On Mar 11, 2020, at 10:31 AM, Клеусов Владимир Сергеевич via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
In freeradius logs, this is ldap: Bind credentials incorrect: Invalid credentials): [testuser/testpasswd2217287 First the request for a normal password and then the otp 2217287 What's wrong ?
The user entered the password followed by the OTP, all as one field. Then, you configured FreeRADIUS to send all that to LDAP. The general practice is to put the 6-digit OTP first, then the password. Then, split them via something like this: if (User-Password =~ /^(......)(.*)$/) { update request { User-Password := "%{2}" OTP-Password := "%{1}" } } You will need to edit raddb/dictionary in order to define OTP-Password. This lets you use User-Password as normal to connect to LDAP, and authenticate the user. You can then check OTP-Password however you want. Alan DeKok.