Hi, Looks like the rlm_ldap module ignores 'password_radius_attribute'[1] so something like the following completely untested patch is needed. The Novhell eDirectory code probably needs tweaking also to honour this variable, or alternatively remove 'password_radius_attribute' altogether and make: ---- int attr = PW_CLEARTEXT_PASSWORD; ---- Something needs to be done, otherwise there is no way to deal with: ---- ldap_local] performing user authorization for 0021040f7c04 [ldap_local] expand: (&(objectClass=ieee802Device)(cn=%{Stripped-User-Name})) -> (&(objectClass=ieee802Device)(cn=0021040f7c04)) [ldap_local] expand: ou=comms,o=soas -> ou=comms,o=soas [ldap_local] ldap_get_conn: Checking Id: 0 [ldap_local] ldap_get_conn: Got Id: 0 [ldap_local] performing search in ou=comms,o=soas, with filter (&(objectClass=ieee802Device)(cn=0021040f7c04)) [ldap_local] Added User-Password = <AHEM> in check items [ldap_local] No default NMAS login sequence [ldap_local] looking for check items in directory... [ldap_local] looking for reply items in directory... [ldap_local] user 0021040f7c04 authorized to use remote access [ldap_local] ldap_release_conn: Release Id: 0 +++[ldap_local] returns ok ++- if (Stripped-User-Name =~ /^[0-9a-f]{12}$/) returns ok ++ ... skipping else for request 2048: Preceding "if" was taken Found Auth-Type = digest !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [digest] rlm_digest: Converting Digest-Attributes to something sane... Digest-User-Name = "0021040f7c04" Digest-Realm = "soas.ac.uk" Digest-Nonce = <AHEM> Digest-URI = "sip:soas.ac.uk" Digest-Method = "REGISTER" ---- Cheers [1] http://wiki.freeradius.org/Rlm_ldap diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c index 133bcb6..0155aa4 100644 --- a/src/modules/rlm_ldap/rlm_ldap.c +++ b/src/modules/rlm_ldap/rlm_ldap.c @@ -148,6 +148,7 @@ typedef struct { char *access_attr; char *passwd_hdr; char *passwd_attr; + char *passwd_rad_attr; int auto_header; char *dictionary_mapping; char *groupname_attr; @@ -263,6 +264,8 @@ static const CONF_PARSER module_config[] = { offsetof(ldap_instance,passwd_hdr), NULL, NULL}, {"password_attribute", PW_TYPE_STRING_PTR, offsetof(ldap_instance,passwd_attr), NULL, NULL}, + {"password_radius_attribute", PW_TYPE_STRING_PTR, + offsetof(ldap_instance,passwd_rad_attr), NULL, NULL}, {"auto_header", PW_TYPE_BOOLEAN, offsetof(ldap_instance,auto_header), NULL, "no"}, @@ -1497,7 +1500,9 @@ static int ldap_authorize(void *instance, REQUEST * request) if (passwd_vals) for (i = 0; passwd_vals[i] != NULL; i++) { - int attr = PW_USER_PASSWORD; + int attr = (inst->passwd_rad_attr) + ? dict_attrbyname(inst->passwd_rad_attr) + : PW_USER_PASSWORD; /* should this not default to now PW_CLEARTEXT_PASSWORD */ if (strlen(passwd_vals[i]) == 0) continue;