AW: AW: Freeradius + LDAP password trouble

John Dennis jdennis at
Mon Jul 19 14:45:23 CEST 2010

On 07/19/2010 08:17 AM, Lionne Stangier wrote:
>> Here are a couple of things to check which often trip folks up:
>> 1) is the userPassword attribute defined in $RADDB/ldap.attrmap ?
>> By default it isn't (I've never understood why it isn't) You should have
>> a line in that file which looks like this:
>> checkItem   Cleartext-Password      userPassword
> Nice to know. I don’t use this line before :) thank you.
> I used ldapsearch -h ldap.... -b dc=allesklar,dc=com -x "uid=lionne.stangier"
> I get the userPassword but encoded :(

Is there a double colon (::) after the userPassword attribute name in 
the ldapsearch result? (e.g. userPassword:: xxxxxxxxxxxxxxxxx). If so 
that means the attribute value was binary (had some non-ascii printing 
character in it) so it was base64 encoded. This is a bit obscure, I got 
tripped up by it recently too :-) Try base64 decoding the the value. I 
bet it'll look like {hash}xxxxxxxxxxxx where hash is one of sha1, md5, 
etc. and xxxxxxxxxxx is the hash digest of the password. FWIW it's not 
unusual when a hashing to a digest to end up with a non-ascii character 
(thus triggering the base64 encoding)

John Dennis <jdennis at>

Looking to carve out IT costs?

More information about the Freeradius-Users mailing list