Thanks Ivan for your reply. Here is the ldap configuration section: ldap { server = "x.x.x.x" identity = "cn=username" password = password basedn = "ou=email,o=data,c=eg" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" password_header = "{CRYPT}" ldap_connections_number = 100 timeout = 15 timelimit = 10 net_timeout = 5 tls { start_tls = no } profile_attribute = "radiusProfileDn" access_attr = "dialupAccess" dictionary_mapping = ${confdir}/ldap.attrmap password_attribute = radiususerPassword } and here is the debug message ++[ldap] returns ok Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "123456" [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> username attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Thanks for your support. Wessam On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik <tnt@kalik.net> wrote:
I decided to install free radius 2.1.6-2 to test it and then to upgrade my existing versions in my servers. I configured my free radius to use ldap. When I tried to authenticate from the new radius it gave me the following message "from radius -X".
Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Note that when I wrote the password encrypted "like *%@&ksjd%@sdgsadgjhsb" I was able to login but when I wrote the password in clear text "like test" I failed to login.
Password in ldap probably has a header. You can ignore the message then, because server will convert User-Password to appropriate password attribute on it's own (Crypt-Password for {crypt}, SHA-Password for {sha} etc.) if auto-header is enabled. Post the whole debug.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html