PAP: adding support for OpenLDAP and 389ds PBKDF2 passwords
Alan DeKok
aland at deployingradius.com
Fri Apr 25 12:36:55 UTC 2025
It seems fine on a quick look. If you send a PR we'll review it and merge it in.
The previous PR wasn't merged because it had buffer overflows, and the author didn't fix them.
> On Apr 25, 2025, at 7:33 AM, Gerald Vogt <vogt at spamcop.net> wrote:
>
> Hi,
>
> I have noticed that our radius server doesn't recognize PBKDF2 passwords from our freeipa/389ds ldap server.
>
> Picking up from this message last year
>
> https://lists.freeradius.org/pipermail/freeradius-devel/2024-June/014382.html
>
> and seeing that pr #5329
>
> https://github.com/FreeRADIUS/freeradius-server/pull/5329
>
> was closed as stale, I have looked into it and put together something myself:
>
> https://github.com/gvde/freeradius-server/compare/master...pbkdf-389ds
>
> It's currently against the master branch and I basically only used the pap module tests to verify it's working. It took me a while to understand the control flow. I went a slightly different path then outlined in #5329 but I think it's closer to the other types.
>
> All pap module tests succeed thus I guess it's correct. Tested with Password.PBKDF2 (which I have implemented for additional support) as well as Password.With-Header.
>
> We are running 3.2 at the moment thus I would also have to backport it to 3.2, but as it took a couple of hours to get a working and useful development environment set up, I don't want to waste any more time on it if there isn't any interest...
>
> Cheers,
>
> Gerald
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
More information about the Freeradius-Devel
mailing list