On Mon, 2007-08-27 at 13:56 +0200, Ivan Lago wrote:
I tried to make it explicit, but it did not work. Anyway that parameter is defaulted to yes, as you said, but it's being ignored. Here is a dump of the loading of the module at server startup, without adding the set_auth_type explicitally :
Ah, ok, I see what's happening. The reason this has changed is: looking at the 1.1.7 rlm_ldap code, a new "should we set auth-type" check is used: if (inst->set_auth_type && (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) && request->password && (request->password->attribute == PW_USER_PASSWORD) && !added_known_password) { pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name, T_OP_EQ)); DEBUG("rlm_ldap: Setting Auth-Type = %s", inst->xlat_name); } That is, the module will only set Auth-Type to itself if all of the following are true: * the module is set to do this * there's no auth-type already set * there's a User-Password in the request * the LDAP module didn't add a Cleartext-Password to the config items That last is the problem - from your original mail: rlm_ldap: performing search in ou=Network,dc=ifom-ieo-campus,dc=it, with filter (macAddress=00:17:f2:f5:2b:da) rlm_ldap: Added password 00:17:f2:f5:2b:da in check items So, you've two several options: 1. Update the LDAP directory to contain the correct plaintext password, configure "set_auth_type = no" and add the pap module to authorize and authenticate: authorize { preprocess ...blah redundant { macbypass1 macbypass2 } # MUST go last... pap } authenticate { Auth-Type PAP { pap } ...etc. } 2. Since it's wrong anyway (00:11:22:33:44:55 != 001122334455), either remove the plaintext password from the LDAP directory or remove the "password_attribute" config item from the module instance. Why *are* you copying a "wrong" password from LDAP to the config items? How is the LDAP server authenticating them?