Tim Palmer wrote:
With 2.1.1, I had no trouble getting rlm_ldap to connect to my OpenLDAP server, and after putting in a Cleartext-Passwrod entry in ldap.attrsmap,
That's the issue. DON'T do that.
rlm_ldap would authorize fine, and everything seemed ok, except I couldn't get pap to understand the encryption scheme:
[pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testing" [pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."
Because you told it that the userPassword LDAP field was a clear-text password. The PAP module is *supposed* to do the "auto-header" thing itself. It can't, becaue you told it that the above text WAS the password.
Is it only some odd ball, simplistic configurations like mine that this should be required? I was unable to find any mention of this as an ldap module setting except in rlm_ldap.c, which I didn't think to look in until after the fact.
The LDAP auto-header configuration is deprecated. The PAP module is supposed to do that work now. Alan DeKok.