mel wrote:
In that case, something is *really* wrong with my setup and I have no idea why. I can only authenticate if the password in OpenLDAP is cleartext, but never if it's hashed. debug output, radiud.conf (modules ldap section), sites-enable/default follows.
You have edited the configuration to break it. Don't do that. Again, almost all of the answers here are assuming that you're starting from the default configuration. If you're going to massively edit it and then ask "why is it broken", the answer is simple: your edits broke it.
rlm_ldap: Added SHA1-Password = iEPX+SQWIR3p67lj/0zigSWTKHg= in check items rlm_ldap: looking for check items in directory... rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg="
Note that you are adding the SHA password *twice*. This isn't necessary. In this case, it looks like you've edited ldap.attrmap to map userPassword to User-Password. ...
++[eap] returns noop
And no "pap" module.
auth: type Local auth: user supplied User-Password does NOT match local User-Password
Because it's comparing the {sha}... stuff to the User-Password in the Access-Request. And it's only doing that because you deleted the PAP module from the "authorize" section. ...
### sites-enabled/default ###
authorize { preprocess ldap chap mschap suffix eap #files }
See? You edited that. A lot. And broke it. See the DEBUGGING section of "man radiusd". It explains how to modify the default *working* configuration to something that works on your local site. In this case, I'll bet that all you have to do is: 1) start with the default configuration 2) enable && configure the LDAP module 3) verify that it works. I have *no* idea why so many people install the server, and *immediately* start mangling the default configuration. All of the documentation says DON'T DO THAT. Yet every week, there's someone who does exactly that, and then wonders why the server doesn't work. It's like there's some magic documentation out there that says "randomly change things, and ignore all of the documentation that comes with the server, and all of the advice on the mailing list." I don't know where that magic documentation exists, but it must exist... because a lot of people seem to be reading it. Alan DeKok.