PAP: adding support for OpenLDAP and 389ds PBKDF2 passwords

Alan DeKok aland at deployingradius.com
Fri Apr 25 12:36:55 UTC 2025


  It seems fine on a quick look.  If you send a PR we'll review it and merge it in.

  The previous PR wasn't merged because it had buffer overflows, and the author didn't fix them.

> On Apr 25, 2025, at 7:33 AM, Gerald Vogt <vogt at spamcop.net> wrote:
> 
> Hi,
> 
> I have noticed that our radius server doesn't recognize PBKDF2 passwords from our freeipa/389ds ldap server.
> 
> Picking up from this message last year
> 
> https://lists.freeradius.org/pipermail/freeradius-devel/2024-June/014382.html
> 
> and seeing that pr #5329
> 
> https://github.com/FreeRADIUS/freeradius-server/pull/5329
> 
> was closed as stale, I have looked into it and put together something myself:
> 
> https://github.com/gvde/freeradius-server/compare/master...pbkdf-389ds
> 
> It's currently against the master branch and I basically only used the pap module tests to verify it's working. It took me a while to understand the control flow. I went a slightly different path then outlined in #5329 but I think it's closer to the other types.
> 
> All pap module tests succeed thus I guess it's correct. Tested with Password.PBKDF2 (which I have implemented for additional support) as well as Password.With-Header.
> 
> We are running 3.2 at the moment thus I would also have to backport it to 3.2, but as it took a couple of hours to get a working and useful development environment set up, I don't want to waste any more time on it if there isn't any interest...
> 
> Cheers,
> 
> Gerald
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html



More information about the Freeradius-Devel mailing list