problem with pap password normalization

Alan DeKok aland at
Fri Nov 9 18:56:21 CET 2018

> On Nov 6, 2018, at 11:51 AM, Amstaff zg <amstaff.zg at> wrote:
> Hi,
> I have problem with pap password normalization when radius fetches
> password from ldap in base64 format.
> Here is example where it works:
> FreeRADIUS Version 3.0.16 Copyright (C) 1999-2017 The FreeRADIUS
> server project and contributors There is NO warranty; not even for
> redistribute copies of FreeRADIUS under the terms of the GNU General
> Public License For more information about these matters, see the file

  The debug output has been *completely* mangled.  It's been word wrapped to the point where it's almost impossible to see what's going on.

> I think line:
> (1) pap: Normalizing Password-With-Header from base64 encoding, 28
> bytes -> 21 bytes (1) pap: Unknown header {{?v??w}} in
> Password-With-Header, re-writing to Cleartext-Password (1) pap:
> Removing &control:Password-With-Header
> is making this problem. pap module is trying to normalize password
> from ldap no matter that
> pap { normalise = no } is set.

  When you put the password into the "Password-With-Header" attribute, you are telling FreeRADIUS that the password has a header.  So it makes no sense to say "yes, it has a header, but no, we don't want to look at that header".

  If you want to use the password *as is* from LDAP, then assign it to the Cleartext-Password attribute.  That won't look for headers, and will compare the passwords as-is.

  Alan DeKok.

More information about the Freeradius-Users mailing list