul 28 20:59:48 CEST 2010


Alan, changing from User-Password to Password-With-Header brought back 
the 'No "known good" password' error.  I'm going through the rlm_pap.c 
code to try to see what's going on here.  I haven't found any docs yet 
on what the various mapping possibilities are and what they do.  Do you 
have a pointer to any so I don't keep bugging you and the list?
I agree with the 'get it to work, then tune it' approach.  That's where I'm 
at now.  It's working, I'm just trying to make all the messages go away :)
Thanks!
Tom

Here is a snippet from radiusd -X:
[ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items
[ldap-server1] looking for check items in directory...
   [ldap-server1] userPassword -> Password-With-Header == "{crypt}4gOgBZqZgtwIw"
[ldap-server1] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap-server1] user testuser authorized to use remote access



> Date: Tue, 27 Jul 2010 09:00:23 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Another LDAP/RADIUS integration problem.
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <4C4E8407.3030503 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Tom Leach wrote:
>> Alan, I changed the ldap.attrmap file from "checkItem Crypt-Password
>> userPassword" to "checkItem User-Password userPassword" and it's
>> authenticating now, but I now have a new message in the debug output and
>> I'm not sure if it's a problem, suggestion, or otherwise.
> 
>   It's a suggestion.  But the first step was to get it to work.
> 
>>  I can't
>> change the LDAP directory to contain actual cleartext passwords, so it
>> may just be something that I have to live with.
> 
>   Change the mapping in ldap.attrmap to:
> 
> checkItem Password-With-Header userPassword
> 
>   That should *still* work, and will remove the warning.
> 
>   The process here is to first get it to work, and then get it to work
> better.
> 
>   Alan DeKok.


