Interestingly the bind as the root DN works with password supplied in clear-text through the ldap {} module... Thanks Sambuddho On Sat, 2008-07-05 at 18:03 -0400, Sambuddho Chakravarty wrote:
Hello Ivan Does that mean that I cannot authenticate against a LDAP server from a freeradius server using cleartext passwords. So the freeradius client needs to send the password in encrypted format. But other programs which using LDAP server to authenticate (eg. the pam_ldap ) takes as input the cleartext password. Is there a solution to this ? Maybe I am mistaken somewhere . Please let me know. Thanks Sambuddho On Fri, 2008-07-04 at 09:56 +0100, Ivan Kalik wrote:
Problem still persists. What do you mean by the {crypt} header.
From RFC2256:
5.36. userPassword
( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
Passwords are stored using an Octet String syntax and are not encrypted.
Since you are intent on violating RFC you need to add a password header to indicate what type of encryption is used.
rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials ++[ldap1] returns reject auth: Failed to validate the user.
Without the header userPassword is treated as clear text (not crypted value) and that does't match.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html