On 07/19/2010 08:17 AM, Lionne Stangier wrote:
Here are a couple of things to check which often trip folks up:
1) is the userPassword attribute defined in $RADDB/ldap.attrmap ? By default it isn't (I've never understood why it isn't) You should have a line in that file which looks like this:
checkItem Cleartext-Password userPassword
Nice to know. I don’t use this line before :) thank you.
I used ldapsearch -h ldap.... -b dc=allesklar,dc=com -x "uid=lionne.stangier"
I get the userPassword but encoded :(
Is there a double colon (::) after the userPassword attribute name in the ldapsearch result? (e.g. userPassword:: xxxxxxxxxxxxxxxxx). If so that means the attribute value was binary (had some non-ascii printing character in it) so it was base64 encoded. This is a bit obscure, I got tripped up by it recently too :-) Try base64 decoding the the value. I bet it'll look like {hash}xxxxxxxxxxxx where hash is one of sha1, md5, etc. and xxxxxxxxxxx is the hash digest of the password. FWIW it's not unusual when a hashing to a digest to end up with a non-ascii character (thus triggering the base64 encoding) -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/