PAP: adding support for OpenLDAP and 389ds PBKDF2 passwords
Gerald Vogt
vogt at spamcop.net
Fri Apr 25 11:33:25 UTC 2025
Hi,
I have noticed that our radius server doesn't recognize PBKDF2 passwords
from our freeipa/389ds ldap server.
Picking up from this message last year
https://lists.freeradius.org/pipermail/freeradius-devel/2024-June/014382.html
and seeing that pr #5329
https://github.com/FreeRADIUS/freeradius-server/pull/5329
was closed as stale, I have looked into it and put together something
myself:
https://github.com/gvde/freeradius-server/compare/master...pbkdf-389ds
It's currently against the master branch and I basically only used the
pap module tests to verify it's working. It took me a while to
understand the control flow. I went a slightly different path then
outlined in #5329 but I think it's closer to the other types.
All pap module tests succeed thus I guess it's correct. Tested with
Password.PBKDF2 (which I have implemented for additional support) as
well as Password.With-Header.
We are running 3.2 at the moment thus I would also have to backport it
to 3.2, but as it took a couple of hours to get a working and useful
development environment set up, I don't want to waste any more time on
it if there isn't any interest...
Cheers,
Gerald
More information about the Freeradius-Devel
mailing list