problem with pap password normalization
Alan DeKok
aland at deployingradius.com
Fri Nov 9 18:56:21 CET 2018
> On Nov 6, 2018, at 11:51 AM, Amstaff zg <amstaff.zg at gmail.com> wrote:
>
> Hi,
> I have problem with pap password normalization when radius fetches
> password from ldap in base64 format.
>
> Here is example where it works:
> FreeRADIUS Version 3.0.16 Copyright (C) 1999-2017 The FreeRADIUS
> server project and contributors There is NO warranty; not even for
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may
> redistribute copies of FreeRADIUS under the terms of the GNU General
> Public License For more information about these matters, see the file
The debug output has been *completely* mangled. It's been word wrapped to the point where it's almost impossible to see what's going on.
> I think line:
>
> (1) pap: Normalizing Password-With-Header from base64 encoding, 28
> bytes -> 21 bytes (1) pap: Unknown header {{?v??w}} in
> Password-With-Header, re-writing to Cleartext-Password (1) pap:
> Removing &control:Password-With-Header
>
> is making this problem. pap module is trying to normalize password
> from ldap no matter that
>
> pap { normalise = no } is set.
When you put the password into the "Password-With-Header" attribute, you are telling FreeRADIUS that the password has a header. So it makes no sense to say "yes, it has a header, but no, we don't want to look at that header".
If you want to use the password *as is* from LDAP, then assign it to the Cleartext-Password attribute. That won't look for headers, and will compare the passwords as-is.
Alan DeKok.
More information about the Freeradius-Users
mailing list