PAP: adding support for OpenLDAP and 389ds PBKDF2 passwords

Gerald Vogt vogt at spamcop.net
Fri Apr 25 11:33:25 UTC 2025


Hi,

I have noticed that our radius server doesn't recognize PBKDF2 passwords 
from our freeipa/389ds ldap server.

Picking up from this message last year

https://lists.freeradius.org/pipermail/freeradius-devel/2024-June/014382.html

and seeing that pr #5329

  https://github.com/FreeRADIUS/freeradius-server/pull/5329

was closed as stale, I have looked into it and put together something 
myself:

https://github.com/gvde/freeradius-server/compare/master...pbkdf-389ds

It's currently against the master branch and I basically only used the 
pap module tests to verify it's working. It took me a while to 
understand the control flow. I went a slightly different path then 
outlined in #5329 but I think it's closer to the other types.

All pap module tests succeed thus I guess it's correct. Tested with 
Password.PBKDF2 (which I have implemented for additional support) as 
well as Password.With-Header.

We are running 3.2 at the moment thus I would also have to backport it 
to 3.2, but as it took a couple of hours to get a working and useful 
development environment set up, I don't want to waste any more time on 
it if there isn't any interest...

Cheers,

Gerald


More information about the Freeradius-Devel mailing list