On Παρ, Σεπ 07 2018 at 04:46:35 μμ, Alan DeKok <aland@deployingradius.com> wrote: Hi Alan and all, a quick update on this, to have it for future reference.
Map the LDAP userPassword attribute to a binary attribute, e.g. Tmp-Octets-0. Then, copy that to Cleartext-Password:
ldap if (control:Tmp-Octets-0) { update control { Cleartext-Password := &control:Tmp-Octets-0 } }
quickly tried your proposed fix in production. Did not seem to work:
Hmm..
The above solution did not work exactly as is. A minor patch was needed: if (control:Tmp-Octets-0) { update control { Cleartext-Password := "%{string:control:Tmp-Octets-0}" } } The binary attribute would need to be converted to string for the comparison in pap to work.
... (33318) Fri Sep 7 15:41:31 2018: Debug: pap: Login attempt with password (33318) Fri Sep 7 15:41:31 2018: Debug: pap: Comparing with "known good" Cleartext-Password (33318) Fri Sep 7 15:41:31 2018: ERROR: pap: Cleartext password does not match "known good" password (33318) Fri Sep 7 15:41:31 2018: Debug: pap: Passwords don't match
You'll have to look at the contents of Cleartext-Password to see what's going on here. Just log it to a file.
radiusd -X showed the exact value of Cleartext-Password. <academic interest> I wonder how I could log it to a file however. detail.log did not work. Should I use linelog? </academic interest>
Could it be that radclient actually sends '\\' at the end of the password, as shown in the debug output?
No. That's just due to the rules for escaping the double-quoted string.
Indeed I verified that in a pcap capture. The whole escaping in shell strings always confused me so I try to stay away from it :) Have you implemented the string escape rules of bash? For example I tried to send a password ending in '\\' through radclient. I had to input User-Password = "test123\\\\\\\\" in the attribute file!
The ldap stored password contains only a single '\' in the end. PAP comparison therefore seems to fail. Is there a way to send a single '\' at the end of User-password to debug this? Am I again missing something?
The issue is that backslash is used inside strings to mean that something is being escaped. So it can't really be used all by itself.
The only other solution then is to copy the User-Password to an octets attribute, and compare them manually:
if (control:Tmp-Octets-0 && User-Password) { update request { Tmp-Octets-0 := &User-Password }
if (&control:Tmp-Octets-0 == &request:Tmp-Octets-0) { accept } else { reject }
}
I did't need to resort to this. I think that was good, because I didn't like to idea to bypass the pap authentication module. Thanks again for the support. Best regards, Kostas -- Kostas Zorbadelos http://gr.linkedin.com/in/kzorba