rlm_ldap ignores password_radius_attribute
Alexander Clouter
alex at digriz.org.uk
Mon Apr 26 12:00:36 CEST 2010
Hi,
Looks like the rlm_ldap module ignores 'password_radius_attribute'[1] so
something like the following completely untested patch is needed. The
Novhell eDirectory code probably needs tweaking also to honour this
variable, or alternatively remove 'password_radius_attribute' altogether
and make:
----
int attr = PW_CLEARTEXT_PASSWORD;
----
Something needs to be done, otherwise there is no way to deal with:
----
[ldap_local] performing user authorization for 0021040f7c04
[ldap_local] expand: (&(objectClass=ieee802Device)(cn=%{Stripped-User-Name})) -> (&(objectClass=ieee802Device)(cn=0021040f7c04))
[ldap_local] expand: ou=comms,o=soas -> ou=comms,o=soas
[ldap_local] ldap_get_conn: Checking Id: 0
[ldap_local] ldap_get_conn: Got Id: 0
[ldap_local] performing search in ou=comms,o=soas, with filter (&(objectClass=ieee802Device)(cn=0021040f7c04))
[ldap_local] Added User-Password = <AHEM> in check items
[ldap_local] No default NMAS login sequence
[ldap_local] looking for check items in directory...
[ldap_local] looking for reply items in directory...
[ldap_local] user 0021040f7c04 authorized to use remote access
[ldap_local] ldap_release_conn: Release Id: 0
+++[ldap_local] returns ok
++- if (Stripped-User-Name =~ /^[0-9a-f]{12}$/) returns ok
++ ... skipping else for request 2048: Preceding "if" was taken
Found Auth-Type = digest
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[digest] rlm_digest: Converting Digest-Attributes to something sane...
Digest-User-Name = "0021040f7c04"
Digest-Realm = "soas.ac.uk"
Digest-Nonce = <AHEM>
Digest-URI = "sip:soas.ac.uk"
Digest-Method = "REGISTER"
----
Cheers
[1] http://wiki.freeradius.org/Rlm_ldap
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index 133bcb6..0155aa4 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -148,6 +148,7 @@ typedef struct {
char *access_attr;
char *passwd_hdr;
char *passwd_attr;
+ char *passwd_rad_attr;
int auto_header;
char *dictionary_mapping;
char *groupname_attr;
@@ -263,6 +264,8 @@ static const CONF_PARSER module_config[] = {
offsetof(ldap_instance,passwd_hdr), NULL, NULL},
{"password_attribute", PW_TYPE_STRING_PTR,
offsetof(ldap_instance,passwd_attr), NULL, NULL},
+ {"password_radius_attribute", PW_TYPE_STRING_PTR,
+ offsetof(ldap_instance,passwd_rad_attr), NULL, NULL},
{"auto_header", PW_TYPE_BOOLEAN,
offsetof(ldap_instance,auto_header), NULL, "no"},
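Review bot: the new password_radius_attribute entry is given a NULL default, so the attribute used when the option is unset is decided by a ternary in ldap_authorize rather than in this table. Giving the entry a string default, the way auto_header carries "no" just below it, would keep the default in one place and remove the need for the NULL test. The option should also be documented in the sample configuration for the module so the default is visible to administrators.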
@@ -1497,7 +1500,9 @@ static int ldap_authorize(void *instance, REQUEST * request)
if (passwd_vals) for (i = 0;
passwd_vals[i] != NULL;
i++) {
- int attr = PW_USER_PASSWORD;
+ int attr = (inst->passwd_rad_attr)
+ ? dict_attrbyname(inst->passwd_rad_attr)
+ : PW_USER_PASSWORD; /* should this not default to now PW_CLEARTEXT_PASSWORD */
if (strlen(passwd_vals[i]) == 0)
continue;
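Review bot: the result of dict_attrbyname(inst->passwd_rad_attr) goes straight into the initialiser of int attr with no check that the configured name exists in the dictionary. dict_attrbyname() returns a DICT_ATTR pointer, NULL for an unknown name, so this needs to take the ->attr member of the result and either fall back or reject the configuration when the lookup fails. The lookup also runs for every password value on every request; resolving the name once at instantiation and storing the integer in the instance would be cheaper and would surface a typo in password_radius_attribute at startup instead of at authorization time. The question left in the trailing comment about defaulting to PW_CLEARTEXT_PASSWORD should be settled before this is applied rather than carried in the code.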