Authenticate against FreeIPA PBKDF2_SHA256

Alan DeKok aland at
Wed Apr 7 14:43:14 CEST 2021

On Apr 7, 2021, at 8:27 AM, Marc Sauer <m.sauer at> wrote:
> I would like to authenticate against our FreeIPA servers. The problem is that our passwords are stored in the following format:

  That's not supported.  v3 supports PBKDF2 with various HMACs.  See src/modules/rlm_pap/rlm_pap.c

> FreeRADIUS did not support this at all until version 3.0.22 [1]. The functionality has been merged into the v3.0.x branch in September 2020.
> Unfortunately it still does not work in 3.0.22 with FreeIPA passwords.
> The example-password I'm trying to authenticate against has the following content:
> {PBKDF2_SHA256}AAAIAEwR4+g...

  That isn't supported.  It's probably not hard to add, but... there's a ton of variants.

> When I try to authenticate against it, it shows the following error when running freeradius -X:
> (1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, re-writing to Cleartext-Password

  That seems pretty clear: "Unknown header".

> What I don't understand is that FreeRADIUS says "Unknown header", although the PBKDF2_SHA256 support seems to be implemented.

  What makes you say that?

  PBKDF2 is a whole family of password formats.  Which means that each one has to be supported explicitly.

> Is there anything wrong with my configuration or is there still something wrong with the implementation of those kinds of hashes in FreeRADIUS?

  The error message is clear: "Unknown header".  It does NOT say "found known header, and then the password didn't match".

> If I knew C, I would love to help implement the support.

  We'll take a look, but we can't promise any particular time frame.

  Alan DeKok.
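
An added illustration of the distinction drawn in the reply above, not part of the original message and not FreeRADIUS code: a password checker that dispatches on the `{...}` header, so "unknown header" and "known header, password didn't match" are separate outcomes. The payload layout (4-byte big-endian iteration count, 64-byte salt, 256-byte key), the function names, the iteration cap and the sample value are all assumptions made for this sketch.

```python
import base64, hashlib, hmac, struct

# ASSUMED layout for this one variant (the thread does not state it):
# base64( 4-byte big-endian iterations | 64-byte salt | 256-byte derived key )
SALT_LEN, KEY_LEN, MAX_ITER = 64, 256, 1_000_000

def encode_pbkdf2_sha256(password, salt, iterations):
    """Build a constructed sample value in the assumed layout."""
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN)
    blob = struct.pack(">I", iterations) + salt + key
    return "{PBKDF2_SHA256}" + base64.b64encode(blob).decode()

def verify_pbkdf2_sha256(body, password):
    """Re-derive the key from the stored parameters; constant-time compare."""
    raw = base64.b64decode(body, validate=True)
    if len(raw) != 4 + SALT_LEN + KEY_LEN:
        raise ValueError("wrong payload length for this variant")
    (iterations,) = struct.unpack(">I", raw[:4])
    if not 1 <= iterations <= MAX_ITER:  # refuse absurd work factors
        raise ValueError("iteration count out of range")
    salt, stored = raw[4:4 + SALT_LEN], raw[4 + SALT_LEN:]
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN)
    return hmac.compare_digest(derived, stored)

# One entry per header: a variant absent from this table is simply unknown.
VERIFIERS = {"{PBKDF2_SHA256}": verify_pbkdf2_sha256}

def check(stored, password, verifiers=VERIFIERS):
    """Return 'unknown header', 'malformed', 'mismatch' or 'match'."""
    end = stored.find("}")
    header = stored[:end + 1] if stored.startswith("{") and end > 0 else ""
    verifier = verifiers.get(header)
    if verifier is None:
        return "unknown header"  # never reached the hash comparison
    try:
        return "match" if verifier(stored[end + 1:], password) else "mismatch"
    except ValueError:           # bad base64, length or iteration count
        return "malformed"

# Constructed sample: fixed salt and made-up password, for illustration only.
SAMPLE = encode_pbkdf2_sha256(b"constructed-pw", bytes(range(64)), 2048)

if __name__ == "__main__":
    print(check(SAMPLE, b"constructed-pw"), check(SAMPLE, b"wrong"),
          check(SAMPLE, b"constructed-pw", verifiers={}), sep=" | ")
```

Passing an empty `verifiers` table reproduces the situation in the thread: the stored value is well formed, but the checker has no entry for its header and never compares anything.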
