Another LDAP/RADIUS integration problem.
John Dennis
jdennis at redhat.com
Fri Jul 23 22:11:46 CEST 2010
On 07/23/2010 02:59 PM, Alan DeKok wrote:
> Tom Leach wrote:
>> To correct the bind problem, I added an ACL to the directory to allow
>> 'uid=admin,o=radtree' to access the userPassword attribute, then
>> configured the ldap module to use 'uid=admin,o=radtree' as the identity
>> and 'secret' as the password. Now the bind succeeds, the -X output says
>> that it's mapping userPassword -> Crypt-Password ==
>> "{crypt}4gOgBZqZgtwIw"
>
> The "Crypt-Password" attribute is supposed to be the crypt'd version
> of the password *without* the "{crypt}" header. Change the mapping from
> "userPassword -> Crypt-Password" to "userPassword -> User-Password", and
> it will work.
>
> The PAP module will look for the "{crypt}" header, and create a
> Crypt-Password with the appropriate value.
Hmm ...
Just from looking at the rlm_ldap code (not actual testing), I thought that if
auto_header was set to True in the ldap config, then rlm_ldap, after
looking up the configured password attribute, would perform the steps you
describe above (strip the hash prefix and add a new attribute with the
correct attribute type for the hash type).
Am I confused?
--
John Dennis <jdennis at redhat.com>
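
The header handling discussed in this thread, as an added example (not FreeRADIUS code and not from either poster): it shows why the header-prefixed value is not usable as a Crypt-Password and what stripping the header yields. The function names and the table rows other than `{crypt}` are assumptions made for illustration.

```python
import re

# Header -> attribute table. Only "{crypt}" -> Crypt-Password comes from the
# thread; the other rows are a constructed subset for illustration.
HEADER_TO_ATTR = {
    "crypt": "Crypt-Password",
    "md5": "MD5-Password",
    "smd5": "SMD5-Password",
    "sha": "SHA-Password",
    "ssha": "SSHA-Password",
    "clear": "Cleartext-Password",
}

# "{scheme}" prefix followed by the stored value.
HEADER_RE = re.compile(r"\{([A-Za-z0-9-]+)\}(.*)", re.DOTALL)
# Traditional DES crypt(3) output: 2 salt characters + 11 hash characters.
DES_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")


def normalize_password(value):
    """Split a directory userPassword value into (attribute, bare_value).

    Hypothetical helper: returns (None, value) unchanged when there is no
    header or the header is not in the table, so nothing is guessed.
    """
    m = HEADER_RE.fullmatch(value)
    if not m:
        return (None, value)
    attr = HEADER_TO_ATTR.get(m.group(1).lower())  # headers are case-insensitive here
    if attr is None:
        return (None, value)
    return (attr, m.group(2))


def looks_like_des_crypt(value):
    """True if value has the shape of a traditional crypt(3) hash."""
    return DES_CRYPT_RE.fullmatch(value) is not None


LDAP_VALUE = "{crypt}4gOgBZqZgtwIw"  # value quoted in the thread

if __name__ == "__main__":
    # Direct userPassword -> Crypt-Password mapping keeps the header.
    print("direct mapping is a crypt hash:", looks_like_des_crypt(LDAP_VALUE))
    attr, bare = normalize_password(LDAP_VALUE)
    print(attr, "=", bare, "| crypt hash:", looks_like_des_crypt(bare))
```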