problem with pap password normalization

Amstaff zg amstaff.zg at gmail.com
Mon Nov 12 12:14:55 CET 2018


That worked,

Thank you.
On Fri, Nov 9, 2018 at 6:56 PM Alan DeKok <aland at deployingradius.com> wrote:
>
>
>
> > On Nov 6, 2018, at 11:51 AM, Amstaff zg <amstaff.zg at gmail.com> wrote:
> >
> > Hi,
> > I have problem with pap password normalization when radius fetches
> > password from ldap in base64 format.
> >
> > Here is example where it works:
> > FreeRADIUS Version 3.0.16 Copyright (C) 1999-2017 The FreeRADIUS
> > server project and contributors There is NO warranty; not even for
> > MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may
> > redistribute copies of FreeRADIUS under the terms of the GNU General
> > Public License For more information about these matters, see the file
>
>   The debug output has been *completely* mangled.  It's been word wrapped to the point where it's almost impossible to see what's going on.
>
> > I think line:
> >
> > (1) pap: Normalizing Password-With-Header from base64 encoding, 28
> > bytes -> 21 bytes (1) pap: Unknown header {{?v??w}} in
> > Password-With-Header, re-writing to Cleartext-Password (1) pap:
> > Removing &control:Password-With-Header
> >
> > is making this problem. pap module is trying to normalize password
> > from ldap no matter that
> >
> > pap { normalise = no } is set.
>
>   When you put the password into the "Password-With-Header" attribute, you are telling FreeRADIUS that the password has a header.  So it makes no sense to say "yes, it has a header, but no, we don't want to look at that header".
>
>   If you want to use the password *as is* from LDAP, then assign it to the Cleartext-Password attribute.  That won't look for headers, and will compare the passwords as-is.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list