On 07/23/2010 02:59 PM, Alan DeKok wrote:
Tom Leach wrote:
To correct the bind problem, I added an ACL to the directory to allow 'uid=admin,o=radtree' to access the userPassword attribute, then configured the ldap module to use 'uid=admin,o=radtree' as the identity and 'secret' as the password. Now the bind succeeds, the -X output says that it's mapping userPassword -> Crypt-Password == "{crypt}4gOgBZqZgtwIw"
The "Crypt-Password" attribute is supposed to be the crypt'd version of the password *without* the "{crypt}" header. Change the mapping from "userPassword -> Crypt-Password" to "userPassword -> User-Password", and it will work.
The PAP module will look for the "{crypt}" header, and create a Crypt-Password with the appropriate value.
Hmm ... Just from looking at the rlm_ldap code (not actual testing) I thought if auto_header was set to True in the ldap config then rlm_ldap after looking up the configured password attribute would perform the steps you describe above. (strip the hash prefix and add a new attribute with the correct attribute type for the hash type) Am I confused? -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/