LDAP backend and Password Encryption

Alan DeKok aland at deployingradius.com
Mon Aug 18 16:41:46 CEST 2008


Phillip Heller wrote:
> I'm using the Centos Directory Server, which defaults to SSHA encryption
> on the userPassword attribute.

  That should work.

> It would seem that freeradius does not authenticate against SSHA.  I did
> try a few other encryption policies (crypt, md5) and set the
> password_header value appropriately.

  In the LDAP module?  That configuration is deprecated, and isn't even
documented in 2.0.5.

  What is the output of debugging mode?

  If the contents of the "userPassword" field are just the SSHA hash,
you will have to tell FreeRADIUS that the field is the SSHA hash.
Otherwise, it has no idea.

  In general, it's best to use the {ssha} header in the userPassword
field.  The LDAP server should handle it fine, and FreeRADIUS will use
it to Just Do the Right Thing.

  Alan DeKok.
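
Added example, not part of the original message and not FreeRADIUS code: a verifier showing why the {ssha} header matters. It assumes the common LDAP SSHA layout, base64(SHA1(password + salt) + salt) with a 20-byte digest; the function names and the sample value are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build a userPassword value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(value: str):
    """Return (scheme, payload); scheme is None when there is no {..} header."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].lower(), value[end + 1:]
    return None, value


def check_password(stored: str, candidate: bytes) -> bool:
    """Verify candidate against a stored userPassword value with a scheme header."""
    scheme, payload = split_scheme(stored)
    if scheme is None:
        # Bare hash: nothing in the value says which algorithm produced it,
        # so the verifier would have to be told the hash type out of band.
        raise ValueError("no scheme header; hash type must be configured explicitly")
    if scheme != "ssha":
        raise ValueError(f"scheme {scheme!r} not handled in this example")
    raw = base64.b64decode(payload, validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("SSHA payload too short to contain a salt")
    # The salt is whatever follows the fixed-length digest.
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(candidate + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


# Constructed sample value, not taken from any real directory.
SAMPLE = make_ssha(b"correct horse", b"\x01\x02\x03\x04")

if __name__ == "__main__":
    print(SAMPLE)
    print(check_password(SAMPLE, b"correct horse"))
```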


