Another LDAP/RADIUS integration problem.

Tom Leach leach at
Wed Jul 28 21:34:49 CEST 2010

Grr, off on a goose chase.  Problem isn't in rlm_pap.c, but rlm_ldap.c. 
  rlm_ldap only likes the Cleartext-Password and User-Password 
attributes.  Would it be a bad thing to patch rlm_ldap.c to also work 
with Password-With-Header?  If not, then I guess I'll have to use 
User-Password in the ldap dictionary and live with the suggestion 
message in debug output.
!!!    Replacing User-Password in config items with Cleartext-Password. 
!!! Please update your configuration so that the "known good" 
!!! clear text password is in Cleartext-Password, and not in 
User-Password. !!!

On 07/28/2010 11:59 AM, Tom Leach wrote:
> Alan, changing from User-Password to Password-With-Header brought back 
> the 'No "known good" password' error.  I'm going through the rlm_pap.c 
> code to try to see what's going on here.  I haven't found any docs yet 
> on what the various mapping possibilities are and what they do.  Do you 
> have a pointer to any so I don't keep bugging you and the list?
> I agree with the 'get it work, then tune it' approach.  That's where I'm 
> at now.  It's working, I'm just trying to make all the messages go away :)
> Thanks!
> Tom
> Here is a snippet from radiusd -X:
> [ldap-server1] Added Crypt-Password = 4gOgBZqZgtwIw in check items
> [ldap-server1] looking for check items in directory...
>   [ldap-server1] userPassword -> Password-With-Header == 
> "{crypt}4gOgBZqZgtwIw"
> [ldap-server1] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that 
> the user is configured correctly?
> [ldap-server1] user testuser authorized to use remote access
>> Date: Tue, 27 Jul 2010 09:00:23 +0200
>> From: Alan DeKok <aland at>
>> Subject: Re: Another LDAP/RADIUS integration problem.
>> To: FreeRadius users mailing list
>>     <freeradius-users at>
>> Message-ID: <4C4E8407.3030503 at>
>> Content-Type: text/plain; charset=ISO-8859-1
>> Tom Leach wrote:
>>> Alan, I changed the ldap.attrmap file from "checkItem Crypt-Password
>>> userPassword" to "checkItem User-Password userPassword" and it's
>>> authenticating now, but I now have a new message in the debug output and
>>> I'm not sure if it's a problem, suggestion, or otherwise.
>>   It's a suggestion.  But the first step was to get it to work.
>>>  I can't
>>> change the LDAP directory to contain actual cleartext passwords, so it
>>> may just be something that I have to live with.
>>   Change the mapping in ldap.attrmap to:
>> checkItem Password-With-Header userPassword
>>   That should *still* work, and will remove the warning.
>>   The process here is to first get it to work, and then get it to work
>> better.
>>   Alan DeKok.

More information about the Freeradius-Users mailing list