1.1.7, ldap and auth-type
Phil Mayers
p.mayers at imperial.ac.uk
Mon Aug 27 15:28:53 CEST 2007
On Mon, 2007-08-27 at 13:56 +0200, Ivan Lago wrote:
> I tried to make it explicit, but it did not work.
> Anyway that parameter is defaulted to yes, as you said, but it's
> being ignored. Here is a dump of the loading of the module at server
> startup, without adding the set_auth_type explicitly :
Ah, ok, I see what's happening.
The reason this has changed is: looking at the 1.1.7 rlm_ldap code, a
new "should we set auth-type" check is used:
    if (inst->set_auth_type &&
        (pairfind(*check_pairs, PW_AUTH_TYPE) == NULL) &&
        request->password &&
        (request->password->attribute == PW_USER_PASSWORD) &&
        !added_known_password) {
            pairadd(check_pairs, pairmake("Auth-Type", inst->xlat_name,
                                          T_OP_EQ));
            DEBUG("rlm_ldap: Setting Auth-Type = %s", inst->xlat_name);
    }
That is, the module will only set Auth-Type to itself if all of the
following are true:
* the module is set to do this
* there's no auth-type already set
* there's a User-Password in the request
* the LDAP module didn't add a Cleartext-Password to the config items
That last is the problem - from your original mail:
rlm_ldap: performing search in ou=Network,dc=ifom-ieo-campus,dc=it,
with filter (macAddress=00:17:f2:f5:2b:da)
rlm_ldap: Added password 00:17:f2:f5:2b:da in check items
So, you've two options:
1. Update the LDAP directory to contain the correct plaintext password,
configure "set_auth_type = no" and add the pap module to authorize and
authenticate:
    authorize {
        preprocess
        ...blah
        redundant {
            macbypass1
            macbypass2
        }
        # MUST go last...
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        ...etc.
    }
2. Since it's wrong anyway (00:11:22:33:44:55 != 001122334455), either
remove the plaintext password from the LDAP directory or remove the
"password_attribute" config item from the module instance.
Why *are* you copying a "wrong" password from LDAP to the config items?
How is the LDAP server authenticating them?
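As an added illustration (not FreeRADIUS code, and not part of the original mail), the following stand-alone C program models the four-condition check quoted above so the "LDAP added a password, so no Auth-Type" case from the thread can be reproduced in isolation. The struct and function names (ldap_request, ldap_should_set_auth_type, ldap_auth_type_blocker) are hypothetical stand-ins for the real rlm_ldap instance and request structures, and the sample requests are constructed.

```c
/* Added example, not FreeRADIUS source: a model of the rlm_ldap 1.1.7
 * "should we set Auth-Type" decision. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Stand-ins for the request->password->attribute values the check looks at. */
enum attr { ATTR_NONE = 0, ATTR_USER_PASSWORD, ATTR_CHAP_PASSWORD };

struct ldap_request {
    bool set_auth_type;        /* module config item set_auth_type (defaults to yes) */
    bool auth_type_in_check;   /* pairfind(*check_pairs, PW_AUTH_TYPE) != NULL */
    enum attr password_attr;   /* request->password->attribute, ATTR_NONE if absent */
    bool added_known_password; /* module copied password_attribute into check items */
};

/* Mirrors the if-condition: true when rlm_ldap would add Auth-Type = <instance>. */
bool ldap_should_set_auth_type(const struct ldap_request *r)
{
    return r->set_auth_type
        && !r->auth_type_in_check
        && r->password_attr == ATTR_USER_PASSWORD
        && !r->added_known_password;
}

/* Names the first condition that blocks Auth-Type, or "ok" when none does. */
const char *ldap_auth_type_blocker(const struct ldap_request *r)
{
    if (!r->set_auth_type)
        return "set_auth_type = no";
    if (r->auth_type_in_check)
        return "Auth-Type already in check items";
    if (r->password_attr != ATTR_USER_PASSWORD)
        return "no User-Password in request";
    if (r->added_known_password)
        return "password_attribute copied to check items";
    return "ok";
}

static void report(const char *label, const struct ldap_request *r)
{
    printf("%-22s blocker: %-40s Auth-Type %s\n", label,
           ldap_auth_type_blocker(r),
           ldap_should_set_auth_type(r) ? "set" : "NOT set");
}

int main(void)
{
    /* Constructed case from the thread: User-Password present, no Auth-Type yet,
     * but the module added the LDAP password to the check items. */
    struct ldap_request from_thread = {
        .set_auth_type = true, .auth_type_in_check = false,
        .password_attr = ATTR_USER_PASSWORD, .added_known_password = true,
    };
    /* Option 2 from the mail: password_attribute removed, nothing gets copied. */
    struct ldap_request no_password_attr = from_thread;
    no_password_attr.added_known_password = false;
    /* Option 1 from the mail: set_auth_type = no, pap decides instead. */
    struct ldap_request pap_decides = no_password_attr;
    pap_decides.set_auth_type = false;

    report("thread case", &from_thread);
    report("no password_attribute", &no_password_attr);
    report("set_auth_type = no", &pap_decides);
    return 0;
}
```

Running it shows that only the request without a copied password ends up with Auth-Type set by rlm_ldap; in the other two cases some other module (pap in option 1) has to supply it.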