"known good" error

Thu Sep 24 14:16:34 CEST 2009

Thanks Ivan for your reply. Here is the ldap configuration section:

ldap {
server = "x.x.x.x"
identity = "cn=username"
password = password
basedn = "ou=email,o=data,c=eg"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
password_header = "{CRYPT}"
ldap_connections_number = 100
timeout = 15
timelimit = 10
net_timeout = 5

tls {
start_tls = no
}

profile_attribute = "radiusProfileDn"
         access_attr = "dialupAccess"
dictionary_mapping = ${confdir}/ldap.attrmap
password_attribute = radiususerPassword
}

and here is the debug message

++[ldap] returns ok
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "123456"
[pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> username
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0

Thanks for your support.
Wessam

On Thu, Sep 24, 2009 at 1:37 PM, Ivan Kalik <tnt at kalik.net> wrote:

> >    I decided to install free radius 2.1.6-2 to test it and then to
> upgrade
> > my existing versions in my servers. I configured my free radius to use
> > ldap.
> > When I tried to authenticate from the new radius it gave me the following
> > message "from radius -X".
> >
> >  Replacing User-Password in config items with Cleartext-Password.     !!!
> >
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> > !!! Please update your configuration so that the "known good"
> > !!!
> > !!! clear text password is in Cleartext-Password, and not in
> > User-Password.
> > !!!
> >
> >
> > Note that when I wrote the password encrypted  "like
> > *%@&ksjd%@sdgsadgjhsb"
> > I was able to login but when I wrote the password in clear text  "like
> > test"
> > I failed to login.
>
> Password in ldap probably has a header. You can ignore the message then,
> because server will convert User-Password to appropriate password
> attribute on it's own (Crypt-Password for {crypt}, SHA-Password for {sha}
> etc.) if auto-header is enabled. Post the whole debug.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090924/d8415b18/attachment.html>