differences in handling of hashed passwords from LDAP between version 2 and 3
Alan DeKok
aland at deployingradius.com
Mon Oct 14 17:37:48 CEST 2019
On Oct 14, 2019, at 11:16 AM, Wirth, Oliver <O.Wirth at gsi.de> wrote:
>
> We are using freeradius for EDUROAM authentication with an oracle-ldap as password store. At the moment we are still using radius version 2, but we are now installing a new radius version 3.
That's good.
> We found the following different behavior between version 2 and version 3 which makes our authentication fail:
>
> freeradius receives user password from oracle-ldap in the following form:
> (1) ldap: control:Password-With-Header += '{X- ORCLIFSMD5}***'
> (1) ldap: control:Password-With-Header += '{X- ORCLWEBDAV}***'
Yeah, those are non-standard and not really well documented.
> (1) ldap: control:Password-With-Header += '{MD5}***'
> (1) ldap: control:Password-With-Header += '{X- ORCLLMV}***'
> (1) ldap: control:Password-With-Header += '{X- ORCLNTV}***'
>
> The first two headers are unknown to radius, that's why our Freeradius 2.2.5 moves on to the next Password-With-Header until it finds a usable one, and can then authenticate the user successfully:
OK.
> BUT our new installed Freeradius 3.0.12
Why? 3.0.19 has been out for months. Please use that. Packages are available at http://packages.networkradius.com
> no longer skips unknown hashes; instead it rewrites the first one to cleartext and ignores the other hashes. Of course the authentication fails:
>
> (1) pap: Unknown header {{X- ORCLIFSMD5}} in Password-With-Header, re-writing to Cleartext-Password
> (1) pap: Removing &control:Password-With-Header
> (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
> (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
> (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
> (1) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
>
> Is there a reason for this change in version 3?
Testing with real-world users. There are people with {} in their passwords.
> Or are we doing something wrong, or is it possible to tell freeradius 3 to ignore unknown password hashes?
Hmm.. you can't really change that behaviour. It may be worth adding a list of headers to ignore.
Which passwords are the ones being used? The {X- ORCLNTV} one? In which case you might be able to just grab that one.
    if (&control:Password-With-Header =~ /^({X- ORCLNTV}.*)$/) {
        update control {
            # remember the matching value (header included), then drop every
            # Password-With-Header so that pap does not see the unknown ones
            Tmp-String-0 := "%{1}"
            Password-With-Header !* ANY
        }
        update control {
            # put back only the value we want pap to check
            Password-With-Header := &control:Tmp-String-0
        }
    }
    pap
I think that should work.
Alan DeKok.
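The unlang in the reply above works by leaving pap a single Password-With-Header value so that the first one it sees is usable. As an added illustration, not code from FreeRADIUS or from either poster, the following Python models the three behaviours discussed in the thread: the 2.2.x "skip values with an unknown header" selection, the 3.0.x "first value wins, and an unknown header is rewritten to Cleartext-Password" selection visible in the pap log lines, and the workaround of filtering to one header before pap runs. Only {MD5} (raw digest as base64 or hex) and {clear} are implemented as known headers; the Oracle {X- ORCL...} headers are treated as opaque, and the sample password and stored values are constructed for the example (the Oracle payloads are placeholders, not real hashes).

```python
import base64
import binascii
import hashlib
import hmac
import re
from typing import Callable, Dict, List, Optional, Tuple

# A Password-With-Header value is "{HEADER}payload".  A value without braces
# is treated as cleartext, which is also what FreeRADIUS does.
_HEADER_RE = re.compile(r"^\{([^}]*)\}(.*)$", re.DOTALL)

Picked = Tuple[str, str]  # (normalised header, payload)


def split_header(value: str) -> Picked:
    m = _HEADER_RE.match(value)
    if m is None:
        return ("CLEAR", value)
    return (m.group(1).strip().upper(), m.group(2))


def md5_verify(stored: str, candidate: str) -> bool:
    """{MD5}: raw MD5 digest of the password, encoded as hex or base64."""
    digest = hashlib.md5(candidate.encode("utf-8")).digest()
    if hmac.compare_digest(stored.lower().encode("utf-8"), digest.hex().encode("ascii")):
        return True
    try:
        return hmac.compare_digest(base64.b64decode(stored, validate=True), digest)
    except (ValueError, binascii.Error):
        return False


def clear_verify(stored: str, candidate: str) -> bool:
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


# Headers this model can check.  Anything else, e.g. Oracle's {X- ORCL...}
# family from the thread, counts as "unknown".
KNOWN: Dict[str, Callable[[str, str], bool]] = {
    "MD5": md5_verify,
    "CLEAR": clear_verify,
}


def md5_header_value(password: str, as_hex: bool = False) -> str:
    """Build a {MD5} value for constructing sample data."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + (digest.hex() if as_hex else base64.b64encode(digest).decode("ascii"))


def pick_v2_style(values: List[str]) -> Optional[Picked]:
    """2.2.x behaviour as described in the thread: values with an unknown
    header are skipped and the first checkable one is used."""
    for value in values:
        picked = split_header(value)
        if picked[0] in KNOWN:
            return picked
    return None


def pick_v3_style(values: List[str]) -> Optional[Picked]:
    """3.0.x behaviour from the pap log lines: only the first value counts.
    An unknown header is not skipped; the whole string (braces included)
    becomes Cleartext-Password and the remaining values are ignored."""
    if not values:
        return None
    header, payload = split_header(values[0])
    if header in KNOWN:
        return (header, payload)
    return ("CLEAR", values[0])


def prefer_header(values: List[str], header: str) -> List[str]:
    """The unlang workaround in Python: keep only the value(s) with the
    wanted header so that the first value left is one pap can use."""
    wanted = header.strip().upper()
    return [v for v in values if split_header(v)[0] == wanted]


def authenticate(values: List[str], candidate: str, picker=pick_v3_style) -> bool:
    picked = picker(values)
    if picked is None:
        return False
    header, payload = picked
    return KNOWN[header](payload, candidate)


# Constructed sample shaped like the ldap output quoted in the thread.
SAMPLE_PASSWORD = "correct horse battery"
SAMPLE_VALUES = [
    "{X- ORCLIFSMD5}placeholder1",
    "{X- ORCLWEBDAV}placeholder2",
    md5_header_value(SAMPLE_PASSWORD),
    "{X- ORCLLMV}placeholder3",
    "{X- ORCLNTV}placeholder4",
]

if __name__ == "__main__":
    print("2.2.x style   :", authenticate(SAMPLE_VALUES, SAMPLE_PASSWORD, pick_v2_style))
    print("3.0.x style   :", authenticate(SAMPLE_VALUES, SAMPLE_PASSWORD, pick_v3_style))
    print("3.0.x + filter:", authenticate(prefer_header(SAMPLE_VALUES, "MD5"), SAMPLE_PASSWORD))
```

Run it as a script to see the 2.2.x selection succeed, the 3.0.x selection fail on the first opaque Oracle value, and the filtered list succeed again; the filter is the Python equivalent of the regex-plus-`!* ANY` step in the unlang above, applied here to the {MD5} header rather than {X- ORCLNTV}.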