PAP authentication and multiple LDAP userpassword attributes
    Alan DeKok
    aland at deployingradius.com
    Mon Feb  9 17:48:22 CET 2009

Christophe Saillard wrote:
> I'm working on upgrading from FR 1.1.7 to FR 2.1.3.
> 
> I use FR for EAP-TTLS/PAP authentication with LDAP.
> 
> FR 1.1.7 successfully authenticates users with multiple LDAP userpassword
> attributes which are stored with crypt and/or MD5 hash, the passwords
> are not the same (even if it's better if they are):
  No.  In 1.1.7, the server is doing LDAP "bind as user" for
authentication.  It is *completely* ignoring the crypt/MD5 passwords.
...
> rlm_ldap: Added password {MD5}xxxxx in check items
> rlm_ldap: Added password {crypt}xxxxx in check items
...
>   Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP_OSIRIS for request 29
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "saillard" with password "mycleartextpassword"
> rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
> rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+
> to ldaps://ldapuds.u-strasbg.fr
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user mylogin authenticated succesfully
  See?  LDAP "bind as user".
> Now with FR 2.1.3, it looks like only the first password attribute is
> used :
  In 2.1.3, the "bind as user" functionality isn't used if the LDAP
server returns a "known good" password.
...
> [ldap] Added User-Password = {crypt}xxxxx in check items
> [ldap] Added User-Password = {MD5}xxxxx in check items
...
> ++[pap] returns updated
> Found Auth-Type = PAP
> +- entering group authenticate {...}
> [pap] login attempt with password "mycleartextpassword"
> [pap] Using CRYPT encryption.
> [pap] Passwords don't match
  The solution is simple:
  (1) fix it so that the passwords are NOT returned from LDAP
or
  (2) force "Auth-Type := LDAP" inside of the TTLS tunnel.  This might
break other things, but it will make the server work the same way as in
1.1.7.
  Alan DeKok.
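As an added configuration example, not part of Alan's reply, here is option (2) applied to the FreeRADIUS 2.x inner-tunnel virtual server. It assumes the stock 2.x `sites-enabled/inner-tunnel` layout and an rlm_ldap instance named `ldap` (the quoted debug output uses an instance called LDAP_OSIRIS; substitute the real name).

```unlang
# sites-enabled/inner-tunnel  (FreeRADIUS 2.x, trimmed to the relevant parts)
# Assumption: the rlm_ldap instance is called "ldap"; replace it with the
# instance name used in the real config (LDAP_OSIRIS in the quoted output).

authorize {
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap

    # rlm_ldap looks the user up and, because the bind account can read
    # userPassword, also adds the first {crypt}/{MD5} value as a check item.
    ldap

    # Force "bind as user" for anyone rlm_ldap found, before rlm_pap gets a
    # chance to set Auth-Type := PAP from the returned hash.  Auth-Type is
    # only forced when ldap returned ok/updated, so unknown users still take
    # the normal rejection path instead of a doomed bind.
    if (ok || updated) {
        update control {
            Auth-Type := LDAP
        }
    }

    # pap now returns noop for these users: Auth-Type is already set.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }

    # Uncommented from the stock file: this is what "Auth-Type := LDAP"
    # dispatches to, and rlm_ldap's authenticate method is the LDAP bind.
    Auth-Type LDAP {
        ldap
    }

    eap
}
```

Option (1) from the reply is an LDAP-side change instead: deny the RADIUS bind DN read access to userPassword, so rlm_ldap never adds a check item and the server falls back to the bind as before.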