I doubt it will be possible to remove that. Is it possible to authenticate to this ldap database in another way? I thought I had read of a way to bind to the ldap server as the user we are trying to authenticate, but I can not find any good info on this. Thanks again for your help. JPG
-----Original Message----- From: freeradius-users-bounces+jon=xbytenetworks.com@lists.freeradius.org [mailto:freeradius-users- bounces+jon=xbytenetworks.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, January 25, 2006 11:45 AM To: FreeRadius users mailing list Subject: Re: Yet another PEAP/LDAP Question
Jon P. Giza wrote:
Phil:
I have made the suggested changes, and new debug's below:
rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as NT-Password, value ( & op=21 rlm_ldap: looking for reply items in directory... ... modcall: entering group MS-CHAP for request 5 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: Invalid NT-Password
The bit of code that generates this error checks for a length of 16 bytes (the actual bytes) or 32 (un-prefixed hex-encoded, in which case it decodes it). Therefore the userPassword attribute must be something other than the form:
0123456789abcdef0123456789abcdef
Your original debug log showed:
rlm_ldap: Added password (6BDC5527858B28XXXXXXXXXEFAF2323F) in check items
...and from the looks of the rlm_ldap code those brackets '()' are part of the data in the LDAP server, not part of the message print out function.
Quite why you'd wrap an ntPassword in round brackets I don't know, but you'll need to remove them somehow. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html