Using an LDAP attribute value as the complete HA1 digest string

Alan abaker at cliquecom.com
Tue Mar 21 17:08:20 CET 2006


I would like to use encrypted passwords stored as an attribute value in
LDAP. How can I tell the rlm_digest driver to use the complete User-Password
attribute value as the full Digest-HA1 string? Instead it takes the value
and appends it to the end of the A1 string. Please help.

~Alan



--

This hash value placed in the LDAP User-Password attribute:

$ echo -n 'alan:sip.host.com:test' | md5sum
eeee888a05bbdb4b18a5ab5abd3b37c2



Authentication from a SIP server to FreeRadius rlm_ldap and rlm_digest
modules:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for alan
radius_xlat:  '(uid=alan)'
radius_xlat:  'ou=People,o=host.com,o=isp'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,o=host.com,o=isp, with filter (uid=alan)
rlm_ldap: Added password eeee888a05bbdb4b18a5ab5abd3b37c2 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user alan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3634
modcall: leaving group authorize (returns ok) for request 3634
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3634
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-User-Name = "alan"
        Digest-Realm = "sip.host.com"
        Digest-Nonce = "44202102581bdded7ea02108890770e6ad22e27e"
        Digest-URI = "sip:sip.host.com"
        Digest-Method = "REGISTER"
A1 = alan:sip.host.com:eeee888a05bbdb4b18a5ab5abd3b37c2
A2 = REGISTER:sip:sip.host.com
KD = 263c616981c1331d745557f8c7685613:442025f0efb6eb92635e3b938327dfee91ea8b12:f08bbaef30f8f1f7c252330c693a3bb3
rlm_digest: FAILED authentication
  modcall[authenticate]: module "digest" returns reject for request 3634
modcall: leaving group authenticate (returns reject) for request 3634
auth: Failed to validate the user.
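
Added example, not part of the original post and not FreeRADIUS code: a minimal RFC 2617 digest check (no-qop form, matching the three-part KD in the log) showing why a stored HA1 fails when the verifier treats it as a cleartext password and hashes it into A1 again. The function names are hypothetical; the user, realm, password, nonce, method and URI are the values from the post, and the client response is constructed.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1_from_password(user: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password)
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    # No-qop form: response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def check_as_cleartext(stored, user, realm, nonce, method, uri, response) -> bool:
    # Stored value is hashed again as if it were the password
    # (this is what the "A1 = alan:sip.host.com:eeee..." log line shows).
    ha1 = ha1_from_password(user, realm, stored)
    return hmac.compare_digest(digest_response(ha1, nonce, method, uri), response)


def check_as_ha1(stored, nonce, method, uri, response) -> bool:
    # Stored value is used directly as HA1, with no second hashing step.
    return hmac.compare_digest(digest_response(stored, nonce, method, uri), response)


def demo() -> dict:
    user, realm, password = "alan", "sip.host.com", "test"
    nonce = "44202102581bdded7ea02108890770e6ad22e27e"
    method, uri = "REGISTER", "sip:sip.host.com"
    stored = ha1_from_password(user, realm, password)  # directory holds HA1
    # Constructed client response: what a client that knows the password sends.
    response = digest_response(stored, nonce, method, uri)
    args = (nonce, method, uri, response)
    return {
        "stored_ha1_treated_as_cleartext": check_as_cleartext(stored, user, realm, *args),
        "stored_ha1_used_as_ha1": check_as_ha1(stored, *args),
        "cleartext_password": check_as_cleartext(password, user, realm, *args),
    }


if __name__ == "__main__":
    print(demo())
```

A stored HA1 is sufficient on its own to compute valid responses for that user and realm, so the directory attribute holding it needs the same access controls as a cleartext password.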









More information about the Freeradius-Users mailing list