Patch: Support for {BASE64_MD5} LDAP passwords in rlm_ldap and rlm_pap

Peter Lambrechtsen plambrechtsen at
Sun Nov 13 23:55:12 CET 2011

Attached is a minor patch to include support for BASE64_MD5 encoded
passwords in an LDAP directory (or anywhere else it may be, as the pap
module does the authentication).

In LDAP the record would look like:

userPassword: {BASE64_MD5}/F4DjTilcDIIVEHn/nAQsA==

If the password was helloworld

Thankfully the pap module is clever enough to normalize the password from
Base64 encoding automatically so the BASE64_MD5 tag just needed to be added
under the header_names array, and then do the MD5.  So no code change was
really required.

The debug trace shows:

[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header ==
[ldap] looking for reply items in directory...
[ldap] user peterltest authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "helloworld"
[pap] Using MD5 encryption.
[pap] Normalizing MD5-Password from base64 encoding
[pap] User authenticated successfully
++[pap] returns ok


-------------- next part --------------
A non-text attachment was scrubbed...
Name: B64.patch
Type: application/octet-stream
Size: 1193 bytes
Desc: not available
URL: <>
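
The check described in the message, as an added example that is not part of the original post or of the FreeRADIUS source: strip the {BASE64_MD5} header, normalize the stored value to a raw 16-byte digest, and compare it with the MD5 of the submitted password. The function names are hypothetical, and accepting a hex-encoded digest as well as base64 is a generalization made by this example beyond the one case shown in the message.

```python
import base64
import hashlib
import hmac

HEADER = "{BASE64_MD5}"   # tag shown in the userPassword value above
MD5_LEN = 16              # raw MD5 digest size in bytes


def normalize_digest(encoded: str) -> bytes:
    """Return the raw 16-byte digest from a base64 (or hex) encoded value."""
    encoded = encoded.strip()
    raw = None
    # 32 hex characters also describe a 16-byte digest; try that form first.
    if len(encoded) == 2 * MD5_LEN:
        try:
            raw = bytes.fromhex(encoded)
        except ValueError:
            raw = None
    if raw is None:
        try:
            raw = base64.b64decode(encoded, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("value is neither hex nor base64") from exc
    if len(raw) != MD5_LEN:
        raise ValueError(f"decoded digest is {len(raw)} bytes, expected {MD5_LEN}")
    return raw


def verify(user_password_attr: str, candidate: str) -> bool:
    """Check a candidate password against a {BASE64_MD5} userPassword value."""
    if not user_password_attr.startswith(HEADER):
        return False
    try:
        stored = normalize_digest(user_password_attr[len(HEADER):])
    except ValueError:
        return False  # malformed or truncated digest never authenticates
    computed = hashlib.md5(candidate.encode("utf-8")).digest()
    # Constant-time comparison of the two raw digests.
    return hmac.compare_digest(stored, computed)


if __name__ == "__main__":
    # Value and password taken from the message above.
    print(verify("{BASE64_MD5}/F4DjTilcDIIVEHn/nAQsA==", "helloworld"))
```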