text "files" authentcation fails (2.0.3)

oz oz at bluemonk.de
Fri Jun 6 14:50:46 CEST 2008

First, thanks for supporting anyway!

Alan DeKok wrote:
> oz wrote:
>> I have no idea how to change this Auth-Type.
>   You don't.  You fix the configuration files to use the new recommended
> practice, which started being recommended in version 1.1.4.

If you mean the cistron-compatibilty, I know it is not the recommended 
syntax. But we need this compatibility, because we can't change our 
users-processing at the moment.

I'm sorry that I wasn't aware that "Password" has to be replaced with 
"Cleartext-Password" in 2.x. I read the docu before, but didn't find it 
mentioned explicitly.

>> [/usr/local/etc/raddb/users]:1 Cistron compatibility checks for entry
>> odsl ...
>>         Changing 'Password =' to 'Password =='
>>         Changing 'Huntgroup-Name =' to 'Huntgroup-Name =='
>>         Changing 'Simultaneous-Use =' to 'Simultaneous-Use +='
>   Fix those entries

All I needed to do was replacing

odsl    Password = "XYZ8AB"


odsl    Cleartext-Password = "XYZ8AB"

in my users-file, and it instantly worked!

>   Also, change ALL "Password = ..." or "Password == .." to
> "Cleartext-Password := ..."  See the FAQ for an example.

That was the key and works under "compat = cistron" also.

>> ++[preprocess] returns ok
>> WARNING: Found User-Password == "...".
>> WARNING: Are you sure you don't mean Cleartext-Password?
>> WARNING: See "man rlm_pap" for more information.
>   Could you please try reading the debug output, and following it's
> recommendations?

Yes, that can't be stressed enough! But I did, I just had the 
misunderstanding, that Cleartext-Password means the *value* of User-Password 
- and not is an attribute name by itself. And in "man rlm_pap" 
Cleartext-Password is not mentioned.

>> Do I need rlm_pap now in 2.0.3 for using "files"-authentication?
>> Any ideas, how I can make users/files authentication work again?
>   READ the debug output?

Yes, and I had tried using the pap-module, but with no success. It was the 
wrong direction, as I know now.

>   Honestly.  We don't just say "run in debugging mode" because we want
> the logs to be posted to the list.  YOU need to read the output.  It's
> not hard.  Things like "WARNING" and "read the man page" should indicate
> to most people that maybe reading the "man" page would be a good idea.

True as always. But sometimes debug-logs can be wrong interpreted and need 
additional information.

Now, that I know that "Cleartext-Password" is mandatory in 2.x, I have 
another problem. I can't take the same users-file I use with my other 
1.1.7-Servers without conversion. Freeradius-2.x is in my situation not 
downward-compatible, right?. Is it a dumb idea, to convert  Password --> 
Cleartext-Password in a later release, when "compat = cistron" ist used?
Or to accept both terms, "Password" and "Cleartext-Password"?


More information about the Freeradius-Users mailing list