<div dir="ltr"><div><div><div><div><br>You're absolutely right (as usual!). Thank you very much for your help, Alan.<br><br></div>Unfortunately both LDAP and Freeradius came to me with a working server, so there are strange things in the configs. In module/ldap I've found this:<br><br>password_attribute = sambaNTPassword<br><br></div>When I commented it out, PAP started to work as it should! <br><br></div>For now I have to find out why it was done and what could stop working without this line. Looks really weird.<br></div>Thanks again!<br><div><div><div><br><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 2, 2015 at 3:27 PM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Jan 2, 2015, at 7:26 AM, sb <<a href="mailto:superabx@gmail.com">superabx@gmail.com</a>> wrote:<br>
> Upgraded to 2.2.6, nothing changes.<br>
<br>
</span> Because the LDAP database is storing the NT password in the userPassword field.<br>
<span class=""><br>
> [local] Added User-Password = 1D*********************9B in check items<br>
<br>
</span> Which looks to be 32 hex characters, i.e. the NT password.<br>
<br>
Here’s a simple question. Is the “correct” password for the user really “1D…”, or is it something else?<br>
<span class=""><br>
> [local] looking for check items in directory...<br>
> [local] sambaNtPassword -> NT-Password == 0x31**********************************************************42<br>
<br>
</span> Which is the *previous* password (1D…) converted to hex, i.e. the “sambaNtPassword” field doesn’t look like it’s actually an NT password. It’s something else.<br>
<span class=""><br>
> I can not understand why is this:<br>
><br>
> [local] Added User-Password = 1D*********************9B in check items<br>
><br>
> There is nothing of User-Password in ldap.attrmap,<br>
<br>
</span> The LDAP module adds it automatically. “userPassword” in LDAP maps to “User-Password” in RADIUS.<br>
<span class=""><br>
> why the radius adds it from sambaLmPassword?<br>
<br>
</span> It doesn’t. I have no idea why you think that’s happening.<br>
<span class=""><br>
> I can not put cleartext passwords in LDAP, so I have to work with NT-hashed passwords only.<br>
<br>
</span> Then make sure to put an “{nt}” prefix in front of them in LDAP. I already said to do this.<br>
<br>
LDAP should have “userPassword” with value “{nt4}1D…”.<br>
<span class=""><br>
> So, how to tell the radius that User-Password and Cleartext-Password are empty and it has to operate with NT-Password?<br>
<br>
</span> You don’t. What you’re doing with LDAP is incorrect. The data you’re putting into the userPassword field in LDAP is *wrong*. The data that’s in the sambaNtPassword field is VERY WRONG.<br>
<br>
You can work around it by doing the following. In “sites-enabled/default”, look for the “authorize” section. It should have a line which is “ldap”. After that line, add the following:<br>
<br>
update control {<br>
    # copy the 32-hex-char NT hash that rlm_ldap placed into User-Password<br>
    NT-Password := "%{control:User-Password}"<br>
    # then delete the bogus User-Password so rlm_pap does not treat it as a cleartext password<br>
    User-Password !* ANY<br>
}<br>
<br>
This will make the NT-Password have the value of the userPassword field. And then it deletes the *wrong* User-Password.<br>
<br>
But the underlying issue is that the data in LDAP is wrong. You’re putting NT-Passwords into the userPassword field. That’s wrong.<br>
<div class="HOEnZb"><div class="h5"><br>
Alan DeKok.<br>
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div></div>
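As an added illustration (not code from the thread or from FreeRADIUS itself) of the two problems Alan points out above, this Python snippet classifies an LDAP userPassword value the way rlm_pap would interpret its header, and decodes a sambaNtPassword value logged as 0x31…42 to show that it is the hex encoding of the string "1D…9B" rather than 16 hash bytes. The header set it recognises ({nt}, {clear}, {cleartext}) is a simplification, and the hash values are constructed samples, not the thread's real data.

```python
import re

# 32 hex characters: the text form of a 16-byte NT hash
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
HEADER = re.compile(r"^\{([^}]+)\}(.*)$")


def classify_user_password(value: str) -> str:
    """Return the control attribute rlm_pap would derive from an LDAP
    userPassword value.  Without a header the value is taken literally as a
    cleartext password, so an un-prefixed NT hash can never match what the
    user types; with a {nt} header it becomes NT-Password.
    (Header set reduced to {nt}/{clear}/{cleartext}: an assumption.)"""
    m = HEADER.match(value)
    if m is None:
        if HEX32.match(value):
            return "Cleartext-Password (WARNING: bare 32-hex value, probably an NT hash missing its {nt} header)"
        return "Cleartext-Password"
    header, body = m.group(1).lower(), m.group(2)
    if header == "nt":
        if HEX32.match(body):
            return "NT-Password"
        return "NT-Password (malformed: expected 32 hex characters)"
    if header in ("clear", "cleartext"):
        return "Cleartext-Password"
    return f"{{{header}}} hashed password"


def decode_logged_nt_password(logged: str):
    """rlm_ldap logs a binary attribute as 0x<hex>.  A genuine NT hash is 16
    bytes, so its log form has 32 hex digits after 0x.  64 hex digits whose
    bytes are all ASCII hex digits mean the directory holds the *string*
    '1D...9B' instead of the hash bytes, which is what the thread's log shows."""
    hexpart = logged[2:] if logged.lower().startswith("0x") else logged
    data = bytes.fromhex(hexpart)
    if len(data) == 16:
        return ("nt-hash", data.hex().upper())
    text = data.decode("ascii", errors="replace")
    if HEX32.match(text):
        return ("hex-string-of-nt-hash", text.upper())
    return ("unknown", None)


# Constructed sample values (masked like the thread's log; not real hashes)
SAMPLE_HASH = "1D" + "AB" * 14 + "9B"                          # 32 hex chars
BARE_USERPASSWORD = SAMPLE_HASH                                 # what the thread's LDAP had
GOOD_USERPASSWORD = "{nt}" + SAMPLE_HASH                        # what Alan asks for
LOGGED_SAMBA_ATTR = "0x" + SAMPLE_HASH.encode("ascii").hex()   # 0x3144...3942, double-encoded

if __name__ == "__main__":
    print(classify_user_password(BARE_USERPASSWORD))
    print(classify_user_password(GOOD_USERPASSWORD))
    print(decode_logged_nt_password(LOGGED_SAMBA_ATTR))
```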