Check LDAP password with SHA512

Will W. will at damagesinc.net
Tue Feb 2 21:24:30 CET 2016


Alan,

I do appreciate everyone's help, but as there are multiple people responding
and not just you, I am addressing multiple people helping me.
Now I am sorry if I seem to be ignoring what has been told to me, but
looking at the thread of this e-mail you will see that the radtest
output is actually the debug output from radiusd -X, provided as instructed due
to a push that was done a few days ago. Sorry about mislabeling it.

Per previous e-mail in thread from Arran Cudbard-Bell <a.cudbardb at freeradius.org> for modifying
/usr/local/etc/raddb/site-enabled/default

> Unknown error means ldap_set_option returned an error without setting an
> error on the ldap handle.
>
> Reading through the OpenLDAP code, it seems that this particular option is
> only available as a global, so we're not allowed to pass in an ldap handle.
>
> This is undocumented behaviour.
>
> I'll push a fix.
>
> As for module ordering, edit sites-available/default
>
> Remove everything from the authorize section, and just list the modules
>
> ldap
> pap
>
> in that order.
>
> Remove everything from the auth section, and just list pap.
>
> It should work.
>
> -Arran

The config file is being modified and I am only posting a progress update as
I am not seeing anything from the PAP modules other than the following:

rlm_ldap (ldap) - Bind successful

(0)      ldap (ok)
(0)      pap - WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0)      pap - WARNING: Authentication will fail unless a "known good" password is available
(0)      pap (noop)

When I am seeing the following from the bind user:


rlm_ldap (ldap) - Bind successful
(1)      ldap - Reserved connection (6)
(1)      ldap - EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1)      ldap - --> (uid=demouser)
(1)      ldap - Performing search in "ou=Users,dc=myhost,dc=com" with filter "(uid=bind-user)", scope "sub"
(1)      ldap - Waiting for search result...
(1)      ldap - User object found at DN "uid=bind-user,ou=Users,dc=myhost,dc=com"
(1)      ldap - Processing user attributes
(1)      ldap - &control:Password-With-Header +=
{CRYPT}$6$cbea6d7932dfa76b$YgORZH6XtDXmFEDrcBnX3Ao6JDxACy.BRMTNZ8DkF0idg3cM2D3gPEHRfA05f8dQx14o/4Fi575xXJ.2yDkDA/
(1)      ldap - Released connection (6)

...

rlm_ldap (ldap) - Bind successful
(1)      ldap (updated)
(1)      pap - Converted: Password-With-Header -> Crypt-Password
(1)      pap - Removing &control:Password-With-Header
(1)      pap (updated)

True, putting things into the e-mail thread seemed rude, so I tried to put
it in pastebin so that it would not show up in the e-mails.


On Tue, Feb 2, 2016 at 12:02 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Feb 2, 2016, at 3:00 PM, Will W. <will at damagesinc.net> wrote:
> >
> > Ok Still having issues, I have the latest pull from this morning running on
> > CentOS 7.2
> > It seems that I can only see it trying cleartext, is there a way to get the
> > PAP module to a higher debug level so I can see what cipher it is trying
> > against the LDAP server?
> >
> >
> > Config file for default after putting in the changes
> > http://pastebin.com/Z7H3tjxm
>
>   We've told you that we don't need the configuration files.
>
> > Here is the output from radtest
> > http://pastebin.com/GfBkbFxY
>
>   We've told you that we don't need the output of radtest.
>
>   We've told you we need to see the debug output.
>
>   Not to be rude.. but you're being rude.
>
>   Follow instructions, or stop asking questions on this list.
>
>   Alan DeKok.
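
Added example, not part of the original message or of FreeRADIUS: a small Python triage of `radiusd -X` output like that quoted above, grouping lines by request number and reporting whether ldap supplied a Password-With-Header value (and which crypt(3) scheme its prefix indicates) before pap ran. The sample lines and hash are constructed, the function names are hypothetical, and wrapped log lines are assumed to have been rejoined.

```python
import re

# Constructed sample modelled on the two requests in the message above.
# The hash is a made-up placeholder, not a real credential.
SAMPLE_DEBUG = """\
(0)      ldap (ok)
(0)      pap - WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0)      pap (noop)
(1)      ldap - &control:Password-With-Header += {CRYPT}$6$examplesalt$ExampleHashPlaceholder
(1)      ldap (updated)
(1)      pap - Converted: Password-With-Header -> Crypt-Password
(1)      pap (updated)
"""

# "(N)   module - message" or "(N)   module (rcode)"
LINE = re.compile(r"^\((\d+)\)\s+(\w+) (?:- )?(.*)$")
# "{SCHEME}" header, optionally followed by a crypt(3) "$id$" prefix
HEADER = re.compile(r"&control:Password-With-Header \+= \{(\w[\w-]*)\}(\$\w+\$)?")
# crypt(3) modular-format identifiers
CRYPT_IDS = {"$1$": "MD5-crypt", "$5$": "SHA-256-crypt", "$6$": "SHA-512-crypt"}


def triage(debug_text):
    """Return {request_id: summary} for every request seen in the debug text."""
    requests = {}
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # global lines such as "rlm_ldap (ldap) - Bind successful"
        req, module, rest = int(m.group(1)), m.group(2), m.group(3)
        info = requests.setdefault(
            req, {"scheme": None, "crypt": None, "known_good": None})
        header = HEADER.search(rest)
        if module == "ldap" and header:
            info["scheme"] = header.group(1).upper()
            info["crypt"] = CRYPT_IDS.get(header.group(2), header.group(2))
        elif module == "pap" and 'No "known good" password' in rest:
            info["known_good"] = False
        elif module == "pap" and rest.startswith("Converted:"):
            info["known_good"] = True
    return requests


def missing_password(requests):
    """Request ids where pap warned and ldap had added no password attribute."""
    return sorted(r for r, i in requests.items()
                  if i["known_good"] is False and i["scheme"] is None)
```

For the flagged requests, the thing to check is what the LDAP search returned for that user, since pap had no password attribute to convert.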