rlm-ldap error for chap

John Dennis jdennis at redhat.com
Wed Feb 24 19:09:48 CET 2010

I owe you an apology, I said not to edit /etc/raddb/ldap.attrmap, but 
you do. I always forget that the clear text password mapping is not in 
ldap.attrmap by default, I assume that because of the inherent security 
risks. By forcing you to add it you'll be forcefully aware of what 
you've done. Here's the issue, you don't want unprivileged user's from 
reading someones password from the directory. It's vital you protect the 
clear text password with some type of access control in your ldap 
server. How you do that depends on the particular ldap server you're 
using. You might consider using precomputed hashes such as LT and NT. 
That would mitigate the exposure of a clear text password, but hashes 
should be protected as well by access control.

Now to make matters a touch bit more complicated FreeRADIUS changed how 
it accessed the clear text password in its set of attributes. In older 
versions of FreeRADIUS it was known as User-Password, but that produced 
an unfortunate ambiguity and it was later modified to be
Cleartext-Password, I'm sorry but I don't remember the version this was 
modified in.

For old versions of FreeRADIUS you'll need this in ldap.attrmap

checkItem   User-Password      userPassword

For modern versions of FreeRADIUS you'll need this in ldap.attrmap

checkItem   Cleartext-Password      userPassword

If you're still having problems then please follow-up with the full 
contents of your config file (not snippets) and the output of
radiusd -X.

John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?

More information about the Freeradius-Users mailing list