After fighting with an upgrade from freeradius-1.0.3 to 2.1.1, both do a simple LDAP authorize/PAP authenticate (no tls, no eap, no chap, no inner-tunnel, nothing else), I've stumbled on what seems to fix my problem, and am curious if my fix makes sense, and will continue to be supported. I'm not including full debug output and config files in this post because I'm not looking for help on what I've done wrong, just whether this part of the configuration is valid. I'm happy to provide more detail if it's desired.

Built from freeradius-server-2.1.1 source, downloaded about 2 weeks ago from the FreeRADIUS main site, on FreeBSD 7-1-PRERELEASE.

With 2.1.1, I had no trouble getting rlm_ldap to connect to my OpenLDAP server, and after putting in a Cleartext-Password entry in ldap.attrsmap, rlm_ldap would authorize fine, and everything seemed ok, except I couldn't get pap to understand the encryption scheme:

[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [test/testing] (from client localhost port 1)

No amount of changing settings in modules/pap and other config files would help. I finally noticed in the rlm_ldap debug output "auto_headers = no".

So, I set auto_headers = yes in modules/ldap, and login passes. Remove it, and login fails.

Is it only for some oddball, simplistic configurations like mine that this should be required? I was unable to find any mention of this as an ldap module setting except in rlm_ldap.c, which I didn't think to look in until after the fact.

Thank you for your time,

tim
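
Added example, not part of the original post and not FreeRADIUS code: a simplified Python model of the PAP check in the debug output above. It assumes that with auto_headers = yes the {crypt} header is stripped and the rest is verified as a crypt(3) hash, while without it the whole LDAP value is compared as a cleartext password; md5_crypt and pap_check are hypothetical names.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(pw: bytes, salt: bytes) -> str:
    """MD5-based crypt(3) ("$1$"), the scheme of the hash in the debug output."""
    salt = salt[:8]
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(n, 16)])
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # fixed 1000 stretching rounds
        h = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            h.update(salt)
        if r % 7:
            h.update(pw)
        h.update(final if r & 1 else pw)
        final = h.digest()
    # Digest bytes are emitted in this shuffled order, 6 bits per character.
    groups = [(0, 6, 12, 4), (1, 7, 13, 4), (2, 8, 14, 4),
              (3, 9, 15, 4), (4, 10, 5, 4), (None, None, 11, 2)]
    out = ""
    for a, b, c, count in groups:
        v = final[c] if a is None else final[a] << 16 | final[b] << 8 | final[c]
        for _ in range(count):
            out += ITOA64[v & 0x3F]
            v >>= 6
    return "$1$" + salt.decode() + "$" + out

def pap_check(stored: str, supplied: str, auto_headers: bool) -> bool:
    """Simplified model (assumption): the header is honoured only if auto_headers."""
    if auto_headers and stored.lower().startswith("{crypt}$1$"):
        crypt_value = stored[len("{crypt}"):]  # header stripped, hash remains
        salt = crypt_value.split("$")[2]
        expected = md5_crypt(supplied.encode(), salt.encode())
        return hmac.compare_digest(expected.encode(), crypt_value.encode())
    # No header handling: the whole string is compared as a cleartext password.
    return hmac.compare_digest(stored.encode(), supplied.encode())

# Stored value and login password taken from the debug output in the post.
STORED = "{crypt}$1$Moq9XEC8$PRA5/NGFUrskxI52Nv8rm."

if __name__ == "__main__":
    print("auto_headers = no :", pap_check(STORED, "testing", False))
    print("auto_headers = yes:", pap_check(STORED, "testing", True))
```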