PAP: adding support for OpenLDAP and 389ds PBKDF2 passwords
Alan DeKok
aland at deployingradius.com
Mon Jun 3 13:11:30 UTC 2024
On Jun 3, 2024, at 6:11 AM, Oliver Lorenz <dev at lrnz.at> wrote:
> While testing LDAP authentication with FreeIPA, I noticed PAP complained about no "known good" password found for the user. After looking into it, I saw that the Password.With-Header attribute has an unknown header. PAP rewrote it to Cleartext and obviously failed to verify it.
>
> Below is a patch to make authentication work. The additional password type was necessary because password_process_header in password.c always strips the header it finds, which sucks for OpenLDAP and 389ds passwords because they encode the hash algorithm there.
>
> I would really appreciate it if somebody could provide some feedback. Since it's such a massive codebase, chances are that I'm doing it (very) wrong.
I think it looks mostly OK. Can you submit a PR to GitHub? Or at least send a tar / zip file to me off-list. Patches tend to get mangled when they get sent as in-line text in email.
Alan DeKok.
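
Added example (not from the thread and not FreeRADIUS code): why a PBKDF2 value has to keep its header until it is verified. It assumes the `{HEADER}iterations$salt$hash` layout with adapted base64 used by OpenLDAP's pw-pbkdf2 module; the 389ds layout is not modelled, and all function names are hypothetical.

```python
import base64, hashlib, hmac, re

# Assumed header -> digest mapping for the OpenLDAP pw-pbkdf2 layout.
SCHEMES = {"PBKDF2": "sha1", "PBKDF2-SHA1": "sha1",
           "PBKDF2-SHA256": "sha256", "PBKDF2-SHA512": "sha512"}

def ab64_encode(raw):
    """Adapted base64: '.' replaces '+', padding is omitted."""
    return base64.b64encode(raw).decode().replace("+", ".").rstrip("=")

def ab64_decode(text):
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))

def split_header(value):
    """Return (HEADER, body), or (None, value) when there is no {header}."""
    m = re.fullmatch(r"\{([^}]+)\}(.*)", value, re.S)
    return (m.group(1).upper(), m.group(2)) if m else (None, value)

def make_entry(header, password, salt, iterations):
    """Build a constructed sample entry for the demonstration."""
    dk = hashlib.pbkdf2_hmac(SCHEMES[header], password.encode(), salt, iterations)
    return "{%s}%d$%s$%s" % (header, iterations, ab64_encode(salt), ab64_encode(dk))

def verify(stored, candidate):
    header, body = split_header(stored)
    if header is None:
        # Nothing marks the value as a hash, so it can only be compared
        # as cleartext. This is the failure described in the thread.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    if header not in SCHEMES:
        raise ValueError("unknown password header: " + header)
    iterations, salt, expected = body.split("$")
    salt, expected = ab64_decode(salt), ab64_decode(expected)
    dk = hashlib.pbkdf2_hmac(SCHEMES[header], candidate.encode(), salt,
                             int(iterations), len(expected))
    return hmac.compare_digest(dk, expected)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    entry = make_entry("PBKDF2-SHA256", "correct horse", b"constructed-salt", 1000)
    stripped = split_header(entry)[1]
    print("with header:    ", verify(entry, "correct horse"))
    print("header stripped:", verify(stripped, "correct horse"))
```
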