AW: AW: Freeradius + LDAP password trouble
John Dennis
jdennis at redhat.com
Mon Jul 19 14:45:23 CEST 2010
On 07/19/2010 08:17 AM, Lionne Stangier wrote:
>> Here are a couple of things to check which often trip folks up:
>
>> 1) is the userPassword attribute defined in $RADDB/ldap.attrmap ?
>> By default it isn't (I've never understood why it isn't) You should have
>> a line in that file which looks like this:
>
>> checkItem Cleartext-Password userPassword
>
> Nice to know. I don’t use this line before :) thank you.
>
>
>
> I used ldapsearch -h ldap.... -b dc=allesklar,dc=com -x "uid=lionne.stangier"
>
> I get the userPassword but encoded :(
Is there a double colon (::) after the userPassword attribute name in
the ldapsearch result? (e.g. userPassword:: xxxxxxxxxxxxxxxxx). If so
that means the attribute value was binary (had some non-ascii printing
character in it) so it was base64 encoded. This is a bit obscure, I got
tripped up by it recently too :-) Try base64 decoding the the value. I
bet it'll look like {hash}xxxxxxxxxxxx where hash is one of sha1, md5,
etc. and xxxxxxxxxxx is the hash digest of the password. FWIW it's not
unusual when a hashing to a digest to end up with a non-ascii character
(thus triggering the base64 encoding)
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeradius-Users
mailing list