Christophe Saillard wrote:
I'm working on upgrading from FR 1.1.7 to FR 2.1.3.
I use FR for EAP-TTLS/PAP authentication with LDAP.
FR 1.1.7 successfully authenticates users with multiple LDAPuserpassword attributes which are stored with crypt and/or MD5 hash, the passwords are not the same (even it's better if the are) :
No. In 1.1.7, the server is doing LDAP "bind as user" for authentication. It is *completely* ignoring the crypt/MD5 passwords. ...
rlm_ldap: Added password {MD5}xxxxx in check items rlm_ldap: Added password {crypt}xxxxx in check items ... Processing the authenticate section of radiusd.conf modcall: entering group LDAP_OSIRIS for request 29 rlm_ldap: - authenticate rlm_ldap: login attempt by "saillard" with password "mycleartextpassword" rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1 rlm_ldap: setting TLS mode to 1 rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+ to ldaps://ldapuds.u-strasbg.fr rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: user mylogin authenticated succesfully
See? LDAP "bind as user".
Now with FR 2.1.3, it looks like only the first password attribute is used :
In 2.1.3, the "bind as user" functionality isn't used if the LDAP server returns a "known good" password. ...
[ldap] Added User-Password = {crypt}xxxxx in check items [ldap] Added User-Password = {MD5}xxxxx in check items ... ++[pap] returns updated Found Auth-Type = PAP +- entering group authenticate {...} [pap] login attempt with password "mycleartextpassword" [pap] Using CRYPT encryption. [pap] Passwords don't match
The solution is simple: (1) fix it so that the passwords are NOT returned from LDAP or (2) force "Auth-Type := LDAP" inside of the TTLS tunnel. This might break other things, but it will make the server work the same way as in 1.1.7. Alan DeKok.