Issue with PAP/LDAP authentication after upgrade FR 2.0.5 to FR 2.1.1
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Wed Dec 3 15:55:52 CET 2008
Hi Gurus,
I've just (auto)updated my FR from 2.0.5 to 2.1.1 and some
authentications stopped working.
For these specific authentications the ldap module is used to retrieve
the password from LDAP (hashed with MD5 or CRYPT, ...), and then PAP is
used to compare the passwords (auto_header is turned on in the pap module).
Before 2.1.1 everything was working.
After 2.1.1, I get Authentication Failures because passwords don't match.
I've analysed the debug log and I wonder if the auto_header of the pap
module is really working!
Here is an abstract of the radius debug logs (usernames, passwords, and
IP addresses have been obfuscated):
rad_recv: Access-Request packet from host 10.1.1.1 port 54251, id=6, length=94
User-Name = "username"
User-Password = "USERPASSWD"
NAS-IP-Address = 10.1.1.1
NAS-Port = 6
Service-Type = Dialout-Framed-User
Calling-Station-Id = "10.1.1.10"
NAS-Identifier = "OpenVpn"
NAS-Port-Type = Virtual
server mycompany-vpn-perso-ovpn {
+- entering group authorize {...}
++[preprocess] returns ok
...
[files_mycompany_vpn_perso_ovpn] users: Matched entry DEFAULT at line 2
...
++[files_mycompany_vpn_perso_ovpn] returns ok
++- entering policy redundant {...}
[ldap1] performing user authorization for username
[ldap1] expand: %{Stripped-User-Name} ->
[ldap1] expand: %{User-Name} -> username
[ldap1] expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(MyCompany-AccountStatus=active)) -> (&(uid=username)(MyCompany-AccountStatus=active))
[ldap1] expand: dc=mycompany, dc=fr -> dc=mycompany, dc=fr
..
rlm_ldap: extracted attribute Pool-Name from generic item
Pool-Name:=Ovpn_Main_Pool
[ldap1] Added User-Password = {MD5}/9sLgyXJRml0Lds4xd6rOg== in check items
[ldap1] looking for check items in directory...
rlm_ldap: mycompanyNTPassword -> NT-Password == 0xe0b531f2a8a5cb7ecd2b4951b1d79E1d
[ldap1] looking for reply items in directory...
[ldap1] user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap1] returns ok
++- policy redundant returns ok
...
==> Until this line everything is OK: the userPassword attribute is
added to User-Password because I have the line "password_attribute =
userPassword" uncommented in my ldap module setup. Note also that I have
the password in NT-hashed format as well, but I don't intend to use it
in this particular authentication process.
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.        !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "USERPASSWD"
[pap] Using clear text password "{MD5}/9sLgyXJRml0Lds4xd6rOg=="
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
} # server mycompany-vpn-perso-ovpn
Using Post-Auth-Type Reject
==> I have no reference to the User-Password attribute in my setup
(either in the "users" file or in the radiusprofile taken from the ldap
directory). It seems like the ldap module adds the User-Password
attribute and then the PAP module decides to change it to
Cleartext-Password instead of processing the auto_header feature and
setting the MD5-Password.
What do you think?
Is there somewhere in my setup where I could have broken the normal FR
processing?
Many thanks in advance,
Thibault
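The behaviour the post expects from the pap module (auto_header recognising a "{MD5}..." or "{SSHA}..." prefix, decoding it, and comparing a digest of the login attempt instead of the raw string) is easy to reproduce outside FreeRADIUS. The Python below is an added illustration written for this page, not rlm_pap's code and not the poster's configuration. It assumes the LDAP convention used in the log above (header in braces, payload base64, salted digests stored as digest||salt); CRYPT-style values are deliberately not handled because Python's crypt module has been removed. The stored value for "secret" is constructed for the example; the NT-Password and {MD5} value from the log are not reused.

```python
import base64
import hashlib
import hmac
import os
import re

# Header -> hashlib name for unsalted digests ({MD5}, {SHA}, ...) and for
# salted ones ({SMD5}, {SSHA}, ...). Assumed set for the example; CRYPT omitted.
_PLAIN_DIGESTS = {"MD5": "md5", "SHA": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
_SALTED_DIGESTS = {"SMD5": "md5", "SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}

_HEADER_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)


def split_header(stored):
    """Return (HEADER, payload) for '{MD5}...' style values, else (None, stored)."""
    m = _HEADER_RE.match(stored)
    if not m:
        return None, stored
    return m.group(1).upper(), m.group(2)


def naive_cleartext_check(stored, candidate):
    """What the log above shows: the stored value is treated as Cleartext-Password,
    so '{MD5}...' is compared byte-for-byte against the typed password and fails."""
    return hmac.compare_digest(stored.encode(), candidate.encode())


def auto_header_check(stored, candidate):
    """What auto_header is meant to do: detect the header, decode the payload,
    hash the login attempt the same way and compare digests in constant time."""
    header, payload = split_header(stored)
    if header is None or header == "CLEAR":
        return hmac.compare_digest(payload.encode(), candidate.encode())
    raw = base64.b64decode(payload)
    if header in _PLAIN_DIGESTS:
        calc = hashlib.new(_PLAIN_DIGESTS[header], candidate.encode()).digest()
        return hmac.compare_digest(calc, raw)
    if header in _SALTED_DIGESTS:
        size = hashlib.new(_SALTED_DIGESTS[header]).digest_size
        digest, salt = raw[:size], raw[size:]  # OpenLDAP layout: digest then salt
        calc = hashlib.new(_SALTED_DIGESTS[header], candidate.encode() + salt).digest()
        return hmac.compare_digest(calc, digest)
    raise ValueError("unsupported password header {%s}" % header)


def make_hashed(password, header="MD5", salt=None):
    """Produce a directory-style value such as '{SSHA}...' for a known password
    (used here only to build constructed test data)."""
    header = header.upper()
    if header in _PLAIN_DIGESTS:
        raw = hashlib.new(_PLAIN_DIGESTS[header], password.encode()).digest()
    elif header in _SALTED_DIGESTS:
        salt = os.urandom(8) if salt is None else salt
        raw = hashlib.new(_SALTED_DIGESTS[header], password.encode() + salt).digest() + salt
    else:
        raise ValueError("unsupported password header {%s}" % header)
    return "{%s}%s" % (header, base64.b64encode(raw).decode())


def demo():
    """Replay the situation from the post with constructed data: the same stored
    value rejects the correct password when treated as cleartext and accepts it
    when the header is honoured."""
    stored = "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="  # constructed: {MD5} of "secret"
    return {
        "as_cleartext": naive_cleartext_check(stored, "secret"),
        "with_auto_header": auto_header_check(stored, "secret"),
        "wrong_password": auto_header_check(stored, "Secret"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-17s -> %s" % (name, "match" if ok else "no match"))
```

Running it prints "no match" for the cleartext comparison and "match" for the header-aware one, which is exactly the gap between the two pap code paths visible in the debug output: once the value has been relabelled Cleartext-Password, no header parsing happens and the comparison can only fail.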