Freeradius and OpenLDAP authentication with hashed passwords

Alan DeKok aland at deployingradius.com
Tue Apr 1 09:50:37 CEST 2008


mel wrote:
> In that case, something is *really* wrong with my setup and I have no
> idea why. I can only authenticate if the password in OpenLDAP is
> cleartext, but never if it's hashed. debug output, radiud.conf (modules
> ldap section), sites-enable/default follows.

  You have edited the configuration to break it.  Don't do that.

  Again, almost all of the answers here are assuming that you're
starting from the default configuration.  If you're going to massively
edit it and then ask "why is it broken", the answer is simple: your
edits broke it.

> rlm_ldap: Added SHA1-Password = iEPX+SQWIR3p67lj/0zigSWTKHg= in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password
> == "{SHA}iEPX+SQWIR3p67lj/0zigSWTKHg="

  Note that you are adding the SHA password *twice*.  This isn't necessary.

  In this case, it looks like you've edited ldap.attrmap to map
userPassword to User-Password.

...
> ++[eap] returns noop

  And no "pap" module.

> auth: type Local
> auth: user supplied User-Password does NOT match local User-Password

  Because it's comparing the {sha}... stuff to the User-Password in the
Access-Request.  And it's only doing that because you deleted the PAP
module from the "authorize" section.
...
> ### sites-enabled/default ###
> 
> authorize {
>     preprocess
>     ldap
>     chap
>     mschap
>     suffix
>     eap
>     #files
> }

  See?  You edited that.  A lot.  And broke it.

  See the DEBUGGING section of "man radiusd".  It explains how to modify
the default *working* configuration to something that works on your
local site.

  In this case, I'll bet that all you have to do is:

 1) start with the default configuration
 2) enable && configure the LDAP module
 3) verify that it works.

  I have *no* idea why so many people install the server, and
*immediately* start mangling the default configuration.  All of the
documentation says DON'T DO THAT.  Yet every week, there's someone who
does exactly that, and then wonders why the server doesn't work.

  It's like there's some magic documentation out there that says
"randomly change things, and ignore all of the documentation that comes
with the server, and all of the advice on the mailing list."  I don't
know where that magic documentation exists, but it must exist... because
a lot of people seem to be reading it.

  Alan DeKok.
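An added illustration (not from this thread or from FreeRADIUS itself) of the two comparisons described above: the broken path, where the hashed userPassword is mapped straight to User-Password and string-compared against the cleartext in the Access-Request, and the check rlm_pap performs for a SHA1-Password/SSHA-Password check item. The password and salt are constructed sample values; the function names are my own.

```python
import base64
import hashlib
import hmac
import os

SHA1_DIGEST_LEN = 20  # a SHA-1 digest is 20 bytes; in {SSHA} the salt follows it


def make_sha_userpassword(password: str) -> str:
    """Build an LDAP userPassword value in the {SHA} scheme (constructed sample)."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def make_ssha_userpassword(password: str, salt=None) -> str:
    """Build a {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def naive_compare(stored: str, supplied: str) -> bool:
    """The failing case from the debug log: with userPassword mapped to
    User-Password and no pap module in authorize, the server compares the
    literal '{SHA}...' string to the cleartext password, which never matches."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def verify_userpassword(stored: str, supplied: str) -> bool:
    """What pap does instead: hash the supplied cleartext with the scheme
    named by the prefix and compare digests in constant time."""
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        actual = hashlib.sha1(supplied.encode()).digest()
        return hmac.compare_digest(expected, actual)
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = blob[:SHA1_DIGEST_LEN], blob[SHA1_DIGEST_LEN:]
        actual = hashlib.sha1(supplied.encode() + salt).digest()
        return hmac.compare_digest(expected, actual)
    # Unknown or missing scheme prefix: reject rather than guess a cleartext compare.
    return False
```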
