bug in rlm_ldap authorization password handling?
tnt at kalik.net
Tue Nov 17 01:21:02 CET 2009
> I'm a little confused by how rlm_ldap is handling passwords. First let me
> state what I believe to be true, if I'm wrong on any of these
> assumptions please correct me.
They are, sort of, correct.
> Or am I just missing something?
You are looking at rlm_ldap in isolation. rlm_pap will "handle" these "bugs".
> It seems to me there are three bugs:
>
> 1) inserting PW_USER_PASSWORD into config instead of PW_CLEARTEXT_PASSWORD
That will happen in rlm_pap (which should always be listed in authorize).
> 2) not documenting auto_header
It's documented in rlm_pap. You are supposed to use that setting, not the
one in rlm_ldap (I think that one is there for historical reasons).
> 3) if auto_header is enabled not defaulting to clear text if no prefix
> is supplied.
Again, that will happen in rlm_pap. I believe that things are done this
way in rlm_ldap because that code is from the time when User-Password was
used as the password configuration attribute.
I am sure Alan will have a good explanation of why rlm_ldap is left creating
the User-Password attribute on the control list, which rlm_pap then
converts into the appropriate password attribute. My guess is to avoid code
duplication.
Ivan Kalik
Kalik Informatika ISP
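
The header-based normalisation discussed in this thread, sketched as an added example; it is not code from the post or from FreeRADIUS. The header table is an assumed subset, hashed values are assumed to be base64 as in LDAP userPassword, and the names normalize, verify and SAMPLE_SSHA are hypothetical.

```python
import base64
import hashlib
import hmac

# Assumed subset of password headers and the control attribute each maps to.
HEADERS = {
    "{clear}": "Cleartext-Password", "{cleartext}": "Cleartext-Password",
    "{md5}": "MD5-Password", "{smd5}": "SMD5-Password",
    "{sha}": "SHA-Password", "{ssha}": "SSHA-Password",
}
SALTED = {"SMD5-Password", "SSHA-Password"}

def normalize(user_password):
    """Split an LDAP-style password value into (control attribute, value)."""
    end = user_password.find("}")
    if user_password.startswith("{") and end != -1:
        attr = HEADERS.get(user_password[:end + 1].lower())
        if attr:
            return attr, user_password[end + 1:]
    # No header, or one this sketch does not know: treat as clear text
    # (the default asked for in point 3 of the thread).
    return "Cleartext-Password", user_password

def verify(stored, supplied):
    """Check a PAP password against a stored, possibly prefixed, value."""
    attr, value = normalize(stored)
    pw = supplied.encode()
    if attr == "Cleartext-Password":
        return hmac.compare_digest(value.encode(), pw)
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False  # malformed hash: reject rather than fall back
    hash_fn, dlen = (hashlib.md5, 16) if "MD5" in attr else (hashlib.sha1, 20)
    digest, salt = raw[:dlen], raw[dlen:]
    if len(digest) != dlen or bool(salt) != (attr in SALTED):
        return False
    return hmac.compare_digest(hash_fn(pw + salt).digest(), digest)

# Constructed sample value (password "secret", salt "salt"), not from the thread.
SAMPLE_SSHA = "{SSHA}" + base64.b64encode(
    hashlib.sha1(b"secret" + b"salt").digest() + b"salt").decode()

if __name__ == "__main__":
    for stored in ("secret", "{clear}secret", SAMPLE_SSHA, "{SHA}not-base64!"):
        print(normalize(stored)[0], verify(stored, "secret"))
```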