differences in handling of hashed passwords from LDAP between version 2 and 3
Wirth, Oliver
O.Wirth at gsi.de
Mon Oct 14 17:16:24 CEST 2019
We are using freeradius for EDUROAM authentication with an oracle-ldap as password store. Currently we are still using radius version 2, but we are now installing a new radius version 3.
We found the following difference in behavior between version 2 and version 3 which makes our authentication fail:
freeradius receives user password from oracle-ldap in the following form:
(1) ldap: control:Password-With-Header += '{X- ORCLIFSMD5}***'
(1) ldap: control:Password-With-Header += '{X- ORCLWEBDAV}***'
(1) ldap: control:Password-With-Header += '{MD5}***'
(1) ldap: control:Password-With-Header += '{X- ORCLLMV}***'
(1) ldap: control:Password-With-Header += '{X- ORCLNTV}***'
The first two headers are unknown to radius, which is why our Freeradius 2.2.5 goes on to the next Password-With-Header until it finds a usable one and can then authenticate the user successfully:
- [pap] Found unknown header {{X- ORCLIFSMD5}}: Not doing anything
- [pap] Found unknown header {{X- ORCLWEBDAV}}: Not doing anything
- [pap] Normalizing MD5-Password from base64 encoding
- [pap] Normalizing LM-Password from hex encoding
- [pap] Normalizing NT-Password from hex encoding
BUT our newly installed Freeradius 3.0.12 no longer skips unknown hashes; instead it tries to re-write the first one to cleartext and ignores the other hashes. Of course the authentication fails:
(1) pap: Unknown header {{X- ORCLIFSMD5}} in Password-With-Header, re-writing to Cleartext-Password
(1) pap: Removing &control:Password-With-Header
(1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
(1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
(1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
(1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
Is there a reason for this change in version 3?
Or are we doing something wrong, or is it possible to tell freeradius 3 to ignore unknown password hashes?
Regards, Oliver
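To make the two behaviours described in the post concrete, here is a small Python model of how a PAP module might walk a list of Password-With-Header values, normalise the ones it recognises and verify a cleartext PAP password against the first usable credential. This is an added example, not code from the post or from FreeRADIUS itself. The header table (MD5 from base64, the Oracle LM/NT variants from hex) is an assumption based on what the posted v2 debug output shows being normalised, and the two policies ("skip-unknown" for the v2 behaviour, "rewrite-first" for the v3 behaviour as the poster describes it) are this example's own names. The LDAP values, password and hashes are constructed for the example; the Oracle-specific payloads and the LM/NT hex strings are dummies.

```python
import base64
import binascii
import hashlib
import re

# Headers this model treats as "known". The mapping is an assumption of this
# example (derived from the post's v2 log), not rlm_pap's complete table.
KNOWN_HEADERS = {
    "{md5}": ("MD5-Password", "base64"),
    "{x- orcllmv}": ("LM-Password", "hex"),
    "{x- orclntv}": ("NT-Password", "hex"),
}

HEADER_RE = re.compile(r"^(\{[^}]*\})(.*)$", re.DOTALL)


def split_header(value):
    """Return (lower-cased header, payload) for a '{HEADER}payload' string."""
    m = HEADER_RE.match(value)
    if not m:
        raise ValueError("value has no {HEADER} prefix: %r" % value)
    return m.group(1).lower(), m.group(2)


def normalize(value):
    """Map one Password-With-Header value to (attribute, raw_bytes).

    Returns None for headers the model does not know; that is exactly the
    case the two FreeRADIUS versions in the post handle differently."""
    header, payload = split_header(value)
    if header not in KNOWN_HEADERS:
        return None
    attr, enc = KNOWN_HEADERS[header]
    if enc == "base64":
        raw = base64.b64decode(payload, validate=True)
    else:
        raw = binascii.unhexlify(payload)
    return attr, raw


def select_known_good(values, policy):
    """Pick the credential PAP would use from a list of header values.

    policy="skip-unknown"  : step past unknown headers (v2 behaviour in the post)
    policy="rewrite-first" : take the first unknown header's payload as a
                             Cleartext-Password and ignore everything after it
                             (v3 behaviour as the post describes it)"""
    for value in values:
        result = normalize(value)
        if result is not None:
            return result
        if policy == "rewrite-first":
            _, payload = split_header(value)
            return "Cleartext-Password", payload.encode()
        # skip-unknown: fall through to the next value
    return None


def verify_pap(password, credential):
    """Check a PAP cleartext password against a normalised credential."""
    if credential is None:
        return False
    attr, raw = credential
    if attr == "Cleartext-Password":
        return password.encode() == raw
    if attr == "MD5-Password":
        return hashlib.md5(password.encode()).digest() == raw
    # LM/NT verification needs DES- and MD4-based hashing; out of scope here.
    return False


# Constructed sample data, in the same order as the post's debug output.
SAMPLE_PASSWORD = "correct horse"
_MD5_B64 = base64.b64encode(hashlib.md5(SAMPLE_PASSWORD.encode()).digest()).decode()
SAMPLE_LDAP_VALUES = [
    "{X- ORCLIFSMD5}opaque-oracle-value-1",   # unknown header, dummy payload
    "{X- ORCLWEBDAV}opaque-oracle-value-2",   # unknown header, dummy payload
    "{MD5}" + _MD5_B64,                       # usable: base64 MD5 digest
    "{X- ORCLLMV}" + "00" * 16,               # dummy hex LM hash
    "{X- ORCLNTV}" + "00" * 16,               # dummy hex NT hash
]


def demo(password=SAMPLE_PASSWORD, values=SAMPLE_LDAP_VALUES):
    """Run both policies over the sample values and report what each selects."""
    out = {}
    for policy in ("skip-unknown", "rewrite-first"):
        cred = select_known_good(values, policy)
        out[policy] = {
            "attribute": cred[0] if cred else None,
            "authenticated": verify_pap(password, cred),
        }
    return out


if __name__ == "__main__":
    for policy, r in demo().items():
        print("%-14s -> %-18s authenticated=%s"
              % (policy, r["attribute"], r["authenticated"]))
```

Running it shows the skip-unknown policy landing on the {MD5} entry and authenticating, while the rewrite-first policy turns the opaque first payload into a "Cleartext-Password" that can never match, which is the failure the v3 log above records.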