On Wed, Jan 13, 2010 at 10:48 PM, Alan DeKok <aland@deployingradius.com> wrote:
Eric Swanson wrote:
... [ldap] Added User-Password = {SSHA}i9--censored--JI in check items [ldap] looking for check items in directory... rlm_ldap: sambaNtPassword -> NT-Password == 0x4338--censored--4531 rlm_ldap: sambaLmPassword -> LM-Password == 0x4637--censored--4545
You have 3 versions of the "known good" password for the user. Which one do you want to use?
Alan: Thanks so much for getting back to me. My intent is to use the SSHA password -- of the ones my LDAP system must maintain, I assumed it would be the most straightforward (better than those Windows ones anyway).
[pap] Using CRYPT encryption.
And the "pap" module isn't configured to use any of them.
The part that seems strange to me is that the system clearly identifies the type of passwords we are using ("Normalizing SSHA1-Password from base64 encoding" seems proof enough of that), but a couple lines later PAP has decided to use CRYPT encryption for some reason. I can't imagine what I've done to make the system believe it should use CRYPT instead of SSHA.
Check the configuration of the PAP module.
Here's my modules/pap in its entirety: pap { auto_header = yes } I haven't found any information on other (non-deprecated) directives that go in this file. If there's a way to tell PAP to use the SSHA password, I would _love_ to hear it. There's not much to the rest of my PAP-related configuration. In sites-available/default under the authorization section, PAP is listed last, just like this: pap In sites-available/default under the authentication section, PAP is listed first like this: Auth-Type PAP { pap } I'm excited about your note's implication that there's a way to tell PAP which password to use. If that's really true, I think all I need is to be pointed to information about how to do so. Thankx, E.