Unable to retrieve LDAP attribute in original format

ST Wong (ITSC) ST at itsc.cuhk.edu.hk
Thu Jun 18 06:18:31 CEST 2020


Hi all,

Problem resolved after adding pap in authorize session which does the normalization.     
Sorry for the careless mistake in setup.  

Thanks and rgds
/ST Wong

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+st=itsc.cuhk.edu.hk at lists.freeradius.org> On Behalf Of ST Wong (ITSC)
Sent: Wednesday, June 17, 2020 9:21 AM
To: Freeradius-Users at lists.freeradius.org
Subject: Unable to retrieve LDAP attribute in original format

Hi all,

We've upgraded freeradius from 2.x to 3.0.21.   We note that LDAP attributes are always returned as hex string and we're unable to get the attribute as it is.
e.g. we defined in mods-enabled/ldap:

        update {
                control:NT-Password             += 'sambaNtPassword'
        }

while sambaNtPassword value in LDAP is just alphanumeric string without any escape character.

Debug log shows the value in hex (decoding the hex into ASCII matches with the value in LDAP):

Tue Jun 16 11:41:43 2020 : Debug: (8) ldap: Processing user attributes
Tue Jun 16 11:41:43 2020 : Debug: (8) ldap: NT-Password := 0x3034324544323534394233353637304441443342394130374444424339363233


Then we got error "NT-Password has not been normalized by the 'pap' module (likely still in hex format).  ".

Tue Jun 16 11:51:43 2020 : Debug: (8) eap_mschapv2:   authenticate {
Tue Jun 16 11:51:43 2020 : Debug: (8) eap_mschapv2:     modsingle[authenticate]: calling mschap (rlm_mschap)
Tue Jun 16 11:51:43 2020 : WARNING: (8) mschap: NT-Password has not been normalized by the 'pap' module (likely still in hex format).  Authentication may fail
Tue Jun 16 11:51:43 2020 : WARNING: (8) mschap: No Cleartext-Password configured.  Cannot create NT-Password
Tue Jun 16 11:51:43 2020 : WARNING: (8) mschap: No Cleartext-Password configured.  Cannot create LM-Password


Data in LDAP server works in freeradius 2.x.
Would anyone please help?

Thanks a lot.
Regards
/ST Wong
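
Added example, not part of the original thread and not FreeRADIUS source code: a simplified Python sketch of the length-based normalization the mschap warning refers to, showing why the 32-character hex string stored in LDAP must become 16 raw bytes before it can be used as an NT hash. The function names and the sample hash are constructed for illustration.

```python
import base64
import binascii

NT_HASH_LEN = 16  # an NT hash is a 16-byte MD4 digest


def from_debug_output(text: str) -> bytes:
    """The debug log prints octets values as 0x<hex>; recover the stored bytes."""
    if not text.startswith("0x"):
        raise ValueError("expected a 0x-prefixed octets value")
    return bytes.fromhex(text[2:])


def normalize_nt_password(value: bytes) -> bytes:
    """Return the 16 raw hash bytes from a raw, hex or base64 encoded value."""
    if len(value) == NT_HASH_LEN:
        return value  # already binary, nothing to do
    if len(value) == 2 * NT_HASH_LEN:
        try:
            return binascii.unhexlify(value)  # 32 hex characters -> 16 bytes
        except binascii.Error:
            pass  # right length but not hex, fall through to base64
    try:
        decoded = base64.b64decode(value, validate=True)
    except binascii.Error:
        decoded = b""
    if len(decoded) == NT_HASH_LEN:
        return decoded
    raise ValueError("value is not a recognisable NT hash encoding")


# Constructed sample data (not a real credential).
RAW_HASH = bytes(range(16))
LDAP_VALUE = RAW_HASH.hex().upper().encode()  # how sambaNtPassword is stored
DEBUG_VALUE = "0x" + LDAP_VALUE.hex()         # how the debug log displays it

if __name__ == "__main__":
    stored = from_debug_output(DEBUG_VALUE)
    print("stored in LDAP :", stored.decode(), f"({len(stored)} bytes)")
    print("after normalize:", normalize_nt_password(stored).hex(),
          f"({len(normalize_nt_password(stored))} bytes)")
```

The hex shown in the debug log is only how the server prints an octets attribute; the value mschap complained about is the 32-byte ASCII string underneath it, which is twice the length of a binary NT hash.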
