On Jun 3, 2024, at 6:11 AM, Oliver Lorenz <dev@lrnz.at> wrote:
while testing LDAP authentication with FreeIPA, I noticed PAP complained about no "known good" password found for the user. After looking into it, I saw that the Password.With-Header attribute has an unknown header. PAP rewrote it to Cleartext and obviously failed to verify it.
Below is a patch to make authentication work. The additional password type was necessary because password_process_header in password.c always strips the header it finds, which sucks for OpenLDAP and 389ds passwords because they encode the hash algorithm there.
I would really appreciate it if somebody could provide some feedback. Since it's such a massive codebase, chances are that I'm doing it (very) wrong.
I think it looks mostly OK. Can you submit a PR to GitHub? Or at least send a tar / zip file to me off-list. Patches tend to get mangled when they get sent as in-line text in email. Alan DeKok.