yet ANOTHER EAP-TTLS/PAP with OpenLDAP problem ...
Sylvain Robitaille
syl at alcor.concordia.ca
Sun Mar 30 05:23:31 CEST 2008
On Sat, 29 Mar 2008, Arran Cudbard-Bell wrote:
>> If there's a {ssha} header on the password, then the PAP module should
>> figure it out.
>
> But it doesn't appear to be... you have got the autoheader option set
> in the PAP module?
>
> pap {
>     auto_header = yes
> }
Yes, that's configured.
> *nothing* will work until you get the hash into the correct attribute
> with the header stripped off.
Right. As already noted, radtest against a user entry in our LDAP data
*does* work. I just need to get this working inside the TTLS tunnel.
> Fudging it by creating a static mapping userPassword -> SSHA-Password
> in ldap.attrmap won't work because the header will still be present in
> the hash...
Ok, which suggests that my attempt to use "password_radius_attribute"
(if that parameter still existed) in the ldap configuration would have
still failed, because I was trying to set it to SSHA-Password there.
Alan's suggestion was to map it to User-Password, though, which is where
rlm_pap *would* know how to deal with it.
Thanks, of course, for your continued interest ...
--
----------------------------------------------------------------------
Sylvain Robitaille syl at alcor.concordia.ca
Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
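
The header handling discussed in this message, as an added example that is not part of the original post and is not FreeRADIUS code: an OpenLDAP {SSHA} value is the base64 of SHA1(password + salt) followed by the salt, so a comparison against the raw hash only works once the {SSHA} prefix has been split off. The function names and the sample password and salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value (for the constructed sample)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_header(value: str):
    """'{SSHA}abc' -> ('SSHA', 'abc'); a value with no header -> (None, value)."""
    if value.startswith("{") and "}" in value:
        scheme, body = value[1:].split("}", 1)
        return scheme.upper(), body
    return None, value


def check_ssha_body(body: str, password: bytes) -> bool:
    """Verify against the header-stripped body: base64(SHA1(password + salt) + salt)."""
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError; '{' and '}' are not base64
        return False
    if len(raw) <= SHA1_LEN:  # no salt present, so not a salted SHA-1 value
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(expected, digest)


def check_user_password(value: str, password: bytes) -> bool:
    """Detect the header first, then verify the remaining body."""
    scheme, body = split_header(value)
    return scheme == "SSHA" and check_ssha_body(body, password)


# Constructed sample: what a userPassword attribute holding an SSHA hash looks like.
SAMPLE = make_ssha(b"testing123", b"saltsalt")

if __name__ == "__main__":
    print("userPassword:", SAMPLE)
    print("header detected, then checked:", check_user_password(SAMPLE, b"testing123"))
    print("header left on the hash:", check_ssha_body(SAMPLE, b"testing123"))
```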