... So server translates User-Password to Cleartext-Password and the check fails since the password is encrypted.
Understood, yes.
So at the moment the server is reading your password hash out of the LDAP directory and treating it as a plaintext password string. You can test this by providing the password hash as your password during PAP authentication. I Noticed from that sample hash, your passwords have the correct {SSHA} prefix, this means you should be able to use ldap { auto_header = yes } And the server will automatically write the hash to the correct internal attribute. Least thats how it works on ours, and were using an OpenLDAP setup similar to your.
Configure ldap section to use SSHA-Password as password attribute instead.
That's what I believed I HAD done with the following, from the diff of my radiusd.conf file against the default radiusd.conf that ships with 2.0.3, orignally included after the signature in my first message:
@@ -820,7 +825,8 @@ # Novell may require TLS encrypted sessions before returning # the user's password. # - # password_attribute = userPassword + password_attribute = userPassword + password_radius_attribute = "SSHA-Password"
I have no idea what password_radius_attribute is ?? Is that a legacy configuration item ? If your password is indeed stored in the LDAP 'userPassword' attribute which is the default then: # Set password_attribute = nspmPassword to get the # user's password from a Novell eDirectory # backend. This will work ONLY IF FreeRADIUS has been # built with the --with-edir configure option. # password_attribute = userPassword should suffice. The other way you can do this is by using the LDAP module as an authentication module. When used in the authentication section it'll attempt to bind to the LDAP server using the users UID and Password. I wouldn't recommend it in your case though, as binds are comparatively slow, and it'll only work with PAP.
If the above is not the correct way to accomplish what I am trying to do, I would be very grateful if someone would point me in the right direction to find what is the correct way.
The radtest test against a user in the LDAP data succeeds. How do I get from here to having successful authentication through TTLS against the same LDAP data, without the above warning?
radtest j_doe '*SANITIZED*' localhost:1814 1 testing123 User-Name = "j_doe" User-Password = "*SANITIZED*" NAS-IP-Address = 192.168.7.47 NAS-Port = 1
Older versions of radtest would report receiving "Access-Accept", while this one silently exists. However, radiusd in this case says:
Ready to process requests. User-Name = "j_doe" User-Password = "*SANITIZED*" NAS-IP-Address = 192.168.7.47 NAS-Port = 1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "j_doe", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for j_doe expand: %{Stripped-User-Name} -> expand: %{User-Name} -> j_doe expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(search filter trimmed for brevity)) -> (&(cn=j_doe)(search filter trimmed for brevity)) expand: ou=people,dc=concordia,dc=ca -> ou=people,dc=concordia,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost boris:389, authentication 0 rlm_ldap: bind as cn=iits_neg,ou=AdminRoles,dc=concordia,dc=ca/*SANITIZED* to localhost boris:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=concordia,dc=ca, with filter (&(cn=j_doe)(search filter trimmed for brevity)) rlm_ldap: Added User-Password = {SSHA}*SANITIZED*QDmffXBQkU42Wt9x*SANITIZED*== in check items rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user j_doe authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "*SANITIZED*" rlm_pap: Using SSHA encryption. rlm_pap: Normalizing SSHA1-Password from base64 encoding rlm_pap: User authenticated successfully ++[pap] returns ok Login OK: [j_doe/*SANITIZED*] (from client localhost port 1) Finished request 0. Going to the next request
Thanks for following up, and for any additional help ...